[dm-crypt] cryptsetup with native PKCS#11 support
krzysztof at kress-net.com
Sun May 19 21:02:53 CEST 2013
I'm new here. The purpose of this email is the PKCS#11 support in cryptsetup I'm working on.
In short: I need to encrypt a disk with LUKS and store the key on a PKCS#11-compatible device. I know
there are a lot of examples of how to do this using gnupg or openssl. The goal is to have the key only on the token,
retrieved upon the 'luksOpen' operation based on the PIN only.
What is working now is:
- key generation (as pass-phrase) using the smartcard/token hardware RNG
- encrypting a backup of the key using the certificate from the token upon 'luksFormat'
- decrypting the key from the file using the private key from the token upon 'luksOpen'
- all of the above extensions are built into the cryptsetup command (a few new switches)
- dependencies are minimal: only the pkcs11 library file for the token is required (no libp11 or pkcs11-helper)
Later I will add storage of keyfile on token as data object.
As this job is for private use only, the code is a little messy and unclean.
So I want to open a discussion: is native PKCS#11 support in cryptsetup needed? If yes, please give me any
possible hint that can help, or suggestions on what or how to implement it to make it secure.
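The wrap/unwrap design described above (random key generated at 'luksFormat', a backup of it encrypted to the token certificate, recovered with the token private key at 'luksOpen') can be reproduced end to end with the openssl CLI alone. The script below is an added example written for this page; it is not the author's cryptsetup patch and uses no PKCS#11 calls. It assumes `openssl` is on the PATH, and it substitutes a freshly generated software RSA key pair for the token's certificate and on-token private key, and /dev/urandom (via `openssl rand`) for the token's hardware RNG. The file names under the temporary directory are the example's own choice.

```shell
#!/bin/sh
# Added example, not the author's code: LUKS key wrap/unwrap with an X.509
# certificate and RSA private key.  Assumption: the openssl CLI is installed.
# A software key pair stands in for the token; with a real PKCS#11 device the
# decrypt in unwrap_key() would run on-card after PIN entry.
set -eu
umask 077                      # key material files are created owner-only

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT     # nothing secret survives the run

# Stand-in for the token: self-signed certificate plus its private key.
make_token_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=luks-token-stand-in \
        -keyout "$WORK/token-priv.pem" -out "$WORK/token-cert.pem" 2>/dev/null
}

# 'luksFormat' side: draw a random 64-byte key (the post uses the token RNG,
# here openssl rand) and encrypt a backup copy to the token's certificate
# with RSA-OAEP.  Only the ciphertext needs to be kept next to the volume.
wrap_key() {
    openssl rand -out "$WORK/luks-key.bin" 64
    openssl pkeyutl -encrypt -certin -inkey "$WORK/token-cert.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/luks-key.bin" -out "$WORK/luks-key.enc"
}

# 'luksOpen' side: recover the key with the private key.  In the real design
# the plaintext would be handed straight to cryptsetup (e.g. --key-file on a
# pipe) rather than written out; the file here is only for the comparison.
unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/token-priv.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/luks-key.enc" -out "$WORK/luks-key.dec"
}

# Returns 0 only when the unwrapped key is byte-for-byte the generated one.
roundtrip_ok() {
    make_token_keypair
    wrap_key
    unwrap_key
    cmp -s "$WORK/luks-key.bin" "$WORK/luks-key.dec"
}

# Returns 0 when the ciphertext is the RSA modulus size (256 bytes for a
# 2048-bit key), i.e. the backup leaks nothing about the key length.
ciphertext_is_modulus_sized() {
    [ "$(wc -c < "$WORK/luks-key.enc")" -eq 256 ]
}

roundtrip_ok && echo "wrapped LUKS key round-trips through the stand-in token"
```

Usage: run the script as-is; it prints the success line and deletes its temporary directory. The security of the design reduces to two properties the script cannot demonstrate but a reviewer of the real patch would check: that the private key on the token is marked non-extractable so the encrypted backup is only ever usable through the card, and that the token enforces a PIN retry limit so the backup plus a stolen token is not an offline guessing target.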