Unlocking several crypto discs during boot

Xen list at xenhideout.nl
Sat Oct 14 23:30:16 UTC 2017


Volker Wysk wrote on 15-10-2017 0:51:

> The unlocker tool could work like this:
> 
> "Hi! The volumes sda1, sda4 and sdb1 need unlocking. Please specify a
> passphrase."
> 
> Then it would try to unlock all the volumes with this passphrase. The
> volumes which could be successfully unlocked would then be removed
> from the list.

Oh yes, that's correct.

>> Then what if someone DOESN'T want to unlock a secondary drive
>> automatically?
> 
> You'd configure that the same way as it is now. I'm not sure, but
> probably by specifying /dev/null as the keyfile in /etc/crypttab. A new
> special value, just like "none", could also be introduced. For instance
> "locked".

I guess.

>> Not even a keyfile.
>> 
>> If you put LUKS into your root LV, and then CACHE the root LV, 
>> obviously
>> the CACHED DATA will ALSO be encrypted because on the outside it would
>> ALSO be scrambled data.
>> 
>> So the cache device would only see scrambled data.
> 
> You're right.
> 
> This way, we could also unite several hard disks for the root-LV. I
> wasn't able to use both of my hard disks when I installed Kubuntu 16.04.

You mean if you put a stripe raid there or something.

Yes that's easily done.

I don't think I have a real objection to your idea.

I don't like it much without configuration but I guess most people would 
want it by default.

I would prefer an option in /etc/crypttab that would say something like 
"reuse" but I thought something like that already existed...

But that's not the case. You would have to work with the FreeDesktop 
people and systemd at present to propose something (or a developer would).

https://www.freedesktop.org/software/systemd/man/crypttab.html

Unfortunately they really removed keyscript support.



I am not intimately familiar with how the askpass thing is normally 
called or how it returns its value.

In principle you could write a keyscript that calls some ask password 
thing, writes down the password in a /run/ file.

Then when the keyscript is called again for the other volume, it reads 
the password from disk and doesn't need to ask it.

This happens in 16.04 before systemd is involved, so it will work just 
fine in 16.04 likely.

#!/bin/sh
# keyscript: ask for the passphrase once, cache it under /run (tmpfs) and
# replay it for every later volume that uses this keyscript

umask 077                       # keep the cached passphrase root-only
[ -d /run/cryptsetup ] || /bin/mkdir /run/cryptsetup

if [ -e /run/cryptsetup/rootpw ]; then
     # already asked for an earlier volume: hand back the cached copy
     /bin/cat /run/cryptsetup/rootpw
else
     # on Ubuntu the prompting helper is /lib/cryptsetup/askpass
     pw=$(/lib/cryptsetup/askpass "Enter passphrase: ")
     # stdout goes to cryptsetup, the copy stays for the next volume
     printf "%s" "$pw" | /bin/tee /run/cryptsetup/rootpw
fi

--------------------

At that point you have what is needed.

You would need to copy mkdir, cat and tee into the initramfs using a 
hook.

And know how to use the existing askpass thing.

So in fact if done right you can have your solution with nothing more 
than 2 files.

- keyscript
- /etc/initramfs-tools/hooks/copy_binaries

http://manpages.ubuntu.com/manpages/zesty/man8/initramfs-tools.8.html 
(search for copy_exec)


#!/bin/sh
# initramfs-tools hook: answer the "prereqs" query first (every hook
# must), then copy the tools the keyscript needs into the initramfs
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /bin/mkdir /bin
copy_exec /usr/bin/tee /bin
copy_exec /bin/cat /bin



Or something like that.
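As an added example (not the poster's script, and not part of cryptsetup or initramfs-tools), the same ask-once-and-reuse logic written so it also survives a cached passphrase that is wrong for a later volume: Debian's cryptsetup exports CRYPTTAB_TRIED to a keyscript on retries, and the cache is dropped then instead of being replayed until the tries run out. The /lib/cryptsetup/askpass path, the cache location and the stub askpass are assumptions so the script runs offline.

```shell
#!/bin/sh
# Added example, not the poster's script: the "ask once, reuse" keyscript
# idea plus handling for the case the simple version loops on. When
# cryptsetup retries a volume after a failed unlock it exports
# CRYPTTAB_TRIED (number of earlier attempts) to the keyscript; a cached
# passphrase that was rejected must then be discarded, otherwise the
# keyscript keeps replaying the same wrong value.
# CACHE/ASKPASS defaults and the stub askpass below are assumptions.

CACHE=${CACHE:-/run/cryptsetup/rootpw}
ASKPASS=${ASKPASS:-/lib/cryptsetup/askpass}

# fetch_passphrase [TRIED]: print the passphrase on stdout for cryptsetup
fetch_passphrase() {
    tried=${1:-${CRYPTTAB_TRIED:-0}}
    umask 077                                   # cache file is root-only
    [ -d "$(dirname "$CACHE")" ] || mkdir -p "$(dirname "$CACHE")"
    if [ "$tried" -gt 0 ] && [ -e "$CACHE" ]; then
        rm -f "$CACHE"                          # cached value was rejected
    fi
    if [ -e "$CACHE" ]; then
        cat "$CACHE"                            # replay, no prompt
    else
        "$ASKPASS" "Passphrase for ${CRYPTTAB_NAME:-volume}: " | tee "$CACHE"
    fi
}

# Constructed stand-in for askpass so this runs offline: logs each call
# to a file and answers with a fixed value.
ASK_LOG=$(mktemp)
stub_askpass() { echo call >> "$ASK_LOG"; printf 'hunter2'; }
ask_calls() { wc -l < "$ASK_LOG" | tr -d ' '; }

# Offline demonstration: three requests, the third one a retry.
CACHE=$(mktemp -d)/rootpw
ASKPASS=stub_askpass
fetch_passphrase 0 >/dev/null     # first volume: prompts
fetch_passphrase 0 >/dev/null     # second volume: served from the cache
fetch_passphrase 1 >/dev/null     # retry after a failure: prompts again
echo "askpass was invoked $(ask_calls) times for three requests"
```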




More information about the ubuntu-users mailing list