[dm-crypt] cryptsetup with native PKCS#11 support

Krzysztof Rutecki krzysztof at kress-net.com
Sun May 19 21:02:53 CEST 2013


Hi guys 

I'm new here. The purpose of this email is the PKCS#11 support in cryptsetup I'm working on.


In short: I need to encrypt a disk with LUKS and store the key on a PKCS#11 compatible device. I know
there are a lot of examples of how to do this using GnuPG or OpenSSL. The goal is to have the key only on the token,
retrieved upon the 'luksOpen' operation based on the PIN only.


What is working now is:
- key generation (as pass-phrase) using the smartcard/token hardware RNG
- encrypt a backup of the key using a certificate from the token upon 'luksFormat'
- decrypt the key from the file using the private key from the token upon 'luksOpen'
- all the above extensions are built into the cryptsetup command (a few new switches)
- dependencies are minimal: only the PKCS#11 library file for the token is required (no libp11 or pkcs11-helper)


Later I will add storage of the keyfile on the token as a data object.


As this job is for private use only, the code is a little messy and unclean. 


So I want to open a discussion: is native PKCS#11 support in cryptsetup needed? If yes, please give me any
possible hint that can help, or a suggestion of what or how to implement to make it secure.


Regards 
Krzysztof Rutecki 