authorHeiko Baums <heiko@baums-on-web.de>2010-12-06 16:05:43 +0100
committerTom Gundersen <teg@jklm.no>2010-12-06 16:05:43 +0100
commit392990639656d14db854aaf62d3a0a471c013111 (patch)
treeff45e2e4139ef7f7b8fa94a689038a901589b870
parent0a2d37b6dfe45c7949952c552f4d0e698d7998f4 (diff)
downloadinitscripts-392990639656d14db854aaf62d3a0a471c013111.tar.xz
cryptsetup: read keys for non-root LUKS partitions as raw data from block device
For LUKS encrypted root partitions it is possible to store a keyfile hidden as raw data onto a USB stick with the dd command. This has the advantage that the key is saved on a USB stick, but can't be found by just mounting the USB stick. The appropriate line in /etc/crypttab is similar to the kernel parameter in /boot/grub/menu.lst: home /dev/sdaX BLOCKDEVICE:OFFSET:SIZE [teg: fixed whitespace and expanded paths to binaries] Signed-off-by: Tom Gundersen <teg@jklm.no>
-rwxr-xr-xrc.sysinit24
1 files changed, 24 insertions, 0 deletions
diff --git a/rc.sysinit b/rc.sysinit
index 9b16fb0..53ce678 100755
--- a/rc.sysinit
+++ b/rc.sysinit
@@ -152,6 +152,30 @@ if [[ -f /etc/crypttab && $CS ]]; then
ASK)
printf "\nOpening '$1' volume:\n"
$CS $4 $open "$a" "$b" < /dev/console;;
+ /dev*)
+ ckdev=${3%%:*}
+ cka=${3#*:}
+ ckb=${cka#*:}
+ cka=${cka%:*}
+ ckfile=/dev/ckfile
+ ckdir=/dev/ckdir
+ case ${cka} in
+ *[!0-9]*)
+ # Use a file on the device
+ # cka is not numeric: cka=filesystem, ckb=path
+ /bin/mkdir ${ckdir}
+ /bin/mount -r -t ${cka} ${ckdev} ${ckdir}
+ /bin/dd if=${ckdir}/${ckb} of=${ckfile} >/dev/null 2>&1
+ /bin/umount ${ckdir}
+ /bin/rmdir ${ckdir};;
+ *)
+ # Read raw data from the block device
+ # cka is numeric: cka=offset, ckb=length
+ /bin/dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;;
+ esac
+ $CS -d ${ckfile} $4 $open "$a" "$b" >/dev/null
+ /bin/dd if=/dev/urandom of=${ckfile} bs=1 count=`stat -c %s ${ckfile}` conv=notrunc >/dev/null 2>&1
+ rm ${ckfile};;
/*)
$CS -d "$3" $4 $open "$a" "$b" >/dev/null;;
*)
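Review bot: The mount in the filesystem arm (`/bin/mount -r -t ${cka} ${ckdev} ${ckdir}`) is never checked, so when the device or filesystem type is wrong the following dd silently copies nothing (its stderr is discarded), cryptsetup is then run against a missing `/dev/ckfile`, and the only visible diagnostic is the failing `stat`/`rm` at the end of the arm; a guard such as `/bin/mount -r -t ${cka} ${ckdev} ${ckdir} || printf "Could not mount %s for key file\n" "${ckdev}"` would name the actual failure. The staged key is also written to a fixed, predictable name under whatever umask rc.sysinit is running with (not visible in this hunk), so unless an earlier `umask 077` exists the plaintext key is briefly readable by every local user; wrapping both dd invocations as `(umask 077; /bin/dd ...)` closes that window. Note too that a spec with a single colon, e.g. `/dev/sdb:4096`, leaves `cka` and `ckb` both equal to `4096` after the parameter expansions at the top of the arm, so offset and length silently coincide instead of the entry being rejected. The `case` statement this arm belongs to starts and ends outside the hunk.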