Secondary Partition Encryption

Jesse Norell jesse at kci.net
Tue Jul 12 18:51:22 CEST 2016


On Tue, 2016-07-12 at 16:32 +0200, Teddy Hogeborn wrote:
> Clayton Daley <clayton at ambsw.com> writes:
> 
> > Would the stock version of Mandos work for just a secondary partition?
> > For example if we only encrypted a "data" partition?
> 
> Yes, you could run mandos-client as a "keyscript" directly configured in
> the /etc/crypttab file.  (See crypttab(5).)  But you would have to
> configure this manually in /etc/crypttab after installation, and you may
> have to write a wrapper script to supply the needed arguments to
> mandos-client (--pubkey, --seckey, etc.) and use the wrapper script as
> the actual keyscript in crypttab.
> 
> However, I think that systemd does not support the keyscript setting in
> crypttab, so you would have to write a systemd "password agent" to run
> mandos-client - this would be more complex, I think.
> 
> /Teddy Hogeborn


We're using this keyscript file on jessie; these machines happen to be
running sysv-init, so I can't speak to it working with systemd or not.
The root device is handled automatically by mandos, and both the root
and secondary devices have the same luks key set (else you'd need to
point this script at a different pubkey/seckey).


# cat /etc/crypttab 
md1_crypt UUID=8864e039-2156-4f6a-8875-958a929ece54 none luks
md2_crypt UUID=6fd3a878-159f-416a-972a-f5c9984c340b none luks,keyscript=/etc/mandos/keyscript.sh,noearly
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sdb2_crypt /dev/sdb2 /dev/urandom cipher=aes-xts-plain64,size=256,swap


# cat /etc/mandos/keyscript.sh 
#!/bin/sh
# Keyscript wrapper for crypttab: locate mandos-client (its install path
# depends on the architecture), check that the key files exist, then run
# it so the passphrase it fetches is written to stdout for cryptsetup.

MANDOS_CLIENT=/usr/lib/mandos/plugins.d/mandos-client
PUBKEY=/etc/keys/mandos/pubkey.txt
SECKEY=/etc/keys/mandos/seckey.txt

# Fall back to the multiarch location if the default path is absent.
if [ ! -f "${MANDOS_CLIENT}" ]; then
  if [ -f /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client ]; then
    MANDOS_CLIENT=/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client
  else
    echo "Error: mandos-client not found" 1>&2
    exit 1
  fi
fi

# Both keys are produced by mandos-keygen; refuse to run without them.
if [ ! -f "${PUBKEY}" ]; then
    echo "Error: pubkey (${PUBKEY}) not found.  Need to run mandos-keygen?" 1>&2
    exit 1
fi
if [ ! -f "${SECKEY}" ]; then
    echo "Error: seckey (${SECKEY}) not found.  Need to run mandos-keygen?" 1>&2
    exit 1
fi

# mandos-client prints the retrieved passphrase on stdout, which is what
# cryptsetup reads from a keyscript.
"${MANDOS_CLIENT}" --pubkey="${PUBKEY}" --seckey="${SECKEY}"



One nuisance is that mandos-client isn't in the default path, so you
have to specify the path to it based on the machine architecture type;
there's probably a way to do that programmatically, I just didn't look it
up.


-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
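As an added example (not code from the thread or from the Mandos project), here is a variant of such a keyscript that finds mandos-client under whatever /usr/lib/<triplet>/ directory it was installed to, instead of hard-coding the architecture, and that refuses to run if the secret key is readable by group or others. It assumes the Debian cryptsetup keyscript convention that CRYPTTAB_NAME, CRYPTTAB_SOURCE and CRYPTTAB_TRIED are exported and the key is expected on stdout, and that /lib/cryptsetup/askpass is the stock prompt helper; the function names and the CRYPTTAB_NAME guard are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original post's script: a crypttab keyscript for
# mandos-client that locates the plugin without a hard-coded multiarch path.
#
# Assumptions (labelled): Debian's cryptsetup runs a keyscript with
# CRYPTTAB_NAME, CRYPTTAB_SOURCE and CRYPTTAB_TRIED in the environment and
# reads the key from stdout; /lib/cryptsetup/askpass is the prompt helper.

PUBKEY=/etc/keys/mandos/pubkey.txt
SECKEY=/etc/keys/mandos/seckey.txt

# Print the path of mandos-client. $1 is an optional root prefix (empty in
# production, a scratch directory in tests). Returns 1 if nothing is found.
find_mandos_client() {
    prefix="${1:-}"
    # Legacy non-multiarch location first, then any /usr/lib/<triplet>/ one.
    for candidate in "$prefix/usr/lib/mandos/plugins.d/mandos-client" \
                     "$prefix"/usr/lib/*/mandos/plugins.d/mandos-client; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 only if both key files exist and the secret key carries no
# group/other permission bits (a readable seckey defeats the point).
check_keys() {
    pub="$1"
    sec="$2"
    [ -f "$pub" ] || { echo "Error: pubkey ($pub) not found.  Need to run mandos-keygen?" >&2; return 1; }
    [ -f "$sec" ] || { echo "Error: seckey ($sec) not found.  Need to run mandos-keygen?" >&2; return 1; }
    # Characters 5-10 of 'ls -l' output are the group and other mode bits;
    # this avoids GNU-only stat(1) flags inside a minimal initramfs.
    perms=$(ls -ld "$sec" | cut -c5-10)
    case "$perms" in
        ------) return 0 ;;
        *) echo "Error: seckey ($sec) is group/world accessible (mode $perms)" >&2; return 1 ;;
    esac
}

main() {
    client=$(find_mandos_client) || { echo "Error: mandos-client not found" >&2; exit 1; }
    check_keys "$PUBKEY" "$SECKEY" || exit 1
    # After two failed attempts (for instance no Mandos server reachable),
    # fall back to an interactive prompt rather than looping forever.
    if [ "${CRYPTTAB_TRIED:-0}" -ge 2 ] && [ -x /lib/cryptsetup/askpass ]; then
        exec /lib/cryptsetup/askpass "Passphrase for ${CRYPTTAB_NAME} (${CRYPTTAB_SOURCE}): "
    fi
    # mandos-client writes the passphrase it obtains to stdout.
    exec "$client" --pubkey="$PUBKEY" --seckey="$SECKEY"
}

# cryptsetup sets CRYPTTAB_NAME when it invokes a keyscript; that is the cue
# to run. Without it the file only defines the functions above (export
# CRYPTTAB_NAME=md2_crypt to exercise main by hand).
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    main
fi
```

Pointed to from crypttab as keyscript=/path/to/this/script, the same way as the script above; the glob lets one copy of the file serve amd64, i386 or arm machines without editing the triplet.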
