Bug 75659 - Using gpg to decrypt dm-crypt keys
Summary: Using gpg to decrypt dm-crypt keys
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout
Hardware: All All
Importance: High normal
Assignee: Gentoo's Team for Core System packages
URL: http://www.usrportage.de/article/122/
Reported: 2004-12-25 17:16 UTC by Lars Strojny
Modified: 2005-02-09 17:17 UTC
CC: 4 users



Attachments
Patch for /etc/init.d/{checkfs,localmount} (dm-crypt_gentoo-init-script.diff,2.68 KB, patch)
2004-12-28 15:40 UTC, Lars Strojny
/etc/init.d/{checkfs,localmount} (patch,2.96 KB, patch)
2005-01-03 04:38 UTC, Lars Strojny
/etc/init.d/{checkfs,localmount} (patch,2.96 KB, patch)
2005-01-03 04:43 UTC, Lars Strojny
Patch for the patch. Bugfix for gpg_options (checkfs.new,481 bytes, patch)
2005-02-07 16:07 UTC, Lars Strojny

Description Lars Strojny 2004-12-25 17:16:03 UTC
Here is a small patchset which makes it possible to use gpg for mounting dm-crypt devices. The keystring is entered via "echo", so it would theoretically be possible to watch the key in the process list. But this should not be a real problem, because it would only be used while booting and there is no chance of logging in at that time.

$ diff -u checkfs.old checkfs
--- checkfs.old 2004-12-26 00:30:46.033791712 +0100
+++ checkfs     2004-12-26 01:32:04.088238520 +0100
@@ -215,7 +215,7 @@
 # here, make sure to change it there also!
 dm-crypt-start() {
        local cryptfs_status=0
-       local mountline mount swap options pre_mount post_mount source
+       local mountline mount swap options pre_mount post_mount source key

        if [ -f /etc/conf.d/cryptfs ] && [ -x /bin/cryptsetup ]; then
                ebegin "Setting up dm-crypt mappings"
@@ -231,10 +231,10 @@
                                        dm-crypt-execute

                                        # Prepare for the next mount/swap by resetting variables
-                                       unset mount swap options pre_mount post_mount source
+                                       unset mount swap options pre_mount post_mount source key
                                        ;;

-                               options=*|pre_mount=*|post_mount=*|source=*)
+                               options=*|pre_mount=*|post_mount=*|source=*|key=*)
                                        if [[ -z ${mount} && -z ${swap} ]]; then
                                                ewarn "Ignoring setting outside mount/swap section: ${mountline}"
                                                continue
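Review bot: the new `key=*` pattern accepts the value without checking that it names an existing file; since `${key}` is later handed to gpg unquoted, a typo in the path is only discovered at boot inside the gpg retry loop. Suggest validating the setting when the section is complete, e.g. `[[ -f ${key} ]] || ewarn "key file ${key} for ${mount:-${swap}} not found"`, and quoting `"${key}"` wherever it is expanded.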
@@ -283,8 +283,25 @@
        fi

        ebegin "dm-crypt map ${target}"
-       /bin/cryptsetup ${options} create ${target} ${source} >/dev/console </dev/console
-       eend $? "failure running cryptsetup"
+       if [[ -z ${key} ]]; then
+               /bin/cryptsetup ${options} create ${target} ${source} >/dev/console </dev/console
+               eend $? "failure running cryptsetup"
+       else
+               if [ -e "/usr/bin/gpg" ]; then
+                       retval=1
+                       while [ $retval -gt 0 ] ; do
+                               keystring=`gpg  --quiet -d ${key} 2>/dev/null </dev/console`
+                               if [ -z ${keystring} ]; then
+                                       retval=5
+                               else
+                                       echo ${keystring} | /bin/cryptsetup ${options} create ${target} ${source}
+                                       retval=$?
+                               fi
+                       done
+               else
+                       einfo "You have to install app-crypt/gpg first"
+               fi
+       fi
        if [[ $? != 0 ]]; then
                cryptfs_status=1
        else
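Review bot: the `if [[ $? != 0 ]]` test that follows this hunk never sees a failure from the new gpg branch. The `while [ $retval -gt 0 ]` loop only exits once cryptsetup has returned 0, so an empty key (`retval=5`) or a repeatedly wrong passphrase re-runs gpg forever with no bound on attempts, and when the loop does finish `$?` is 0 by construction; in the no-gpg branch `$?` is the status of `einfo`, so a missing gpg binary leaves `cryptfs_status` untouched and the mapping is silently skipped. Suggest bounding the loop (a small fixed number of tries), calling `eend ${retval} "failure running cryptsetup"` after it so the outer check and the console message agree, and using `eerror` plus a non-zero `retval` when gpg is absent (`-x /usr/bin/gpg` is the idiomatic test there). Also: `[ -z ${keystring} ]` and `echo ${keystring}` are unquoted, so keys containing whitespace are word-split, and a shell variable cannot hold NUL bytes, so binary keys are not preserved; `keystring` and `retval` should be declared `local` with the other variables; and `2>/dev/null` hides gpg's reason for failing, which makes the retry loop hard to diagnose from the console.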



$ diff -u localmount.old localmount
--- localmount.old      2004-12-26 01:38:43.072049232 +0100
+++ localmount  2004-12-26 01:39:45.331584344 +0100
@@ -49,7 +49,7 @@
 # here, make sure to change it there also!
 dm-crypt-start() {
        local cryptfs_status=0
-       local mountline mount swap options pre_mount post_mount source
+       local mountline mount swap options pre_mount post_mount source key

        if [ -f /etc/conf.d/cryptfs ] && [ -x /bin/cryptsetup ]; then
                ebegin "Running post_mount commands for dm-crypt"
@@ -65,10 +65,10 @@
                                        dm-crypt-execute

                                        # Prepare for the next mount/swap by resetting variables
-                                       unset mount swap options pre_mount post_mount source
+                                       unset mount swap options pre_mount post_mount source key
                                        ;;

-                               options=*|pre_mount=*|post_mount=*|source=*)
+                               options=*|pre_mount=*|post_mount=*|source=*|key=*)
                                        if [[ -z ${mount} && -z ${swap} ]]; then
                                                ewarn "Ignoring setting outside mount/swap section: ${mountline}"
                                                continue
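Review bot: this half of the patch only teaches localmount's parser about `key=`; localmount's own copy of dm-crypt-execute is not shown, and the header comment reminds the reader that the function is duplicated between the two scripts. If that copy also invokes cryptsetup it needs the same gpg branch as checkfs, otherwise a one-line comment saying that `key=` is parsed here only so the setting is not rejected would save the next reader a search.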
Comment 1 SpanKY gentoo-dev 2004-12-26 00:34:58 UTC
method,tigger: please review
Comment 2 Lars Strojny 2004-12-28 15:40:25 UTC
Created attachment 47063 [details, diff]
Patch for /etc/init.d/{checkfs,localmount}

Updated version. Fixed the problem with echoing ${keystring} and some quoting
problems related to keys containing blanks or to binary keys.
Comment 3 Lars Strojny 2004-12-28 15:42:09 UTC
btw: an example of how to use the new config option follows:

$ cat /etc/conf.d/cryptfs
mount=crypt-home
source=/dev/vg/home
key=/root/home.key.asc
options='-c twofish -h plain'
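An added example, not code from the bug or its attachments, that shows what a config like the one above means to the parser the patch changes: a POSIX sh dry run that reads a constructed /etc/conf.d/cryptfs-style file with the same section rules (mount= or swap= opens a section, the other settings belong to the most recent section and are reset when the next one starts, settings seen before any section are ignored with a warning) and prints the command each section would run instead of executing it. The gpg_options= setting follows the later attachments in this bug; the sample paths, the warning wording and the names sample_config, unquote, emit_section and plan_cryptfs are assumptions made for the example. The planned command pipes gpg's output straight into cryptsetup, which reads the key from stdin, so the key never has to pass through echo or a process argument list.

```shell
#!/bin/sh
# Added example (not from the bug's patches): dry-run planner for a
# /etc/conf.d/cryptfs-style file.  It follows the patched parser's rules:
# mount=/swap= opens a section, the other settings belong to the most recent
# section, and settings seen before any section are ignored with a warning.
# Nothing is decrypted or mapped; each section's command is only printed.

# Constructed sample config; device and key paths are illustrative only.
sample_config() {
    cat <<'EOF'
# a setting before any mount=/swap= line must be ignored
key=/root/stray.key.asc

mount=crypt-home
source=/dev/vg/home
key=/root/home.key.asc
gpg_options='--no-tty'
options='-c twofish -h plain'

swap=crypt-swap
source=/dev/vg/swap
options='-c aes'

# broken section: no source=, so it must be skipped with a warning
mount=crypt-broken
options='-c aes'
EOF
}

# Strip one pair of surrounding quotes from a value (the config's quoting
# convention, e.g. options='-c twofish -h plain').
unquote() {
    case $1 in
        \'*\') v=${1#\'}; printf '%s' "${v%\'}" ;;
        \"*\") v=${1#\"}; printf '%s' "${v%\"}" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# Print the command for the section collected so far, if it is complete.
# With key=, gpg's plaintext is piped straight into cryptsetup, which reads
# the key from stdin, so the key never passes through echo or argv.
emit_section() {
    target=${mount:-$swap}
    [ -n "$target" ] || return 0                  # no section open yet
    if [ -z "$source" ]; then
        echo "warning: no source= for ${target}, skipping" >&2
        return 0
    fi
    if [ -n "$key" ]; then
        echo "gpg --quiet ${gpg_options:+$gpg_options }-d $key | cryptsetup ${options:+$options }create $target $source"
    else
        echo "cryptsetup ${options:+$options }create $target $source"
    fi
}

# Read a config on stdin and print one planned command per usable section.
plan_cryptfs() {
    mount= swap= source= key= gpg_options= options=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}     # drop leading blanks
        case $line in
            ''|'#'*) continue ;;                  # blank or comment
            mount=*|swap=*)
                emit_section                      # finish the previous section
                mount= swap= source= key= gpg_options= options=
                case $line in
                    mount=*) mount=$(unquote "${line#mount=}") ;;
                    *)       swap=$(unquote "${line#swap=}") ;;
                esac ;;
            source=*|key=*|gpg_options=*|options=*)
                if [ -z "$mount" ] && [ -z "$swap" ]; then
                    echo "warning: Ignoring setting outside mount/swap section: $line" >&2
                    continue
                fi
                name=${line%%=*}
                value=$(unquote "${line#*=}")
                case $name in
                    source)      source=$value ;;
                    key)         key=$value ;;
                    gpg_options) gpg_options=$value ;;
                    options)     options=$value ;;
                esac ;;
            *) echo "warning: unknown line ignored: $line" >&2 ;;
        esac
    done
    emit_section                                  # flush the last section
}

# Dry run: planned commands on stdout, warnings on stderr.
sample_config | plan_cryptfs
```

Because it only prints, the planner can be run on any machine to confirm that a config file is read the way you expect before it goes into /etc/conf.d. A real boot script would additionally check that each key file exists before prompting and bound the number of passphrase attempts, so that a wrong passphrase fails the mapping instead of hanging the boot.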
Comment 4 rob holland (RETIRED) gentoo-dev 2004-12-31 02:48:08 UTC
Looks good to me. Nice idea :)
Comment 5 Lars Strojny 2005-01-03 04:36:41 UTC
Comment on attachment 47063 [details, diff]
Patch for /etc/init.d/{checkfs,localmount}

Patch is obsolete
Comment 6 Lars Strojny 2005-01-03 04:38:43 UTC
Created attachment 47473 [details, diff]
/etc/init.d/{checkfs,localmount}

New version. Includes support for gpg_options, which makes it possible to
specify the options gpg should use. This enhancement was reviewed with tigger^
in IRC.
Comment 7 Lars Strojny 2005-01-03 04:42:26 UTC
Comment on attachment 47473 [details, diff]
/etc/init.d/{checkfs,localmount}

Sorry, overhasty post. It overwrites the options for cryptsetup.
Comment 8 Lars Strojny 2005-01-03 04:43:21 UTC
Created attachment 47474 [details, diff]
/etc/init.d/{checkfs,localmount}

Fixes the issue of overwriting the cryptsetup options ($options). Sorry!
Comment 9 rob holland (RETIRED) gentoo-dev 2005-01-06 02:28:32 UTC
This looks sane to me. *stamp of approval*
Comment 10 SpanKY gentoo-dev 2005-01-30 14:01:32 UTC
now in cvs, thanks guys
Comment 11 Lars Strojny 2005-02-07 13:39:41 UTC
Maybe it would be a good idea to mention the new options in the conf.d-skel.

btw: thanks for adding!
Comment 12 Lars Strojny 2005-02-07 16:07:36 UTC
Created attachment 50681 [details, diff]
Patch for the patch. Bugfix for gpg_options

I detected that the default value of gpg_options could never be set: this
routine must take place in the "if [[ -n ${mount} ]]" block, because
otherwise it would never be executed, which leads to bugs.
Comment 13 Lars Strojny 2005-02-07 16:08:47 UTC
As a result of the patch which is explained above, I'm forced to reopen the bug. Sorry!
Comment 14 SpanKY gentoo-dev 2005-02-09 17:17:34 UTC
added patch to cvs