* [gentoo-user] Cryptfs
From: Florian Philipp @ 2008-03-29 17:32 UTC
To: Gentoo-User
Hi list!
I think I have problems understanding the way /etc/conf.d/cryptfs works.
My goal is to open a LUKS mapping for /var with a gpg-encrypted file
on /boot and then open a mapping for /var/tmp with a plaintext file
on /var.
I thought it would work with the following settings:
/etc/conf.d/cryptfs
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'
target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'
___________
/etc/fstab
/dev/mapper/var /var reiserfs [...]
/dev/mapper/var_tmp /var/tmp reiserfs [...]
___________
I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
partition and followed its advice.
However, the setup doesn't work. I'm not asked for the passphrase, the
mappings are not created. What did I forget?
Thanks in advance!
Florian Philipp
* Re: [gentoo-user] Cryptfs
From: Dirk Heinrichs @ 2008-03-30 7:50 UTC
To: gentoo-user
On Saturday, 29 March 2008, Florian Philipp wrote:
> My goal is to open a LUKS mapping for /var with a gpg-encrypted file
> on /boot and then open a mapping for /var/tmp with a plaintext file
> on /var.
See below. But while we're at it, can anybody tell me what's the advantage of
a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?
> I thought it would work with the following settings:
>
> /etc/conf.d/cryptfs
It's /etc/conf.d/dmcrypt nowadays.
> target=var
> source='/dev/mapper/vg-crypt_var'
> key='/boot/key.gpg:gpg'
>
> target=var_tmp
> source='/dev/mapper/vg-crypt_var_tmp'
> key='/var/lib/tmp_key'
>
>
> I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> partition and followed their advice.
Which warning, btw? Works just fine here.
> However, the setup doesn't work. I'm not asked for the passphrase, the
> mappings are not created. What did I forget?
That the mappings are created all in one go before anything is mounted, so you
can't put the keyfile for /var into /boot. The only thing that would work is
to put the keyfile on the root fs, because that's the only one that is
mounted when the mappings are created, like:
target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
Bye...
Dirk
* Re: [gentoo-user] Cryptfs
From: Florian Philipp @ 2008-03-30 11:24 UTC
To: gentoo-user
On Sun, 2008-03-30 at 09:50 +0200, Dirk Heinrichs wrote:
> On Saturday, 29 March 2008, Florian Philipp wrote:
>
> > My goal is to open a LUKS mapping for /var with a gpg-encrypted file
> > on /boot and then open a mapping for /var/tmp with a plaintext file
> > on /var.
>
> See below. But while we're at it, can anybody tell me what's the advantage of
> a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?
Keys from urandom work great for /tmp and swap, but how should I use this
for a partition which is supposed to keep its content between reboots?
>
> > I thought it would work with the following settings:
> >
> > /etc/conf.d/cryptfs
>
> It's /etc/conf.d/dmcrypt nowadays.
Interesting, why is there no hint that cryptfs is deprecated/obsolete?
>
> > target=var
> > source='/dev/mapper/vg-crypt_var'
> > key='/boot/key.gpg:gpg'
> >
> > target=var_tmp
> > source='/dev/mapper/vg-crypt_var_tmp'
> > key='/var/lib/tmp_key'
> >
> >
> > I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> > partition and followed their advice.
>
> Which warning, btw.? Works just fine here.
>
"# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information."
> > However, the setup doesn't work. I'm not asked for the passphrase, the
> > mappings are not created. What did I forget?
>
> That the mappings are created all in one go before anything is mounted, so you
> can't put the keyfile for /var into /boot. The only thing that would work is
> to put the keyfile on the root fs, because that's the only one that is
> mounted when the mappings are created, like:
>
> target='c-usr'
> source='/dev/evms/usr'
> key='/etc/crypt/keyfile'
>
> Bye...
>
> Dirk
Thanks, I'll try it.
* Re: [gentoo-user] Cryptfs
From: Dirk Heinrichs @ 2008-03-30 11:24 UTC
To: gentoo-user
On Sunday, 30 March 2008, Florian Philipp wrote:
> On Sun, 2008-03-30 at 09:50 +0200, Dirk Heinrichs wrote:
> > On Saturday, 29 March 2008, Florian Philipp wrote:
> > > My goal is to open a LUKS mapping for /var with a gpg-encrypted file
> > > on /boot and then open a mapping for /var/tmp with a plaintext file
> > > on /var.
> >
> > See below. But while we're at it, can anybody tell me what's the
> > advantage of a gpg-encrypted keyfile over a keyfile generated from
> > /dev/urandom?
>
> Keys for urandom work great for /tmp and swap but how should I use this
> for a partition which is supposed to keep its content between reboots?
See my example below.
> > Which warning, btw.? Works just fine here.
>
> "# Note when using gpg keys and /usr on a separate partition, you will
> # have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
> # and ensure that gpg has been compiled statically.
> # See http://bugs.gentoo.org/90482 for more information."
Ah, I see. Since I don't use gpg it doesn't matter to me.
> > target='c-usr'
> > source='/dev/evms/usr'
> > key='/etc/crypt/keyfile'
Bye...
Dirk
* Re: [gentoo-user] Cryptfs
From: Neil Bothwick @ 2008-03-30 13:06 UTC
To: gentoo-user
On Sun, 30 Mar 2008 09:50:47 +0200, Dirk Heinrichs wrote:
> > However, the setup doesn't work. I'm not asked for the passphrase, the
> > mappings are not created. What did I forget?
>
> That the mappings are created all in one go before anything is mounted,
> so you can't put the keyfile for /var into /boot. The only thing that
> would work is to put the keyfile on the root fs, because that's the
> only one that is mounted when the mappings are created, like:
You can if you add
pre_mount="mount /dev/mapper/boot /boot"
to the boot stanza of dmcrypt; it forces the filesystem to be mounted
immediately.
I use a variant of this, where keys are stored on a dedicated partition.
The pre_mount and post_mount (which unmounts the filesystem) ensure that
the keys are only visible for as long as it takes to mount the other
filesystems.
--
Neil Bothwick
Thesaurus: ancient reptile with an excellent vocabulary
* Re: [gentoo-user] Cryptfs
From: Dirk Heinrichs @ 2008-03-30 16:50 UTC
To: gentoo-user
On Sunday, 30 March 2008, Neil Bothwick wrote:
> On Sun, 30 Mar 2008 09:50:47 +0200, Dirk Heinrichs wrote:
> > > However, the setup doesn't work. I'm not asked for the passphrase, the
> > > mappings are not created. What did I forget?
> >
> > That the mappings are created all in one go before anything is mounted,
> > so you can't put the keyfile for /var into /boot. The only thing that
> > would work is to put the keyfile on the root fs, because that's the
> > only one that is mounted when the mappings are created, like:
>
> You can if you add
>
> pre_mount="mount /dev/mapper/boot /boot"
>
> to the boot stanza of dmcrypt, it forces the filesystem to be mounted
> immediately.
>
> I use a variant of this, where keys are stored on a dedicated partition.
> The pre_mount and post_mount (which unmounts the filesystem) ensure that
> the keys are only visible for as long as it takes to mount the other
> filesystems.
I protect the root fs with a passphrase and all other volumes with a keyfile
stored in this fs. No need to mount anything (however, I _do_ need an
initramfs because of this).
Bye...
Dirk
* Re: [gentoo-user] Cryptfs
From: Neil Bothwick @ 2008-03-30 20:13 UTC
To: gentoo-user
On Sun, 30 Mar 2008 18:50:59 +0200, Dirk Heinrichs wrote:
> > I use a variant of this, where keys are stored on a dedicated
> > partition. The pre_mount and post_mount (which unmounts the
> > filesystem) ensure that the keys are only visible for as long as it
> > takes to mount the other filesystems.
>
> I protect the root fs with a passphrase and all other volumes with a
> keyfile stored in this fs. No need to mount anything (however, I _do_
> need an initramfs because of this).
That still means your keys are readable all the time, whereas mine
disappear long before the network comes up.
--
Neil Bothwick
Remember, it takes 47 muscles to frown
And only 4 to pull the trigger of a sniper rifle....
* Re: [gentoo-user] Cryptfs
From: Dirk Heinrichs @ 2008-03-31 6:36 UTC
To: gentoo-user
On Sunday, 30 March 2008, ext Neil Bothwick wrote:
> On Sun, 30 Mar 2008 18:50:59 +0200, Dirk Heinrichs wrote:
> > I protect the root fs with a passphrase and all other volumes with a
> > keyfile stored in this fs. No need to mount anything (however, I _do_
> > need an initramfs because of this).
>
> That still means your keys are readable all the time,
By root only, chmod 400 is your friend.
> whereas mine
> disappear long before the network comes up.
So what? If somebody cracks into your box and gains root access, he can't
mount /boot and take the keys? You'll need SELinux to prevent this.
Bye...
Dirk
--
Dirk Heinrichs | Tel: +49 (0)162 234 3408
Configuration Manager | Fax: +49 (0)211 47068 111
Capgemini Deutschland | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68 | Web: http://www.capgemini.com
D-40468 Düsseldorf | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
* Re: [gentoo-user] Cryptfs
From: Neil Bothwick @ 2008-03-31 8:11 UTC
To: gentoo-user
On Mon, 31 Mar 2008 07:36:52 +0100, Dirk Heinrichs wrote:
> > That still means your keys are readable all the time,
>
> By root only, chmod 400 is your friend.
But still readable.
>
> > whereas mine
> > disappear long before the network comes up.
>
> So what? If somebody cracks into your box and gains root access, he
> can't mount /boot and take the keys?
That's right, because the keys aren't in /boot ;-)
--
Neil Bothwick
WITLAG: The delay between delivery and comprehension of a joke.
* Re: [gentoo-user] Cryptfs
From: Dirk Heinrichs @ 2008-03-31 16:15 UTC
To: gentoo-user
Neil Bothwick wrote:
> On Mon, 31 Mar 2008 07:36:52 +0100, Dirk Heinrichs wrote:
>
>>> That still means your keys are readable all the time,
>> By root only, chmod 400 is your friend.
>
> But still readable.
>>> whereas mine
>>> disappear long before the network comes up.
>> So what? If somebody cracks into your box and gains root access, he
>> can't mount /boot and take the keys?
>
> That's right, because the keys aren't in /boot ;-)
But they are somewhere. He who has cracked your box can simply look into
/etc/conf.d/dmcrypt to find out where your keyfile is stored and mount
that fs if needed. There's no difference in storing them on the root fs
directly, it will take the cracker just a few seconds longer to get it.
But hey, this answers my question about the sense of using gpg encrypted
keyfiles. :-)
Another possible solution is to put the keyfile(s) on a USB stick and
unplug it right after booting. I doubt I would always remember to do
so :-)
Bye...
Dirk
* Re: [gentoo-user] Cryptfs
From: Neil Bothwick @ 2008-03-31 22:11 UTC
To: gentoo-user
On Mon, 31 Mar 2008 18:15:54 +0200, Dirk Heinrichs wrote:
> > That's right, because the keys aren't in /boot ;-)
>
> But they are somewhere. He who has cracked your box can simply look into
> /etc/conf.d/dmcrypt to find out where your keyfile is stored and mount
> that fs if needed.
Not without the password. That filesystem uses a password, not a keyfile.
--
Neil Bothwick
Blessed be the pessimist for he hath made backups.
* Re: [gentoo-user] Cryptfs
From: Dirk Heinrichs @ 2008-04-01 6:04 UTC
To: gentoo-user
On Tuesday, 1 April 2008, ext Neil Bothwick wrote:
> On Mon, 31 Mar 2008 18:15:54 +0200, Dirk Heinrichs wrote:
> > > That's right, because the keys aren't in /boot ;-)
> >
> > But they are somewhere. He who has cracked your box can simply look
> > into /etc/conf.d/dmcrypt to find out where your keyfile is stored and
> > mount that fs if needed.
>
> Not without the password. That filesystem uses a password, not a keyfile.
You didn't say this before. Now I finally get the whole picture.
Bye...
Dirk
* Re: [gentoo-user] Cryptfs
From: Neil Bothwick @ 2008-04-01 7:49 UTC
To: gentoo-user
On Tue, 1 Apr 2008 08:04:10 +0200, Dirk Heinrichs wrote:
> > Not without the password. That filesystem uses a password, not a
> > keyfile.
>
> You didn't say this before. Now I finally get the whole picture.
You're right. I thought I had but checking back I see I didn't actually
mention that. I use something like this.
target=keys
source=/dev/lvg/keys
pre_mount="mount /dev/mapper/keys /mnt/tmp"
post_mount="umount /mnt/tmp; cryptsetup luksClose keys"
target=home
source='/dev/lvg/home'
key='/mnt/tmp/home.key'
--
Neil Bothwick
If you can't be kind, be vague.
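An added example, not code from the thread and not Gentoo's own dmcrypt init script, that turns the two points argued above into something checkable. It parses a config written in the plain key=value layout the thread quotes and reports, for every keyfile-protected target, whether the key's location is only transiently mounted (Neil's keys volume with pre_mount and post_mount), stays mounted, or must already be on the root fs because nothing in the config mounts it, which is why Florian's key on /boot was never found while Dirk's /etc/crypt/keyfile works. It also creates a /dev/urandom keyfile with the owner-only mode Dirk mentions and checks that mode. The sample config is constructed from the stanzas in this thread; the function names, the 64-byte key length and the `:gpg` suffix handling are my assumptions. The `cryptsetup luksAddKey` enrolment step is only named in a comment because it needs a real LUKS device.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's dmcrypt init script.
# Two things the thread argues about, made checkable:
#  1. where each keyfile in a /etc/conf.d/dmcrypt-style config actually lives
#     (root fs, a transiently mounted keys volume, or somewhere never mounted)
#  2. keyfiles generated from /dev/urandom with owner-only permissions (chmod 400)

# Constructed sample config stitched together from the stanzas quoted in the thread.
sample_conf() {
cat <<'EOF'
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'

target=keys
source=/dev/lvg/keys
pre_mount="mount /dev/mapper/keys /mnt/tmp"
post_mount="umount /mnt/tmp; cryptsetup luksClose keys"

target=home
source='/dev/lvg/home'
key='/mnt/tmp/home.key'

target=c-usr
source=/dev/evms/usr
key='/etc/crypt/keyfile'
EOF
}

# Reads a config on stdin and prints "<target> <keyfile> <status>" for every
# stanza that uses a keyfile. Statuses:
#   transient      key is under a mountpoint that a pre_mount mounts and a
#                  post_mount unmounts again (Neil's keys volume)
#   stays-mounted  key is under a pre_mount mountpoint that is never unmounted
#   needs-root-fs  nothing in the config mounts the key's location, so the
#                  mapping only works if the key is on the root fs (Dirk's
#                  /etc/crypt/keyfile works; a key on a separate /boot does not)
# Only the plain key=value layout shown in the thread is understood (assumption).
audit_conf() {
  awk -v q="'" '
    function unq(v) { gsub("^[" q "\"]", "", v); gsub("[" q "\"]$", "", v); return v }
    { sub(/^[ \t]+/, "") }                       # tolerate indented lines
    /^target=/     { n++; tgt[n] = unq(substr($0, 8)) }
    /^key=/        { key[n] = unq(substr($0, 5)); sub(/:gpg$/, "", key[n]) }
    /^pre_mount=/  { pre[n] = unq(substr($0, 11)) }
    /^post_mount=/ { post[n] = unq(substr($0, 12)) }
    END {
      # mountpoint each stanza makes available: third word of "mount DEV DIR"
      for (j = 1; j <= n; j++)
        if (split(pre[j], a, " ") >= 3 && a[1] == "mount") mp[j] = a[3]
      for (i = 1; i <= n; i++) {
        if (key[i] == "") continue
        status = "needs-root-fs"
        for (j = 1; j <= n; j++)
          if (mp[j] != "" && index(key[i], mp[j] "/") == 1)
            status = index(post[j], "umount " mp[j]) ? "transient" : "stays-mounted"
        print tgt[i], key[i], status
      }
    }'
}

# Create a raw keyfile from /dev/urandom, readable by its owner only, the way
# Dirk describes. Enrolling it into a LUKS keyslot is the real
#   cryptsetup luksAddKey /dev/mapper/vg-crypt_var "$keyfile"
# step, which needs an existing passphrase and a real device, so it is not run here.
make_keyfile() {
  keyfile=$1
  ( umask 077 && head -c 64 /dev/urandom > "$keyfile" ) || return 1
  chmod 400 "$keyfile"
}

# Returns 0 when the keyfile's mode grants nothing to group or other
# (400 or 600). Parses ls -l so it works on GNU and BSD userlands alike.
keyfile_mode_ok() {
  mode=$(ls -ld "$1" | cut -c1-10) || return 1
  case $mode in
    -r--------|-rw-------) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo: audit the constructed sample config.
sample_conf | audit_conf
```

Run as a script it prints the audit of the sample; against a real system, `audit_conf < /etc/conf.d/dmcrypt` gives the same report for your own stanzas, and `keyfile_mode_ok /etc/crypt/keyfile` is the one-line check for the chmod 400 point.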