Bug 104381

Summary:	cryptsetup does not allow multiple encrypted partitions to be dealt with using one controlling password.
Product:	Gentoo Linux	Reporter:	Joshua (RETIRED) <joslwah>
Component:	[OLD] Core system	Assignee:	Benjamin Smee (strerror) (RETIRED) <strerror>
Status:	RESOLVED FIXED
Severity:	enhancement	CC:	base-system
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	This updates dm-crypt-start.sh to include the master_key functionality. Patch for dm-crypt-start.sh to add master capability. Patch for dm-crypt-start.sh to add master capability. (against sys-fs/cryptsetup-luks) Patch for dm-crypt-start.sh to add master capability. (against sys-fs/cryptsetup-luks) Updated patch to add master support to cryptsetup-luks.

Description Joshua (RETIRED) gentoo-dev

2005-08-31 07:24:43 UTC

Currently if you want to have multiple encrypted partitions (ignoring swap and
similar recreated-each-time partitions) you have to enter either a password or a
pgp password for each partition.  This patch changes that.  

The basic outline of the patch is that you have a "master" keyfile.  This is
encrypted using one id and requires the user to supply the passphrase.  It
contains the passphrase for the id used to encrypt the keyfiles.  Therefore, the
passphrase is asked for once and all the different partitions that are desired
to be encrypted can be opened in one go.

Patch should be attached.


Reproducible: Always
Steps to Reproduce:
1.  Add the patch.
2.  Setup the gpg/pgp id's and the slave id's passphrase being encrypted with
the master's id.
3.  Store the keys for each partition encrypted with the slave's id. 

Actual Results:  
All partitions are mounted with only one passphrase request.

Expected Results:  
Without the patch you are required to enter passphrases multiple times.

Portage 2.0.51.22-r2 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1,
2.6.11.10 i686)
=================================================================
System uname: 2.6.11.10 i686 Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium4 -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium4 -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_GB.UTF-8"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/gentoo/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.asia.gentoo.org/gentoo-portage"
USE="x86 X alsa apm avi berkdb bitmap-fonts cdr cjk crypt curl dga dmx dvd eds
emacs emboss encode exiscan-acl fam flac foomaticdb gd gdbm gif gnome gstreamer
gtk gtk2 imagemagick imlib jpeg ldap libg++ libwww live mad mbox mikmod mmx
motif mp3 mpeg mule ncurses nls ogg oggvorbis opengl oss pam pdflib perl png
python readline real sdl server slang spell sse ssl tcltk tcpd tetex threads
tiff truetype truetype-fonts type1-fonts unicode usb vorbis xml2 xmms xv zlib
userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS

Comment 1 Joshua (RETIRED) gentoo-dev

2005-08-31 07:29:46 UTC

Created attachment 67342 [details, diff]
This updates dm-crypt-start.sh to include the master_key functionality.

Comment 2 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2005-10-05 13:50:00 UTC

Sorry about the delay but i've been busy. At a quick look this diff does not
apply cleanly to the dm-crypt-start.sh in portage. Can you verify that it does
and if it doesn't submit a new one. Also please include all other relevant steps
ie changes to config files and steps in gpg so that others aside from myself
reading this know what you mean :)

Comment 3 Joshua (RETIRED) gentoo-dev

2005-10-12 05:41:29 UTC

Created attachment 70448 [details, diff]
Patch for dm-crypt-start.sh to add master capability.

I've changed the diff.	It did patch cleanly if you did a patch -l  8-).

How to use the new functionality:
    This is assuming you're already happy to set up cryptsetup using a PGP key.
 I.e. you know how to create the key in the right place, create the partition
with the key and put the encrypted key in the right place.

    We are going to need 1 key for each partition, and one extra.
1)    Create all the partition keys, and the partitions using them.
2)    Create a "master" key.  This master key will be used as the passphrase to
unlock the other keys.
3)    Now create two GPG keys.	For the first one use the "master" key as the
passphrase.  
4)    Encrypt the partition keys with the first account.
5)    Add the lines to /etc/conf.d/cryptfs as you would have before, pointing
the key at the encrypted keys.
6)    Encrypt the "master" key with the second account.
7)    Add a line to /etc/conf.d/cryptfs, before the first mount, that says
"master_key='<where_you_have_the_encrypted_master_key>'".
8)    Test.
9)    Get rid of all the unencrypted keys.

Strictly speaking line 7 is wrong.  You have to add the master_key line before
the first mount that uses the "master" key to encrypt the partition keys.  You
can have other mounts under the current system as well if you want but they
must be before the first mention of master_key.  If you have two master_keys
then you can use two sets of keys so that two passphrases are required to get
into the complete set of partitions.  (Why you would do this is beyond me.  If
you want to type in lots of passphrases then ignore the master_key system
completely.)

