<div dir="ltr">While searching for more information about Teddy's response, I found the following:<div><div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px;line-height:18px"><span class="" id="yui_3_10_3_1_1468345454050_55">> I have three luks partitions in /etc/crypttab ( /, /home/, /var) all<br>> of them with a keyscript definition. Systemd doesn't unlock /var<br>> and /home, whereas the root partition gets unlocked without<br>> problems, so it doesn't seem that the keyscript definition is not<br>> implemented.</span></p><p style="margin:0px 0px 0.8em;padding:0px;width:auto;max-width:45em;color:rgb(51,51,51);font-family:monospace;font-size:12px;line-height:18px">Explanation: The root partition is unlocked in initramfs with<br>cryptsetup's own scripts. The others are unlocked in the running<br>system, with systemd's implementation which is lacking support for<br>keyscript.</p></blockquote><div><a href="https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1451032/comments/6">https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1451032/comments/6</a></div></div><div><br></div><div>I'm on Ubuntu 14.04 so I assume this confirms Teddy's original assessment that I will not be able to use any script (but thanks for the sample scripts!).</div><div><br></div><div>So I ask myself... can initramfs mount the second disk (as well) while keyscript (and therefore Mandos) is available to me. I get the impression from this script (<a href="https://wiki.gentoo.org/wiki/Custom_Initramfs#Init">https://wiki.gentoo.org/wiki/Custom_Initramfs#Init</a>) that I could add another mount line. Before I spend time testing it, does anyone know for sure that this isn't going to work?</div></div><div><br></div><div>Thanks,</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="font-family:arial;font-size:small">Clayton Daley</div><div style="font-family:arial;font-size:small"><br></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, Jul 12, 2016 at 11:51 AM, Jesse Norell <span dir="ltr"><<a href="mailto:jesse@kci.net" target="_blank">jesse@kci.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 2016-07-12 at 16:32 +0200, Teddy Hogeborn wrote:<br>
> Clayton Daley <<a href="mailto:clayton@ambsw.com">clayton@ambsw.com</a>> writes:<br>
><br>
> > Would the stock version of Mandos work for just a secondary partition?<br>
> > For example if we only encrypted a "data" partition?<br>
><br>
> Yes, you could run mandos-client as a "keyscript" directly configured in<br>
> the /etc/crypttab file. (See crypttab(5).) But you would have to<br>
> configure this manually in /etc/crypttab after installation, and you may<br>
> have to write a wrapper script to supply the needed arguments to<br>
> mandos-client (--pubkey, --seckey, etc.) and use the wrapper script as<br>
> the actual keyscript in crypttab.<br>
><br>
> However, I think that systemd does not support the keyscript setting in<br>
> crypttab, so you would have to write a systemd "password agent" to run<br>
> mandos-client - this would be more complex, I think.<br>
><br>
> /Teddy Hogeborn<br>
<br>
<br>
</span>We're using this keyscript file on jessie; these machines happen to be<br>
running sysv-init, so I can't speak to it working with systemd or not.<br>
The root device is handled automatically by mandos, and both the root<br>
and secondary devices have the same luks key set (else you'd need to<br>
point this script at a different pubkey/seckey).<br>
<br>
<br>
# cat /etc/crypttab<br>
md1_crypt UUID=8864e039-2156-4f6a-8875-958a929ece54 none luks<br>
md2_crypt UUID=6fd3a878-159f-416a-972a-f5c9984c340b none luks,keyscript=/etc/mandos/keyscript.sh,noearly<br>
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap<br>
sdb2_crypt /dev/sdb2 /dev/urandom cipher=aes-xts-plain64,size=256,swap<br>
<br>
<br>
# cat /etc/mandos/keyscript.sh<br>
#!/bin/sh<br>
<br>
MANDOS_CLIENT=/usr/lib/mandos/plugins.d/mandos-client<br>
PUBKEY=/etc/keys/mandos/pubkey.txt<br>
SECKEY=/etc/keys/mandos/seckey.txt<br>
<br>
if [ ! -f ${MANDOS_CLIENT} ]; then<br>
if [ -f /usr/lib/mandos/plugins.d/mandos-client ]; then<br>
MANDOS_CLIENT=/usr/lib/mandos/plugins.d/mandos-client<br>
elif [ -f /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client ]; then<br>
MANDOS_CLIENT=/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client<br>
else<br>
echo "Error: mandos-client not found" 1>&2<br>
exit 1;<br>
fi<br>
fi<br>
<br>
if [ ! -f ${PUBKEY} ]; then<br>
echo "Error: pubkey (${PUBKEY}) not found. Need to run mandos-keygen?" 1>&2<br>
exit 1;<br>
fi<br>
if [ ! -f ${SECKEY} ]; then<br>
echo "Error: seckey (${SECKEY}) not found. Need to run mandos-keygen?" 1>&2<br>
exit 1;<br>
fi<br>
<br>
${MANDOS_CLIENT} --pubkey=${PUBKEY} --seckey=${SECKEY}<br>
<br>
<br>
<br>
One nuisance is that mandos-client isn't in the default path, so you<br>
have to specify the path to it based on the machine architecture type;<br>
there's probably a way to do that progmatically, I just didn't look it<br>
up.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Jesse Norell<br>
Kentec Communications, Inc.<br>
<a href="tel:970-522-8107" value="+19705228107">970-522-8107</a> - <a href="http://www.kci.net" rel="noreferrer" target="_blank">www.kci.net</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Mandos-Dev mailing list<br>
<a href="mailto:Mandos-Dev@recompile.se">Mandos-Dev@recompile.se</a><br>
<a href="https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev" rel="noreferrer" target="_blank">https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev</a><br>
</div></div></blockquote></div><br></div></div>
<br>
<font face="Arial, Helvetica, sans-serif"><span style="font-size:13px"><b>The transmission of protected health information (PHI) and individually-identifiable personal information (IIPI) is regulated by federal and/or state privacy laws. Do not send PHI or IIPI to this email account. If you receive an email from this account that includes PHI or IIPI, (1) immediately delete the email without printing, forwarding or further distributing the content, and (2) send an email to this address and report all details of the incident. Your cooperation is appreciated.</b></span></font>