Automated LUKS Unlocking

Nathaniel McCallum npmccallum at redhat.com
Tue Mar 15 20:59:36 UTC 2016


Sorry for the cross-post! However, I figured it was the best way to
reach all the right people.

I'm the author of the Tang[1] project. In a nutshell, Tang provides a
way to bind an encrypted disk to a network. We currently provide
automated unlocking of the root volume (via initramfs/systemd).

However, one of our use cases is securing removable devices so that
they can only be unlocked when the host computer is on a secure
network. I have looked a bit at the code for GVFS and udisks, but it
wasn't immediately obvious to me the best way to proceed in adding
support for this. So I'm here looking for suggestions.

More or less, in order to automatically recover a disk's key we need
read access to the LUKS header and network access to perform the Tang
exchange. It would be my strong preference not to expose the metadata
in the LUKS header to unprivileged users.

I attempted to test this by provisioning a USB key using Tang. Upon
insertion, GNOME (properly) prompts for the password. If I attempt to
unlock the disk in the background during this operation, the password
prompt is properly removed. However, the disk does not appear as a
standard removable disk any more in Nautilus.

Thoughts? Suggestions?

[1] https://github.com/latchset/tang
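As an added illustration of what the post calls "the Tang exchange" (this is example code written for this page, not code from the post or from the Tang project), the following toy models why automatic recovery needs exactly two things: the metadata stored in the LUKS header and one network round trip to the server. Tang works in an elliptic-curve group; to stay standard-library-only this model uses the multiplicative group of integers modulo a constructed prime, which keeps the algebra identical in shape. The prime, the base, and every class and function name here are assumptions of the example.

```python
"""Toy model of a Tang-style blinded key-recovery exchange (constructed example).

Provisioning stores only public values in the LUKS header and discards the
client's ephemeral secret; recovery rebuilds the key from that header
metadata plus a single blinded request to the server holding the private
exponent. The server never sees the key or the stored client value.
"""
import secrets

# Constructed toy group: Mersenne prime 2**127 - 1 with base 3. Real Tang
# uses an elliptic-curve group; these parameters exist only for clarity and
# are not a secure choice.
P = 2**127 - 1
G = 3


def _rand_exponent() -> int:
    # Uniform non-zero exponent in [1, P-2].
    return secrets.randbelow(P - 2) + 1


class TangServer:
    """Holds the long-term private exponent s and publishes S = g^s."""

    def __init__(self):
        self.s = _rand_exponent()
        self.public = pow(G, self.s, P)

    def recover(self, blinded: int) -> int:
        # The only server-side operation: raise whatever it receives to s.
        # Because the input is blinded, the server learns neither C nor K.
        return pow(blinded, self.s, P)


def provision(server_public: int):
    """Bind time. Returns (key, header_metadata).

    `key` wraps a keyslot passphrase and is then forgotten; only
    `header_metadata` (server public value S and client public value C)
    is written to the LUKS header. The ephemeral exponent c is discarded.
    """
    c = _rand_exponent()
    C = pow(G, c, P)                 # client public value, stored in header
    key = pow(server_public, c, P)   # K = g^(s*c), used once and dropped
    return key, {"server_public": server_public, "client_public": C}


def recover(header_metadata: dict, server: TangServer) -> int:
    """Unlock time: needs header metadata plus one round trip to the server."""
    S = header_metadata["server_public"]
    C = header_metadata["client_public"]
    e = _rand_exponent()                       # fresh blinding factor
    X = (C * pow(G, e, P)) % P                 # blind C: X = C * g^e
    Y = server.recover(X)                      # network call: Y = X^s = C^s * S^e
    unblind = pow(pow(S, e, P), -1, P)         # (S^e)^-1 mod P
    return (Y * unblind) % P                   # K = Y / S^e = g^(s*c)


def demo() -> bool:
    """Round trip: provision against a server, then recover the same key."""
    server = TangServer()
    key, metadata = provision(server.public)
    return recover(metadata, server) == key


if __name__ == "__main__":
    print("recovered key matches:", demo())
```

The two functions map onto the post's requirements directly: `provision` is what writes the header metadata, and `recover` is the step that needs both read access to that metadata and network reachability of the right server. Recovering against a different server instance yields a different value, which is the property that ties the disk to the network rather than to the header contents alone.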


More information about the devkit-devel mailing list