My notes on making encrypted filesystems 'Just Work(tm)'
W. Michael Petullo
mike at flyn.org
Wed Dec 15 19:24:07 PST 2004
>> This is why I propose passing these parameters using pipes. Instead of
>> reading its environment, a script could read its parameters from stdin.
>> If we don't do something like this I don't know how hald would pass a
>> passphrase to methods.d/Crypto/Sesame/Setup safely.
> Right, OK, I hear you, we should think of something here. Using a pipe
> to extract arguments seems like a good idea; I'll factor that in as
> another possibility when specifying the mapping from interfaces/methods
> to binaries, including how to pass the arguments (environment,
> positional parameters, pipe or a combination) (might be specified as
> properties you can merge using a .fdi file; might be XML files - we'll
> see).
I have a prototype "Setup" script written in bash that should allow us
to discuss this portion further. Before I present the script, here is
the cryptheader I used:
================================================================================
# SESAME_MAGIC
# Required fields
version = '0'
uuid = '0123-4567-89ab-cdef'
block_key_cipher = 'aes'
block_key_sha1 = '920f002e08b3d4ff3882a8be98889af2d60b76a9'
# Required if block key is here
enc_key_cipher = 'aes'
enc_key = '53616c7465645f5f1e2a1d6798d8eb7aa3b74645d3e12138e7fa974bf06fa8cbfc0d82ec71f63ec9f38c1e0d624b0627a6ba85308ed2a3e0f288777f2c10fd35683ad952dff63603293459b98089b22c98294ff1a57a5b9ff0f74961388e0c6c2755c6b9b3d4a158a62a184df2a934066bb7793c4590096409cd9762979319cda4ead189b28176c62386013a6de4ef76d42396e668dadc9d641779e0a8db81cf'
================================================================================
And here is the script:
================================================================================
#!/bin/bash
# FILE: sesame-setup -- Configure a dm-crypt device based on information
# provided by hal. A passphrase is read from stdin.
# AUTHOR: W. Michael Petullo <mike at flyn.org>
# DATE: 15 December 2004
# FIXME: this should be provided by hal when this script is executed.
UDI=/org/freedesktop/Hal/devices/block_0123-4567-89ab-cdef
PASSPHRASE=sesame
# Read the required information from hal.
BLOCK_KEY_CIPHER=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.block_key_cipher`
BLOCK_KEY_SHA1=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.block_key_sha1`
UUID=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.uuid`
VERSION=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.version`
DEVICE=`hal-get-property --udi="$UDI" --key block.device`
# FIXME: this should be published by hal -- a 128 bit key (as hex).
# for some reason hald is not providing this information.
#
# key was created with:
#
# dd if=/dev/urandom bs=1c count=128 | openssl enc -aes-256-ecb | xxd -p
#
# passphrase is "sesame" (see PASSPHRASE defined above)
ENC_KEY="53616c7465645f5f1e2a1d6798d8eb7aa3b74645d3e12138e7fa974bf06fa8cbfc0d82ec71f63ec9f38c1e0d624b0627a6ba85308ed2a3e0f288777f2c10fd35683ad952dff63603293459b98089b22c98294ff1a57a5b9ff0f74961388e0c6c2755c6b9b3d4a158a62a184df2a934066bb7793c4590096409cd9762979319cda4ead189b28176c62386013a6de4ef76d42396e668dadc9d641779e0a8db81cf"
# Decrypt the key using the passphrase.
# FIXME: uh oh, how do I pass both passphrase and data to openssl?
KEY=`echo "$ENC_KEY" | xxd -r -p | openssl enc -d -aes-256-ecb -pass "pass:$PASSPHRASE"`
# Check to make sure hash of key matches that provided by hal.
if [ "$BLOCK_KEY_SHA1" != `echo $KEY | sha1sum | awk '{ print $1 }'` ]; then
echo key sha1 hash does not match data provided by hal >&2
exit 1
fi
# Set up the dm-crypt device.
echo setting up $DEVICE using $BLOCK_KEY_CIPHER, default hash and 128 bit key
echo "$KEY" | cryptsetup -s 128 -c "$BLOCK_KEY_CIPHER" create "${UDI##*/}" "$DEVICE"
================================================================================
--
Mike
:wq
_______________________________________________
hal mailing list
hal at lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/hal
More information about the Hal
mailing list