[dm-crypt] [PATCH] Network passphrase reading
Mario 'BitKoenig' Holbe
Mario.Holbe at TU-Ilmenau.DE
Tue Jan 19 01:39:09 CET 2010
Bryan Kadzban <cryptsetup at kdzbn.homelinux.net> wrote:
> Hmm. Indeed, askpass listens on several file descriptors, including
> /dev/console and a specific named pipe. (Also on some sort of pipe or
> socket or something to splashy, whatever that is, and another pipe or
> socket or something to usplash, whatever *that* is. Presumably those
> things are "infrastructure in Debian initramfs or boot scripts".) It
> wouldn't be terribly difficult to make askpass listen on a socket
> directly as well (although again, you'd really want to build in some
> kind of encryption; sshd is probably easier).
It listens on /lib/cryptsetup/passfifo. You can reach this one via ssh
(dropbear in initramfs) and pipe a passphrase into it in a more or less
secure manner (i.e. the network traffic is encrypted via ssh).
I'm not aware of any generic socket it listens on. I personally wouldn't
feel comfortable with a generic network socket for generic use (independent
of how far you personally would trust your local network) unless you'd use
some sort of public/private key authentication over it (smartcard
interaction or whatever).
> Looks like the way to get this all to fit together is to pipe askpass
> into cryptsetup, and move the select() multiplexing out of cryptsetup
> itself. I suppose that works.
This is what Debian's initramfs does:

    cryptcreate="/sbin/cryptsetup -T 1 ...
    $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=-
> Would it be possible to drop askpass into the cryptsetup package here?
IMHO, the best way would be to provide askpass as cryptsetup/contrib.
Oh you, my king ... A net celebrity once wrote, roughly:
You have to read it the way I mean it, not the way I write it.
Of course I mean it the way you write it 8--)
O.G. Schwenk - de.comm.chatsystems
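The passfifo-plus-pipe arrangement discussed above, as an added stand-alone example (not Debian's cryptroot scripts or askpass itself): one shell function plays askpass waiting on a named pipe, a second plays the admin writing into that pipe from an ssh session, and a third stands in for "cryptsetup --key-file=-" reading the key from stdin. The FIFO path, the 0600 mode and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: simulates "$cryptkeyscript | cryptsetup --key-file=-"
# with a named pipe as the remote passphrase channel. Path is constructed.
PASSFIFO="${TMPDIR:-/tmp}/passfifo.$$"

# Stand-in for askpass: create the FIFO, block until exactly one line
# arrives on it, print that line to stdout and remove the FIFO again.
fifo_askpass() {
    rm -f "$PASSFIFO"
    mkfifo -m 0600 "$PASSFIFO"      # only the owner may write into it
    # 'read' blocks until a writer (e.g. the ssh session) opens the FIFO
    IFS= read -r pass < "$PASSFIFO" || :
    rm -f "$PASSFIFO"
    printf '%s' "$pass"
}

# Stand-in for the ssh session: what the admin would type after logging
# in to dropbear, i.e.  printf '%s\n' "$PASS" > /lib/cryptsetup/passfifo
remote_supply() {
    # wait until the FIFO exists, then write one line and exit
    while [ ! -p "$PASSFIFO" ]; do sleep 0.1; done
    printf '%s\n' "$1" > "$PASSFIFO"
}

# Stand-in for 'cryptsetup --key-file=-': consume the key from stdin.
# Here it only reports how many characters it received.
key_consumer() {
    key=$(cat)
    printf 'key-bytes=%s\n' "${#key}"
}

# Full round trip: the remote writer in the background, askpass piped
# into the consumer in the same shape as the Debian initramfs line.
unlock_demo() {
    remote_supply "$1" &
    fifo_askpass | key_consumer
    wait
}
```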