Ubuntu Feisty 7.04 - Cryptsetup

James Crocker mail at james.crocker.name
Sun Jul 1 02:40:50 BST 2007


Hello,

I'm trying to communicate with the maintainers of cryptsetup for Ubuntu.
If you are not the correct party please direct me to the appropriate
party. Thank you.

With regards to cryptsetup for Ubuntu: great stuff. Thanks for all the
efforts in supporting encrypted systems.

I've identified that the current cryptroot scripts are capable of
utilizing keys on a separate storage device via the options 'key' and
'keyscript'. 

I've implemented a two-form-factor system authentication utilizing a USB
CryptKey. Unfortunately, the 'local-top/cryptroot' is unable to process
a keyscript that requires user input and other I/O redirections.

I struggled back and forth with using the existing infrastructure but
was unable to effect a remedy. In the end I added a switch 'twoform' to
supply via crypttab.

This additional switch triggers logic which allows for additional user
input from the console to fetch a requested keyfile. 

By adding a new switch I think I've avoided breaking any existing
implementations that rely on key and keyscript.

I've created a community document about Feisty and two-form-factor key
setup for whole disk encryption:
https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor?highlight=%28two%29%7C%28form%29

I'm contacting you in hopes of being able to apply these patch changes
to the cryptroot source for cryptsetup.

(The lvm vgchange is due to the fact that vgchange doesn't exist in the
initramfs. But 'lvm' can be called to do the same duty.)

I've attached the patch files for:
/usr/share/initramfs-tools/hooks/cryptroot
/usr/share/initramfs-tools/scripts/local-top/cryptroot

Thank you for your consideration.

Regards,

-James
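The key/keyscript mechanism the message builds on, as an added example that is not part of the original post and not code from the Ubuntu cryptroot scripts: a keyscript written against the contract visible in local-top/cryptroot (stdin redirected from /dev/console, stdout piped into `cryptsetup --key-file=-`). It prompts the operator for a key file name on the removable device, streams the chosen file to stdout and nothing else, and refuses names that would escape the key directory. The device path `/dev/disk/by-label/CRYPTKEY`, the mount point `/mnt/cryptkeys`, the prompt wording and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the posted patch or from the Ubuntu cryptroot
# scripts: a crypttab keyscript that asks the operator, on the console, which
# key file to use and then writes the key bytes to stdout, which is what
# local-top/cryptroot pipes into "cryptsetup --key-file=-".
#
# Assumed keyscript contract (from the cryptroot line
#   $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-):
#   $1     the "key=" value from crypttab, used here as the default file name
#   stdin  the console
#   stdout the key material and nothing else
# Everything meant for the operator therefore goes to stderr.
#
# KEYDEV and KEYDIR are hypothetical defaults for the removable key device and
# its mount point; override them in the environment or edit them to taste.
KEYDEV="${KEYDEV:-/dev/disk/by-label/CRYPTKEY}"
KEYDIR="${KEYDIR:-/mnt/cryptkeys}"

# Accept only a bare file name: no empty string, no '/', no '.' or '..', and
# nothing starting with '-' (so it cannot be taken as an option by cat).
valid_keyname() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    return 0
}

# fetch_key DIR DEFAULT: prompt on stderr, read a file name from stdin, and
# stream DIR/NAME to stdout. An empty answer selects DEFAULT. On a rejected
# name or a missing file nothing is written to stdout and the status is 1,
# so a piped "cryptsetup --key-file=-" sees an empty key and fails loudly
# instead of opening with garbage.
fetch_key() {
    dir=$1
    default=$2
    printf 'Key file on %s [%s]: ' "$dir" "$default" >&2
    IFS= read -r name || return 1
    [ -n "$name" ] || name=$default
    if ! valid_keyname "$name"; then
        echo "keyscript: refusing key name '$name'" >&2
        return 1
    fi
    if [ ! -f "$dir/$name" ]; then
        echo "keyscript: $dir/$name not found" >&2
        return 1
    fi
    cat "$dir/$name"
}

# Real invocation: mount the key device read-only, emit the key, unmount again
# so the device is not left mounted for the rest of boot. The mount/umount
# commands are only reached when the script is run with an argument, as
# cryptroot does.
main() {
    mkdir -p "$KEYDIR"
    mount -o ro "$KEYDEV" "$KEYDIR" || { echo "keyscript: cannot mount $KEYDEV" >&2; return 1; }
    fetch_key "$KEYDIR" "$1"
    rc=$?
    umount "$KEYDIR"
    return $rc
}

if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Used from crypttab as `key=key.bin,keyscript=/path/to/this/script`, the script is started by cryptroot with `key.bin` as `$1` and the console on stdin; because the prompt goes to stderr, only the key bytes reach the pipe, so the existing `| $cryptcreate --key-file=-` line needs no change and the key file is never referenced by path from cryptroot.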



-------------- next part --------------
158a159
>       TWOFORM=0
225a227,230
>                       twoform=*)
>                               OPTIONS="$OPTIONS,$opt"
>                               TWOFORM=1
>                               ;;
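Review bot: `twoform=*)` appends the option to OPTIONS verbatim without checking its value, and OPTIONS is a comma-separated string (`OPTIONS="$OPTIONS,$opt"`), so a twoform value containing a comma would be split into a separate option when local-top/cryptroot parses it, and an empty value (`twoform=`) still sets TWOFORM=1. Validate the value here (non-empty, no comma) and warn on the same path as the other skipped targets.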
236a242,249
> 
>       # If twoform set then it depends on "key" and KEYSCRIPT
>       if [ $TWOFORM -eq 1 ]; then
>               if [ "$key" = "none" ] || [ -z "$KEYSCRIPT" ]; then
>                       echo "cryptsetup: WARNING: target $target uses twoform a
nd depends on key and keyscript, skipped" >&2
>                       return 1
>               fi
>       fi
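Review bot: the echo string at the end of this hunk is split across two lines in the posted patch ("uses twoform a" / "nd depends on key and keyscript"); if that is how the patch file reads rather than archive wrapping, the warning is still valid sh but prints over two lines mid-word, so confirm the line is intact before applying. The condition itself is sound: with `key=none` or no KEYSCRIPT a twoform target cannot be unlocked at boot, and skipping it with `return 1` matches what the warning says.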
-------------- next part --------------
45a46
>       crypttwoform="" # TwoForm factor
70a72,74
>               twoform=*)
>                       crypttwoform=${x#twoform=}
>                       ;;
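Review bot: `crypttwoform=${x#twoform=}` accepts any value, and the value is later concatenated directly into the key path as `/mnt/cryptkeys$crypttwoform`, so a crypttab entry without a leading `/` (for example `twoform=key.bin`) produces `/mnt/cryptkeyskey.bin`. Either require and document the leading slash, or add the separator at the point of use (`/mnt/cryptkeys/$crypttwoform`) and strip any leading slash here.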
92c96
<       if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then
---
>       if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then
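Review bot: the vgchange-to-lvm switch (this hunk and 107c111 below) is independent of the twoform feature and should be submitted as its own patch so it can be reviewed and applied on its own. Within the change, the test checks `/sbin/lvm` by absolute path while the call site runs `lvm vgchange` via PATH; use the same form in both places (`/sbin/lvm vgchange -ay ${vg}`, or test with `command -v lvm`) so the check and the invocation cannot disagree.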
107c111
<       vgchange -ay ${vg}
---
>       lvm vgchange -ay ${vg}
191a196
>       ckscon=y
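Review bot: confirm that `ckscon=y` at line 196 is initialised outside the retry loop; if it sits inside the loop body, every retry resets it to `y` and the answer read at the "Continue using the cryptkeyscript? [y/n]" prompt in hunk 214a227,233 is discarded before the test at line 208 sees it.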
203c208
<               if [ -n "$cryptkeyscript" ]; then
---
>               if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then
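Review bot: `[ "$ckscon" = "y" ]` matches only a lowercase `y`, so `Y`, `yes` or an accidental Enter at the prompt silently switches the target to passphrase entry for all remaining attempts with no message saying so. Normalise the answer where it is read, or test it with `case "$ckscon" in [yY]*) ...` here, and tell the user when the keyscript is being abandoned.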
208c213,220
<                       $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-
---
>                       
>                       if [ -z $crypttwoform ]; then
>                               $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-
>                       else
>                               $cryptkeyscript $cryptkey < /dev/console
>                               $cryptcreate --key-file=/mnt/cryptkeys$crypttwoform
>                       fi
> 
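Review bot: `[ -z $crypttwoform ]` is unquoted and should be `[ -z "$crypttwoform" ]`; a value containing whitespace breaks the test. In the twoform branch the exit status of `$cryptkeyscript $cryptkey < /dev/console` is ignored and `$cryptcreate --key-file=/mnt/cryptkeys$crypttwoform` runs even when the keyscript failed to mount or find anything, so cryptsetup then fails on a missing file with a less useful error than the keyscript could have given; check the keyscript's status and `[ -r "/mnt/cryptkeys$crypttwoform" ]` before calling cryptsetup, and quote the path. This branch also leaves the key device mounted across the cryptsetup call, which is what the second keyscript invocation in hunk 219a239,242 exists to undo.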
214a227,233
> 
>                       if [ -n "$cryptkeyscript" ]; then
>                               
>                               echo -n "Continue using the cryptkeyscript? [y/n]: "
>                               read ckscon < /dev/console
>                       fi
>                       
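Review bot: the prompt is shown whenever `$cryptkeyscript` is set, not only for twoform targets, so existing key+keyscript configurations now get a "Continue using the cryptkeyscript? [y/n]" question after every failed attempt; that contradicts the cover note's statement that setups relying on key and keyscript are untouched. Gate the prompt on `-n "$crypttwoform"` as well. Use `read -r ckscon < /dev/console` so a backslash is not interpreted, and send the `echo -n` prompt to the same place the answer is read from (`> /dev/console`) rather than relying on stdout being the console.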
219a239,242
>               elif [ -n $crypttwoform ] && [ -n $cryptkeyscript ] && [ -e $cryptkey ]; then
>                       # The KEYSCRIPT was called at least once so,
>                       # call the key script again to unmount the usb device
>                       $cryptkeyscript $cryptkey
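Review bot: `[ -n $crypttwoform ]` and `[ -n $cryptkeyscript ]` are unquoted; when the variable is empty the test collapses to `[ -n ]`, which is true (a one-argument test checks that the string `-n` is non-empty), so this elif can fire for targets that never set twoform, calling the keyscript a second time for them. Quote all three: `[ -n "$crypttwoform" ] && [ -n "$cryptkeyscript" ] && [ -e "$cryptkey" ]`. The second invocation also relies on the keyscript toggling between mount and unmount on successive calls, which is an undocumented contract that belongs in a comment here and in the community document, and on this call the script's stdin is not redirected from `/dev/console` as it was on the first.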
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/ubuntu-motu/attachments/20070630/2103cafc/attachment.pgp 

