Secondary Partition Encryption

Clayton Daley clayton at ambsw.com
Tue Jul 12 23:34:50 CEST 2016


While searching for more information about Teddy's response, I found the
following:

> > I have three luks partitions in /etc/crypttab ( /, /home/, /var) all
> > of them with a keyscript definition. Systemd doesn't unlock /var
> > and /home, whereas the root partition gets unlocked without
> > problems, so it doesn't seem that the keyscript definition is not
> > implemented.
>
> Explanation: The root partition is unlocked in initramfs with
> cryptsetup's own scripts. The others are unlocked in the running
> system, with systemd's implementation which is lacking support for
> keyscript.
>
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1451032/comments/6

I'm on Ubuntu 14.04 so I assume this confirms Teddy's original assessment
that I will not be able to use any script (but thanks for the sample
scripts!).

So I ask myself... can initramfs mount the second disk (as well) while
keyscript (and therefore Mandos) is available to me?  I get the impression
from this script (https://wiki.gentoo.org/wiki/Custom_Initramfs#Init) that
I could add another mount line. Before I spend time testing it, does anyone
know for sure that this isn't going to work?

Thanks,

Clayton Daley


On Tue, Jul 12, 2016 at 11:51 AM, Jesse Norell <jesse at kci.net> wrote:

> On Tue, 2016-07-12 at 16:32 +0200, Teddy Hogeborn wrote:
> > Clayton Daley <clayton at ambsw.com> writes:
> >
> > > Would the stock version of Mandos work for just a secondary partition?
> > > For example if we only encrypted a "data" partition?
> >
> > Yes, you could run mandos-client as a "keyscript" directly configured in
> > the /etc/crypttab file.  (See crypttab(5).)  But you would have to
> > configure this manually in /etc/crypttab after installation, and you may
> > have to write a wrapper script to supply the needed arguments to
> > mandos-client (--pubkey, --seckey, etc.) and use the wrapper script as
> > the actual keyscript in crypttab.
> >
> > However, I think that systemd does not support the keyscript setting in
> > crypttab, so you would have to write a systemd "password agent" to run
> > mandos-client - this would be more complex, I think.
> >
> > /Teddy Hogeborn
>
>
> We're using this keyscript file on jessie; these machines happen to be
> running sysv-init, so I can't speak to it working with systemd or not.
> The root device is handled automatically by mandos, and both the root
> and secondary devices have the same luks key set (else you'd need to
> point this script at a different pubkey/seckey).
>
>
> # cat /etc/crypttab
> md1_crypt UUID=8864e039-2156-4f6a-8875-958a929ece54 none luks
> md2_crypt UUID=6fd3a878-159f-416a-972a-f5c9984c340b none luks,keyscript=/etc/mandos/keyscript.sh,noearly
> sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
> sdb2_crypt /dev/sdb2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
>
>
> # cat /etc/mandos/keyscript.sh
> #!/bin/sh
> # crypttab keyscript: whatever this script prints on stdout is used as
> # the LUKS passphrase, so all diagnostics go to stderr.
>
> MANDOS_CLIENT=/usr/lib/mandos/plugins.d/mandos-client
> PUBKEY=/etc/keys/mandos/pubkey.txt
> SECKEY=/etc/keys/mandos/seckey.txt
>
> # Fall back to the multiarch plugin directory if the default path is absent.
> if [ ! -f "${MANDOS_CLIENT}" ]; then
>   if [ -f /usr/lib/mandos/plugins.d/mandos-client ]; then
>     MANDOS_CLIENT=/usr/lib/mandos/plugins.d/mandos-client
>   elif [ -f /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client ]; then
>     MANDOS_CLIENT=/usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client
>   else
>     echo "Error: mandos-client not found" 1>&2
>     exit 1
>   fi
> fi
>
> if [ ! -f "${PUBKEY}" ]; then
>     echo "Error: pubkey (${PUBKEY}) not found.  Need to run mandos-keygen?" 1>&2
>     exit 1
> fi
> if [ ! -f "${SECKEY}" ]; then
>     echo "Error: seckey (${SECKEY}) not found.  Need to run mandos-keygen?" 1>&2
>     exit 1
> fi
>
> "${MANDOS_CLIENT}" --pubkey="${PUBKEY}" --seckey="${SECKEY}"
>
>
>
> One nuisance is that mandos-client isn't in the default path, so you
> have to specify the path to it based on the machine architecture type;
> there's probably a way to do that programmatically, I just didn't look it
> up.
>
>
> --
> Jesse Norell
> Kentec Communications, Inc.
> 970-522-8107  -  www.kci.net
>

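A keyscript wrapper in the spirit of Jesse's, written here as an added example (it is neither code from this thread nor part of the Mandos project). It uses the mandos-client locations, the --pubkey/--seckey options and the /etc/keys/mandos key paths quoted above; the glob search over /usr/lib/*/mandos/plugins.d (so the architecture directory is found without hard-coding it and without needing dpkg tools, which an initramfs does not carry), the permission check on the secret key and the "only run when invoked as keyscript.sh" guard are this example's own assumptions. It assumes a Linux host whose stat accepts -c '%a' (GNU or busybox).

```shell
#!/bin/sh
# Added example: crypttab keyscript wrapper for mandos-client.
# Everything written to stdout becomes the LUKS passphrase, so only
# mandos-client itself may write there; diagnostics go to stderr.

# Print the first executable candidate. With no arguments, search the
# default plugin directory and every multiarch directory under /usr/lib
# (assumption: plugin lives at one of these two layouts, as in the thread).
find_mandos_client() {
    [ $# -gt 0 ] || set -- /usr/lib/mandos/plugins.d/mandos-client \
                           /usr/lib/*/mandos/plugins.d/mandos-client
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Check that a key file exists; with a second argument "secret", also
# require that group and other have no access bits (mode 600, 400, ...).
check_key_file() {
    if [ ! -f "$1" ]; then
        echo "Error: $1 not found. Need to run mandos-keygen?" 1>&2
        return 1
    fi
    if [ "${2:-}" = secret ]; then
        # stat -c '%a' prints the octal mode (GNU/busybox stat, assumed).
        mode=$(stat -c '%a' "$1") || return 1
        case "$mode" in
            *00) ;;
            *)  echo "Error: $1 has mode $mode; group/other must have no access" 1>&2
                return 1 ;;
        esac
    fi
    return 0
}

# Locate the client, validate both key files, then hand over to mandos-client
# so its stdout (the passphrase) flows straight to cryptsetup.
keyscript_main() {
    PUBKEY=${PUBKEY:-/etc/keys/mandos/pubkey.txt}
    SECKEY=${SECKEY:-/etc/keys/mandos/seckey.txt}
    if [ -z "${MANDOS_CLIENT:-}" ]; then
        MANDOS_CLIENT=$(find_mandos_client) || {
            echo "Error: mandos-client not found" 1>&2
            return 1
        }
    fi
    check_key_file "$PUBKEY" || return 1
    check_key_file "$SECKEY" secret || return 1
    exec "$MANDOS_CLIENT" --pubkey="$PUBKEY" --seckey="$SECKEY"
}

# Run only when installed and invoked as /etc/mandos/keyscript.sh; sourcing
# the file under another name just defines the functions above.
if [ "${0##*/}" = keyscript.sh ]; then
    keyscript_main
fi
```

Installed as /etc/mandos/keyscript.sh and referenced from crypttab exactly as in the quoted md2_crypt line, the wrapper behaves like Jesse's script but refuses to proceed if seckey.txt has been left group- or world-readable, which is the failure a key-file check is there to catch. As in the thread, the noearly option means it runs in the running system rather than from the initramfs, so the key files must already be readable at that point.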