If you don't want to use the master_key functionality then just not having any
line starting with master_key returns to the previous functionality.

I hope this is clear.  Feel free to ask for more clarification.

Comment 4 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2005-10-12 06:30:23 UTC

now I understand my problem, I was trying to patch the cryptsetup-luks script.
Would you mind looking at making a diff for the cryptsetup-luks
dm-crypt-start.sh as this is the package that is supported and recommended going
forwards (the cryptsetup author himself admits that cryptsetup is fully
deprecated by cryptsetup-luks). If you don't have the time / can't be bothered I
will do it but as I'm running low on time I would appreciate a patch from you :)

thanks for your contribution, one other thing, you might want to expand on the
gpg key creation ie step by step. (i'm going to write a HOWTO on this soon as
its causing a lot of confusion).

Comment 5 Joshua (RETIRED) gentoo-dev

2005-10-14 22:49:41 UTC

I'll have a look at this when I get some time.  I've already had a quick look at
it and it doesn't appear to be too difficult to port across.

Comment 6 Joshua (RETIRED) gentoo-dev

2005-11-20 22:36:11 UTC

Created attachment 73278 [details, diff]
Patch for dm-crypt-start.sh to add master capability.  (against sys-fs/cryptsetup-luks)

This is a patch against cryptsetup-luks giving master passphrase capability. 
In addition to the previous possibilities it also allows the use of luks's
multiple passphrases so that you can just encrypt one passphrase to use to
unlock each partition, ala luks mode.  You still have to gpg encrypt a master
passphrase though, just not the separate partition keys.

Sorry it is so late.  Life got in the way and then I had some questions about
security issues to overcome.

Comment 7 Joshua (RETIRED) gentoo-dev

2005-11-20 22:36:30 UTC

Created attachment 73279 [details, diff]
Patch for dm-crypt-start.sh to add master capability.  (against sys-fs/cryptsetup-luks)

This is a patch against cryptsetup-luks giving master passphrase capability. 
In addition to the previous possibilities it also allows the use of luks's
multiple passphrases so that you can just encrypt one passphrase to use to
unlock each partition, ala luks mode.  You still have to gpg encrypt a master
passphrase though, just not the separate partition keys.

Sorry it is so late.  Life got in the way and then I had some questions about
security issues to overcome.

Comment 8 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2005-11-23 07:24:41 UTC

thanks for your contribution. I will run some tests myself over the next little
while and add to portage shortly assuming all is in order.

Comment 9 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2005-11-24 16:06:35 UTC

Out of curiousity have you tested this and got it running on a live system? Can
you include an example /etc/conf.d/cryptfs? I am trying a few things now but
running into some problems and would like to see what your cryptfs looks like
before I make any changes.

Comment 10 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2005-11-24 16:51:01 UTC

I've solved the previous problems and have one issue remaining (well two, but
that is more of a user error as using --key-file when using a small test pass
phrase will be automatically padded and is therefore not the same as echo
passphrase | cryptsetup etc etc) and that is that we currently don't have a
static gnupg ebuild for 1.9. That said it otherwise looks fine. I shall look to
include it soon.

Comment 11 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2005-11-25 16:08:13 UTC

further testing has shown this patch is not working as you have it documented.
Can you confirm that you have tested this and set it up on a machine? If you
have can you please send me the /etc/conf.d/cryptfs that you are using, but from
what I can see this script will not work as it is.

Comment 12 Joshua (RETIRED) gentoo-dev

2005-12-19 06:30:34 UTC

Created attachment 75094 [details, diff]
Updated patch to add master support to cryptsetup-luks.

This doesn't do very much error checking.  In particular it doesn't check that the user has put their gpg keys in the right place, which is /.gnupg/ and not /root/.gnupg/.

Not sure how much error checking should be present in a config file, but getting this one wrong is pretty nasty.

Comment 13 Joshua (RETIRED) gentoo-dev

2006-03-08 00:40:54 UTC

Any progress on this?

Comment 14 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2006-03-08 03:06:53 UTC

I'll be looking at this shortly, I was away for a while and I've not had access to my test kit for even longer. I should get around to it in the next week or so.

Comment 15 Benjamin Smee (strerror) (RETIRED) gentoo-dev

2006-10-12 04:09:21 UTC

superceded by 1.0.3-r3, closing this bug. Feel free to raise a new bug if you have functionality that you think the new version misses but make the diffs against the new scripts.