fai and cryptsetup
Patrick Schoenfeld
patrick.schoenfeld at googlemail.com
Sun Sep 26 15:10:41 CEST 2010
Hi,
On Sun, Sep 26, 2010 at 01:30:48PM +0200, Michael Tautschnig wrote:
> Hmm, I thought that using the keyfile just meant "read key from this file" - can
> you just briefly confirm that this is not the case, i.e., using a keyfile is
> something totally different from using a passphrase?
it indeed is. I couldn't find any documentation backing up my statement,
but I just experimented with it a bit. Fact is, with a test passphrase
in a file being loaded into a keyslot, it's not possible to unlock that
keyslot by using the passphrase in the file as a passphrase.
That's what will bite us here.
Hm, I've tried to create a patch, but somehow I fail. Currently
I have come to a point where the luksFormat is omitted for no
reason, making the following push commands fail... really obscure.
Maybe you can have a look at it.
Regards,
Patrick
--- Commands.pm.orig 2010-09-26 13:16:01.695888267 +0200
+++ Commands.pm 2010-09-26 15:09:39.735889160 +0200
@@ -251,8 +251,10 @@
} elsif ($mode =~ /^luks:"([^"]+)"$/) {
my $keyfile = "$ENV{LOGDIR}/$enc_dev_short_name";
- # use specified key for encryption
- &FAI::push_command("echo '$1' | tee $keyfile", "", "keyfile_$real_dev");
+ # create a temporary keyfile
+ &FAI::push_command(
+ "head -c 2048 /dev/urandom | head -n 47 | tail -n 46 | od | tee $keyfile",
+ "", "keyfile_$real_dev" );
# encrypt
&FAI::push_command(
"yes YES | cryptsetup luksFormat $real_dev $keyfile -c aes-cbc-essiv:sha256 -s 256",
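Review bot: the key generation on the `head -c 2048 /dev/urandom | head -n 47 | tail -n 46 | od | tee $keyfile` line is fragile and copies the key to stdout. `head -n`/`tail -n` split random binary data on whatever newline bytes happen to occur in it, so an unpredictable part of the 2048 bytes survives (often all of it, sometimes everything but a leading chunk), `od` only re-encodes what is left, and `tee` writes the key material to stdout as well as to the file, which is created with the default umask under $ENV{LOGDIR}. Something like `(umask 077; head -c 32 /dev/urandom > $keyfile)` gives a fixed-size key and no second copy. The removed `echo '$1' | tee $keyfile` line had the same `tee` problem and, in addition, `echo` appended a newline to the passphrase; cryptsetup uses a key file's bytes verbatim, so the slot was enrolled with "passphrase plus newline", which is why it would not open with the passphrase typed interactively. `printf '%s' '$1' > $keyfile` (under umask 077) enrols exactly the passphrase and would avoid the temporary-key round trip altogether.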
@@ -260,6 +262,12 @@
&FAI::push_command(
"cryptsetup luksOpen $real_dev $enc_dev_short_name --key-file $keyfile",
"crypt_format_$real_dev", "exist_$enc_dev_name" );
+ # use specified key for encryption
+ &FAI::push_command(
+ "yes '$1' | cryptsetup luksAddKey --key-file $keyfile $real_dev" );
+ # remove the temporary keyfile
+ &FAI::push_command(
+ "yes '$1' | cryptsetup luksRemoveKey $real_dev $keyfile" );
# add entries to crypttab
push @FAI::crypttab, "$enc_dev_short_name\t$real_dev\tnone\tluks";
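Review bot: the two new push_command calls for luksAddKey and luksRemoveKey pass only the command string, whereas every other push_command call in this file passes a requires/provides pair (e.g. "crypt_format_$real_dev", "exist_$enc_dev_name"), so nothing orders them after the luksOpen above them or relative to each other; give them explicit dependencies, e.g. "exist_$enc_dev_name" as the requirement of luksAddKey and a new tag it provides as the requirement of luksRemoveKey. Two further points. `yes '$1'` interpolates the user's passphrase into a shell command inside single quotes, so a passphrase containing a single quote (which the `luks:"([^"]+)"` regex admits) breaks the command, and the passphrase is visible in the process list as the argument of `yes` while the command runs; writing it with `printf '%s'` into a 0600 file and passing that file as the positional new key file of luksAddKey avoids both, and luksRemoveKey then needs no stdin at all since its key is given positionally. Finally, the comment "remove the temporary keyfile" is misleading: luksRemoveKey only clears the key slot and leaves $keyfile on disk in $ENV{LOGDIR}, so follow it with `rm -f $keyfile` (or shred it).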
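The sequence the patch is trying to generate, written out as an added shell example. This is not FAI's code and not taken from Commands.pm; the function names, the device/mapper/passphrase-file parameters and the cipher settings (copied from the patch) are assumptions for illustration. The point it adds to the thread is the mechanism behind the observed behaviour: cryptsetup uses a key file's bytes verbatim, so a file written with echo contains the passphrase plus a trailing newline and the resulting slot does not open with the passphrase typed at a prompt, while a file written with printf '%s' does. The helper functions run unprivileged; luks_setup_with_passphrase needs root, cryptsetup with LUKS support and a scratch block device, and is not exercised by the self-test.

```sh
#!/bin/sh
# Added example, not FAI's code: temporary random key, format, open, enrol the
# user's passphrase from a 0600 file (never via `yes '...' |`), drop the
# temporary slot, delete the temporary file. Assumed: cryptsetup with LUKS,
# root, and a scratch device supplied by the caller.
set -eu

# Byte count of a file, stripped of the padding some wc implementations emit.
file_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Byte count of a string; printf '%s' adds no newline.
string_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# 32 random bytes, written under umask 077 and never copied to stdout
# (the patch's `... | od | tee $keyfile` pipeline put the key in the log).
make_tmp_keyfile() {
    keyfile=$1
    ( umask 077; head -c 32 /dev/urandom > "$keyfile" )
    [ "$(file_bytes "$keyfile")" -eq 32 ]
}

# Store the user's passphrase as a key file. cryptsetup takes the file's
# bytes verbatim, so `echo "$pass" > file` would enrol "$pass" plus '\n';
# printf '%s' writes exactly the passphrase, which then matches the
# interactive prompt at boot.
write_passphrase_file() {
    file=$1; pass=$2
    ( umask 077; printf '%s' "$pass" > "$file" )
}

# Shows the difference the thread ran into: the same passphrase written with
# echo is one byte longer than written with printf '%s'. Returns that delta.
keyfile_length_difference() {
    pass=$1; dir=$(mktemp -d)
    echo "$pass" > "$dir/with_echo"
    printf '%s' "$pass" > "$dir/with_printf"
    delta=$(( $(file_bytes "$dir/with_echo") - $(file_bytes "$dir/with_printf") ))
    rm -rf "$dir"
    echo "$delta"    # 1: the trailing newline that became part of the enrolled key
}

# The full sequence. $1 = block device, $2 = mapper name, $3 = passphrase file
# produced by write_passphrase_file. Needs root; not run by the self-test.
luks_setup_with_passphrase() {
    dev=$1; name=$2; passfile=$3
    tmpkey=$(mktemp)                  # mktemp creates the file with mode 0600
    make_tmp_keyfile "$tmpkey"
    # --batch-mode replaces the patch's `yes YES |` confirmation
    cryptsetup --batch-mode luksFormat "$dev" "$tmpkey" -c aes-cbc-essiv:sha256 -s 256
    cryptsetup luksOpen --key-file "$tmpkey" "$dev" "$name"
    # existing key via --key-file, new key as the positional key file argument:
    # the passphrase never appears on a command line or in the process list
    cryptsetup luksAddKey --key-file "$tmpkey" "$dev" "$passfile"
    # luksRemoveKey only clears the slot; the file has to be deleted separately
    cryptsetup luksRemoveKey "$dev" "$tmpkey"
    rm -f "$tmpkey"
    cryptsetup luksDump "$dev"        # expect exactly one enabled key slot
}
```

With crypttab carrying `none` as the key, as the patch already writes, the boot-time prompt compares the typed passphrase against the slot enrolled from the printf-written file, which is the case the thread needs to work.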