Discussion:
Cache passphrase for cryptsetup?
Nikolaus Rath
2014-04-19 20:49:04 UTC
Hello,

I have several LUKS encrypted volumes that use the same
passphrase. Before switching to systemd, I have used the decrypt_keyctl
keyscript to cache the passphrase, so that I have to enter it only once.

As far as I can tell, the systemd cryptsetup generator is ignoring the
keyscript option in /etc/crypttab when creating units.

Is there another way to achieve passphrase caching with systemd?


Thanks,
-Nikolaus
--
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

»Time flies like an arrow, fruit flies like a Banana.«
Matthew Monaco
2014-04-20 18:45:48 UTC
Post by Nikolaus Rath
Hello,
I have several LUKS encrypted volumes that use the same
passphrase. Before switching to systemd, I have used the decrypt_keyctl
keyscript to cache the passphrase, so that I have to enter it only once.
As far as I can tell, the systemd cryptsetup generator is ignoring the
keyscript option in /etc/crypttab when creating units.
Is there another way to achieve passphrase caching with systemd?
Thanks,
-Nikolaus
No, 'keyscript' is not (currently) supported. IMHO, you're not reducing your
security any by e.g. unlocking /root and storing keys for the other volumes
there. If you did this, you might want to use a separate keyslot for the task
with a longer key that you don't/can't remember, just for kicks.

However, you could probably cook up some units that take your password, write it
to /run and then point all of your volumes there.

And of course, the third option would be to submit a patch. The src/cryptsetup
stuff is pretty straightforward.
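The keyslot-plus-keyfile approach Matthew describes, worked through as an added example (this is not code from the thread or from systemd). It assumes a hypothetical key directory, /etc/luks-keys, on the root filesystem that the typed passphrase already unlocked; volume names, UUIDs and the script name are placeholders. Each secondary volume gets a 64-byte random key in its own keyslot, the keyfile is kept mode 0400 and root-owned, and /etc/crypttab points at it so systemd-cryptsetup unlocks without prompting. The same crypttab form serves the /run variant from the first suggestion; only the keyfile path changes.

```shell
#!/bin/sh
# Added example, not code from the thread: a long random key in a separate
# LUKS keyslot, stored on the already-unlocked root filesystem.
# KEYDIR and the volume names are assumptions, not values from the discussion.
set -eu

# Directory on the root filesystem that holds one keyfile per volume.
KEYDIR="${KEYDIR:-/etc/luks-keys}"

# make_keyfile NAME: write 64 random bytes to KEYDIR/NAME.key, mode 0400.
# The umask is set in a subshell so the file is never group/world-readable,
# not even between creation and the chmod.
make_keyfile() {
    mkdir -p "$KEYDIR"
    ( umask 077; head -c 64 /dev/urandom > "$KEYDIR/$1.key" )
    chmod 0400 "$KEYDIR/$1.key"
}

# check_keyfile PATH [OWNER]: succeed only if PATH is a non-empty regular file,
# mode exactly 0400 and owned by OWNER (root by default). A readable keyfile
# is as bad as a readable passphrase, so check before trusting one.
check_keyfile() {
    owner="${2:-root}"
    [ -n "$(find "$1" -prune -type f -perm 0400 -user "$owner" -size +0 -print)" ]
}

# crypttab_line NAME UUID KEYFILE [OPTIONS]: emit the /etc/crypttab entry that
# tells systemd-cryptsetup to unlock NAME with KEYFILE instead of prompting.
crypttab_line() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "${4:-luks}"
}

# enroll NAME DEVICE: add the keyfile to a fresh keyslot. Needs root, and
# cryptsetup asks for an existing passphrase; that passphrase keyslot stays
# intact, so the volume can still be opened interactively.
enroll() {
    cryptsetup luksAddKey "$2" "$KEYDIR/$1.key"
}

# Driver, only when invoked as: ./luks-keyfile.sh enroll NAME /dev/sdXn UUID
if [ "${1:-}" = "enroll" ] && [ $# -eq 4 ]; then
    make_keyfile "$2"
    check_keyfile "$KEYDIR/$2.key"
    enroll "$2" "$3"
    echo "Append this line to /etc/crypttab:"
    crypttab_line "$2" "$4" "$KEYDIR/$2.key"
fi
```

The root volume itself (and, as Nikolaus points out in his reply, swap if hibernation has to resume) still takes the typed passphrase; only the remaining volumes switch to the keyfile. Because the keyfile lives on the encrypted root, an attacker with the powered-off disk gains nothing from it, which is the point Matthew makes about not reducing security.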
Mantas Mikulėnas
2014-04-20 18:55:11 UTC
Post by Matthew Monaco
And of course, the third option would be to submit a patch. The src/cryptsetup
stuff is pretty straightforward.
Wasn't one submitted just a month ago?
--
Mantas Mikulėnas <***@gmail.com>
David Härdeman
2014-04-25 14:34:15 UTC
Post by Mantas Mikulėnas
Post by Matthew Monaco
And of course, the third option would be to submit a patch. The src/cryptsetup
stuff is pretty straightforward.
Wasn't one submitted just a month ago?
Yes, patches 1/3 and 2/3 were committed very recently and I still need
to post patch 3/3. Then a separate patch is necessary for the cryptsetup
package in Debian and after that, keyscript= will work for Debian at
least.
--
David Härdeman
Nikolaus Rath
2014-04-20 23:45:09 UTC
Post by Matthew Monaco
Post by Nikolaus Rath
I have several LUKS encrypted volumes that use the same
passphrase. Before switching to systemd, I have used the decrypt_keyctl
keyscript to cache the passphrase, so that I have to enter it only once.
As far as I can tell, the systemd cryptsetup generator is ignoring the
keyscript option in /etc/crypttab when creating units.
Is there another way to achieve passphrase caching with systemd?
No, 'keyscript' is not (currently) supported. IMHO, you're not reducing your
security any by e.g. unlocking /root and storing keys for the other volumes
there.
Agreed, but it doesn't help much. You have to unlock swap first or it
will break hibernation, which means you still need to enter the password
at least twice.
Post by Matthew Monaco
However, you could probably cook up some units that take your
password, write it to /run and then point all of your volumes there.
Good idea (though it wouldn't be units but initramfs hooks), thanks!

Best,
-Nikolaus
--
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

»Time flies like an arrow, fruit flies like a Banana.«
Lennart Poettering
2014-04-22 04:57:14 UTC
Post by Nikolaus Rath
Hello,
I have several LUKS encrypted volumes that use the same
passphrase. Before switching to systemd, I have used the decrypt_keyctl
keyscript to cache the passphrase, so that I have to enter it only once.
As far as I can tell, the systemd cryptsetup generator is ignoring the
keyscript option in /etc/crypttab when creating units.
Is there another way to achieve passphrase caching with systemd?
If you use systemd with plymouth you will get this automatically, as
plymouth will cache the password for you.

There has been a long-standing TODO list item to use the kernel keyring
as cache for HDD passwords, and then optionally even open this up to be
useful for no-password logins for default users, which can be used to
unlock the gnome keyring or suchlike.

Lennart
--
Lennart Poettering, Red Hat