[dm-crypt] Using passdev and decrypt_derived together?

Martian martian at mafiainc.net
Mon Mar 5 13:23:11 CET 2012


Hi,

Recently I setup my Debian wheezy working laptop to have /home partition
encrypted using cryptsetup and passdev script to load the key from a SD
card inserted to my laptop's SD slot. In additional I have setup my swap
partition encrypted, because I red this is a highly recommended for
increased security.
So I have also root /, /tmp, /usr and /var partitions that I decided to
left unencrypted.

In order to have hibernate functionality I am trying to achieve
automatic decryption of swap partition using decrypt_derived script.
This means I want to have /home decrypted first by passdev (this I
configured and working fine) and then swap decrypted using
decrypt_derived from /home (this is not working in initrd for some reason)

Here is the configuration taken from initrd:
target=sda9_crypt,source=UUID=d8f706c5-5599-4b86-b8d4-abe55510c1c3,key=/dev/mmcblk0p1:/keys/sda9.luks.key,keyscript=/lib/cryptsetup/scripts/passdev
target=sda7_crypt,source=UUID=cbfb7208-8a2a-498a-87bd-ba7370a26731,key=sda9_crypt,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived

I enabled debug on initramfs from grub bootloader and reviewed the file
/run/initramfs/initramfs.debug after boot process completed:
... cut ...
Begin: Running /scripts/local-top ... + run_scripts /scripts/local-top
+ initdir=/scripts/local-top
+ [ ! -d /scripts/local-top ]
+ [ -f /scripts/local-top/ORDER ]
+ . /scripts/local-top/ORDER
+ /scripts/local-top/cryptopensc
+ [ -e /conf/param.conf ]
+ /scripts/local-top/cryptroot
*cryptsetup: sda9_crypt set up successfully                    <- */home
partition decrypted successfully
*No key available with this passphrase.                        <- I
assume this is related to swap sda7_crypt
cryptsetup: cryptsetup failed, bad password or options?*       *<-* why?
No key available with this passphrase.
cryptsetup: cryptsetup failed, bad password or options?
No key available with this passphrase.
cryptsetup: cryptsetup failed, bad password or options?
+ [ -e /conf/param.conf ]
... cut ...

It seems like what happening later when initrd is completed and
/sbin/init is executed is that swap partition is mounted successfully
after all, but since this is not happening inside initrd the hibernate
feature is not working.

This is how it looks like after boot finished:
*# mount*
udev on /dev type devtmpfs
(rw,relatime,size=2017156k,nr_inodes=213275,mode=755)
devpts on /dev/pts type devpts
(rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=404528k,mode=755)
/dev/disk/by-uuid/c4b2d6d6-048d-43e4-9309-0a73aa7fe26c on / type ext4
(rw,relatime,errors=remount-ro,user_xattr,barrier=1,stripe=4,data=ordered)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,size=809056k)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,relatime,size=809056k)
*/dev/mapper/sda9_crypt on /home type ext4
(rw,relatime,user_xattr,barrier=1,data=ordered)*
/dev/sda8 on /tmp type ext4
(rw,relatime,user_xattr,barrier=1,stripe=4,data=ordered)
/dev/sda5 on /usr type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
/dev/sda6 on /var type ext4 (rw,relatime,user_xattr,barrier=1,data=ordered)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc
(rw,nosuid,nodev,noexec,relatime)

*# swapon -s*
Filename                Type        Size    Used    Priority
*/dev/mapper/sda7_crypt                  partition    8182780    16    -1*

Can anybody help either with suggestion why this isn't working or any
alternative approach? Is it insecure to use the different keys for both
/home and swap and to use passdev for both for example? Or may be left
swap unencrypted after all? (what exactly is compromised by this way?)

Thanks in advance!

Cheers,
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20120305/8df04682/attachment.html>


More information about the dm-crypt mailing list