[dm-crypt] PKCS#11 support in cryptsetup

Johanna A johanna-a at mjao.org
Sat May 7 09:03:15 CEST 2016


I am aware that this has been previously discussed in the following threads:
http://www.saout.de/pipermail/dm-crypt/2013-May/003329.html
http://www.saout.de/pipermail/dm-crypt/2015-April/004667.html

I have been working on bringing PKCS#11 support to systemd's
"cryptsetup" (that uses libcryptsetup). However, maintainers of
systemd has suggested that cryptsetup may be a better place for this
functionality.

The relevant discussions on systemd are:
https://github.com/systemd/systemd/pull/2776
https://github.com/systemd/systemd/pull/3007

In a comment to the last pull request I suggest adding pkcs#11 support
in cryptsetup in a similar way as to how keyfiles are handled. In a
way keyfiles and pkcs#11 data objects are quite similar. Both are
accessiable via an URI (https://tools.ietf.org/html/rfc7512), both can
be read depending on size or until EOF.

The main problem is that pkcs#11 are accessed through a provider,
rather than a filesystem. Providers are not included in the kernel and
as such are less "accessible". I have tried to find a standard way of
enumerating providers in UNIX systems but unfortunately there seems to
be none. The closest seem to be p11-kit
(https://p11-glue.freedesktop.org/p11-kit.html).
I would suggest that the solution to this would be to accept a
provider through arguments.

What are your thoughts on this?


More information about the dm-crypt mailing list