fai and cryptsetup

Patrick Schoenfeld patrick.schoenfeld at googlemail.com
Sun Sep 26 15:10:41 CEST 2010


Hi,

On Sun, Sep 26, 2010 at 01:30:48PM +0200, Michael Tautschnig wrote:
> Hmm, I thought that using the keyfile just meant "read key from this file" - can
> you just briefly confirm that this is not the case, i.e., using a keyfile is
> something totally different from using a passphrase?

it indeed is. I couldn't find any documentation backing up my statement,
but I just experimented with it a bit. Fact is, with a test passphrase
in a file being loaded into a keyslot, it's not possible to unlock that
keyslot by using the passphrase in the file as a passphrase.

That's what will bite us here.
Hm, I've tried to create a patch but somehow I fail. Currently
I have come to a point where the luksFormat is omitted for no
reason, making the following push commands fail... really obscure.
Maybe you can have a look at it.

Regards,
Patrick
-------------- next part --------------
--- Commands.pm.orig	2010-09-26 13:16:01.695888267 +0200
+++ Commands.pm	2010-09-26 15:09:39.735889160 +0200
@@ -251,8 +251,10 @@
       } elsif ($mode =~ /^luks:"([^"]+)"$/) {
         my $keyfile = "$ENV{LOGDIR}/$enc_dev_short_name";
 
-        # use specified key for encryption
-        &FAI::push_command("echo '$1' | tee $keyfile", "", "keyfile_$real_dev");
+        # create a temporary keyfile
+	&FAI::push_command(
+          "head -c 2048 /dev/urandom | head -n 47 | tail -n 46 | od | tee $keyfile",
+          "", "keyfile_$real_dev" );
         # encrypt
         &FAI::push_command(
           "yes YES | cryptsetup luksFormat $real_dev $keyfile -c aes-cbc-essiv:sha256 -s 256",
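Review bot: the key-generation pipeline on the new `+` line, `head -c 2048 /dev/urandom | head -n 47 | tail -n 46 | od | tee $keyfile`, is fragile and leaks the key. `head -n` and `tail -n` count newline bytes in random data, so how much of the 2048 bytes survives depends on how many 0x0a bytes happen to occur; `od` then turns what is left into an octal text dump with offset columns; and `tee` copies the entire key to stdout, which FAI records in its command log. Write the raw bytes straight into the file and keep them out of the log, e.g. `head -c 2048 /dev/urandom > $keyfile`, and create the file with restrictive permissions before filling it (`touch $keyfile && chmod 600 $keyfile`, or run the command under `umask 077`), because `$ENV{LOGDIR}` is a log directory and the file otherwise gets whatever the default umask allows. The `yes YES |` on the following `luksFormat` line can be dropped in favour of `cryptsetup -q luksFormat ...` (batch mode). Minor: the added `&FAI::push_command(` line is indented with a tab while the surrounding code uses spaces.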
@@ -260,6 +262,12 @@
         &FAI::push_command(
           "cryptsetup luksOpen $real_dev $enc_dev_short_name --key-file $keyfile",
           "crypt_format_$real_dev", "exist_$enc_dev_name" );
+        # use specified key for encryption
+	&FAI::push_command(
+	  "yes '$1' | cryptsetup luksAddKey --key-file $keyfile $real_dev" );
+	# remove the temporary keyfile
+	&FAI::push_command(
+	  "yes '$1' | cryptsetup luksRemoveKey $real_dev $keyfile" );
 
         # add entries to crypttab
         push @FAI::crypttab, "$enc_dev_short_name\t$real_dev\tnone\tluks";
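Review bot: the two new `push_command` calls pass only the command string, whereas every other call in this block also passes a prerequisite and a provided tag as the second and third arguments (e.g. `"crypt_format_$real_dev", "exist_$enc_dev_name"` on the `luksOpen` line). Without them nothing orders `luksAddKey` after `luksOpen`, or `luksRemoveKey` after `luksAddKey`, which may be behind the unexpected command ordering described in the mail; give them explicit dependencies, e.g. `"exist_$enc_dev_name", "addkey_$real_dev"` on the add and `"addkey_$real_dev", "removekey_$real_dev"` on the remove. Two more points on the same lines: `cryptsetup luksRemoveKey $real_dev $keyfile` only retires the key slot holding the random key, it does not delete `$keyfile` from `$ENV{LOGDIR}`, so the comment "remove the temporary keyfile" does not match what the command does; add `rm -f $keyfile` (or `shred -u $keyfile`) as a final step, and note that the `yes '$1' |` prefix on that line is unused since the key to remove is given as the positional keyfile. Finally, `yes '$1'` embeds the user's passphrase in single quotes on a shell command line, and the `luks:"([^"]+)"` match only excludes double quotes, so a passphrase containing a single quote breaks the quoting and hands the remainder to the shell; either reject such passphrases in the regex or feed the passphrase to cryptsetup from a file rather than the command line.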


More information about the linux-fai mailing list