[dm-crypt] [PATCH] Network passphrase reading

Mario 'BitKoenig' Holbe Mario.Holbe at TU-Ilmenau.DE
Tue Jan 19 01:39:09 CET 2010


Bryan Kadzban <cryptsetup at kdzbn.homelinux.net> wrote:
> Hmm.  Indeed, askpass listens on several file descriptors, including
> /dev/console and a specific named pipe.  (Also on some sort of pipe or
> socket or something to splashy, whatever that is, and another pipe or
> socket or something to usplash, whatever *that* is.  Presumably those
> things are "infrastructure in Debian initramfs or boot scripts".)  It
> wouldn't be terribly difficult to make askpass listen on a socket
> directly as well (although again, you'd really want to build in some
> kind of encryption; sshd is probably easier).

It listens on /lib/cryptsetup/passfifo. This one you are able to reach
via ssh (dropbear in initramfs) and piping some passphrase into it in a
more or less secure manner (i.e. network traffic crypted via ssh).
I'm not aware of any generic socket it listens on. I personally wouldn't
feel well with a generic network socket for generic use (independent on
how far you personally would trust your local network) unless you'd use
some sort of public/private key authentication over it (smartcard
interaction or whatever).

> Looks like the way to get this all to fit together is to pipe askpass
> into cryptsetup, and move the select() multiplexing out of cryptsetup
> itself.  I suppose that works.

This is what Debian's initramfs does.
                cryptcreate="/sbin/cryptsetup -T 1 ...
                        cryptkeyscript="/lib/cryptsetup/askpass"
                     $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=-

> Would it be possible to drop askpass into the cryptsetup package here?

IMHO, the best way would be to provide askpass as cryptsetup/contrib
content.


regards
   Mario
-- 
Oh Du mein Koenig ... Eine Netzgroesse schrieb mal sinngemaess:
Du musst es so lesen wie ich es meine, nicht so wie ich es schreibe.
Ich meine es natuerlich so, wie Du es schreibst 8--)
                                    O.G. Schwenk - de.comm.chatsystems



More information about the dm-crypt mailing list