From 392990639656d14db854aaf62d3a0a471c013111 Mon Sep 17 00:00:00 2001
From: Heiko Baums
Date: Mon, 6 Dec 2010 16:05:43 +0100
Subject: cryptsetup: read keys for non-root LUKS partitions as raw data from block device
For LUKS encrypted root partitions it is possible to store a keyfile hidden as raw data onto a USB stick with the dd command. This has the advantage, that the key is saved on a USB stick, but can't be found be just mounting the USB stick. The appropriate line in /etc/crypttab is similar to the kernel parameter in /boot/grub/menu.lst: home/dev/sdaXBLOCKDEVICE:OFFSET:SIZE
[teg: fixed whitespace and expanded paths to binaries]
Signed-off-by: Tom Gundersen
---
rc.sysinit | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
(limited to 'rc.sysinit')
diff --git a/rc.sysinit b/rc.sysinit
index 9b16fb0..53ce678 100755
--- a/rc.sysinit
+++ b/rc.sysinit
@@ -152,6 +152,30 @@ if [[ -f /etc/crypttab && $CS ]]; then
 ASK)
 printf "\nOpening '$1' volume:\n"
 $CS $4 $open "$a" "$b" < /dev/console;;
+ /dev*)
+ ckdev=${3%%:*}
+ cka=${3#*:}
+ ckb=${cka#*:}
+ cka=${cka%:*}
+ ckfile=/dev/ckfile
+ ckdir=/dev/ckdir
+ case ${cka} in
+ *[!0-9]*)
+ # Use a file on the device
+ # cka is not numeric: cka=filesystem, ckb=path
+ /bin/mkdir ${ckdir}
+ /bin/mount -r -t ${cka} ${ckdev} ${ckdir}
+ /bin/dd if=${ckdir}/${ckb} of=${ckfile} >/dev/null 2>&1
+ /bin/umount ${ckdir}
+ /bin/rmdir ${ckdir};;
+ *)
+ # Read raw data from the block device
+ # cka is numeric: cka=offset, ckb=length
+ /bin/dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;;
+ esac
+ $CS -d ${ckfile} $4 $open "$a" "$b" >/dev/null
+ /bin/dd if=/dev/urandom of=${ckfile} bs=1 count=`stat -c %s ${ckfile}` conv=notrunc >/dev/null 2>&1
+ rm ${ckfile};;
 /*)
 $CS -d "$3" $4 $open "$a" "$b" >/dev/null;;
 *)
-- 
cgit v1.2.3
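Review bot: The new `/dev*)` arm also captures plain keyfile paths under /dev that carry no `:OFFSET:SIZE` suffix (a key kept in /dev/shm, for instance), which the `/*)` arm below used to handle; for such a value `ckdev`, `cka` and `ckb` all expand to the whole path, the non-numeric branch runs `mount -r -t <path> <path> /dev/ckdir`, and cryptsetup is then handed an empty or missing `/dev/ckfile`. Narrowing the pattern to `/dev/*:*)` keeps the old behaviour for colon-free paths. The branch also never checks the exit status of `mount` or either `dd`, so a wrong filesystem type or offset silently reaches `$CS -d ${ckfile}` with no key material, and the cleanup `stat`/`rm` then complain about a file that may not exist; a guard such as `[[ -s ${ckfile} ]]` before the `$CS` call would make that failure explicit. `ckfile=/dev/ckfile` and `ckdir=/dev/ckdir` are fixed, predictable names that `dd` and `mount` will happily follow if something is already there, and every expansion in the arm is unquoted; quoting them and creating both with `mktemp -p /dev` would remove that dependence on /dev being pristine. The enclosing `case` and the loop it sits in start and end outside the hunk, so what happens after a failed extraction cannot be seen here.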