My notes on making encrypted filesystems 'Just Work(tm)'

W. Michael Petullo mike at
Wed Dec 15 19:24:07 PST 2004

>> This is why I propose passing these parameters using pipes.  Instead of
>> reading its environment, a script could read its parameters from stdin. 
>> If we don't do something like this I don't know how hald would pass a
>> passphrase to methods.d/Crypto/Sesame/Setup safely.

> Right, OK, I hear you, we should think of something here. Using a pipe
> to extract arguments seems like a good idea; I'll factor that in as
> another possibility when specifying the mapping from interfaces/methods
> to binaries, including how to pass the arguments (environment,
> positional parameters, pipe or a combination) (might be specified as
> properties you can merge using a .fdi file; might be XML files - we'll
> see).

I have a prototype "Setup" script written in bash that should allow us
to discuss this portion further.  Before I present the script, here is
the cryptheader I used:


# Required fields
version               = '0'
uuid                  = '0123-4567-89ab-cdef'
block_key_cipher      = 'aes'
block_key_sha1        = '920f002e08b3d4ff3882a8be98889af2d60b76a9'

# Required if block key is here
enc_key_cipher        = 'aes'
enc_key               = '53616c7465645f5f1e2a1d6798d8eb7aa3b74645d3e12138e7fa974bf06fa8cbfc0d82ec71f63ec9f38c1e0d624b0627a6ba85308ed2a3e0f288777f2c10fd35683ad952dff63603293459b98089b22c98294ff1a57a5b9ff0f74961388e0c6c2755c6b9b3d4a158a62a184df2a934066bb7793c4590096409cd9762979319cda4ead189b28176c62386013a6de4ef76d42396e668dadc9d641779e0a8db81cf'

And here is the script:


#   FILE: sesame-setup -- Configure a dm-crypt device based on information 
#         provided by hal.   A passphrase is read from stdin.
# AUTHOR: W. Michael Petullo <mike at>
#   DATE: 15 December 2004

# FIXME: this should be provided by hal when this script is executed.

# Read the required information from hal.
BLOCK_KEY_CIPHER=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.block_key_cipher`
BLOCK_KEY_SHA1=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.block_key_sha1`
UUID=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.uuid`
VERSION=`hal-get-property --udi="$UDI" --key volume.crypto_sesame.version`
DEVICE=`hal-get-property --udi="$UDI" --key block.device`

# FIXME: this should be published by hal -- a 128 bit key (as hex).
# for some reason hald is not providing this information.
# key was created with:
# dd if=/dev/urandom bs=1c count=128 | openssl enc -aes-256-ecb | xxd -p
# passphrase is "sesame" (see PASSPHRASE defined above)

# Decrypt the key using the passphrase.
# FIXME: uh oh, how do I pass both passphrase and data to openssl?
KEY=`echo "$ENC_KEY" | xxd -r -p | openssl enc -d -aes-256-ecb -pass "pass:$PASSPHRASE"`

# Check to make sure hash of key matches that provided by hal.
if [ "$BLOCK_KEY_SHA1" != `echo $KEY | sha1sum | awk '{ print $1 }'` ]; then
	echo key sha1 hash does not match data provided by hal >&2
	exit 1
fi

# Set up the dm-crypt device.
echo setting up $DEVICE using $BLOCK_KEY_CIPHER, default hash and 128 bit key
echo "$KEY" | cryptsetup -s 128 -c "$BLOCK_KEY_CIPHER" create "${UDI##*/}" "$DEVICE"
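
The FIXME in the script asks how to hand openssl both the passphrase and the data. One approach, as an added example that is not part of the original post: give openssl the passphrase on a separate file descriptor (`-pass fd:3`), which keeps it out of the argument list that `pass:` exposes, and keep the key hex-encoded so binary bytes survive shell variables. The function names and the sample key are constructed, and the SHA-1 is assumed to cover the raw key bytes.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are constructed.
# Needs openssl, xxd and sha1sum on PATH.

# _crypt MODE HEX: run openssl enc (MODE is "-e" or "-d") over HEX-encoded
# input. The passphrase is read from the caller's stdin, never from argv.
_crypt() {
    # "3<&0" keeps the caller's stdin (the passphrase pipe) open as fd 3 for
    # the group, so openssl's own stdin is free to carry the data.
    {
        printf '%s' "$2" | xxd -r -p |
            openssl enc "$1" -aes-256-ecb -pass fd:3 2>/dev/null |
            xxd -p | tr -d '\n'
    } 3<&0
}
wrap_key_hex()   { _crypt -e "$1"; }   # plaintext key hex -> enc_key hex
unwrap_key_hex() { _crypt -d "$1"; }   # enc_key hex -> plaintext key hex

# SHA-1 over the raw key bytes (assumption: block_key_sha1 is defined this way).
key_sha1() { printf '%s' "$1" | xxd -r -p | sha1sum | awk '{ print $1 }'; }

# verify_key ENC_KEY_HEX EXPECTED_SHA1, passphrase on stdin.
# Prints the key as hex and returns 0 only if its SHA-1 matches.
verify_key() {
    key_hex=$(unwrap_key_hex "$1")
    [ -n "$key_hex" ] || return 1
    [ "$(key_sha1 "$key_hex")" = "$2" ] || return 1
    printf '%s\n' "$key_hex"
}

# Round trip on constructed data: a 128-bit key that starts with a NUL byte.
demo() {
    key=00112233445566778899aabbccddeeff
    enc=$(printf 'sesame\n' | wrap_key_hex "$key")
    printf 'sesame\n' | verify_key "$enc" "$(key_sha1 "$key")"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In the Setup script, the pipe from hald would be the function's stdin and `volume.crypto_sesame.block_key_sha1` the expected hash. A wrong passphrase shows up as a hash mismatch, not as an openssl exit code, because the pipeline's status is that of its last command.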

