Re: FSFE Fellower Card + LUKS on Startup
> I think it is not a problem to decrypt the key file in the startup process, isn't it!? Is it possible to access the card reader (omnikey 4040) and the smartcard via gpg from the initrd ram disk? Has anyone ever tried it in a similar way or are there any alternatives? Finally, is there a HowTo?

I hacked this together on Debian squeeze. It might need a little work to get it working under another distribution. But I did not use LUKS; LUKS is based on passwords and I use the asymmetric crypto of the OpenPGP card, so I figured it made more sense to literally store the encryption key in a file encrypted to the card. I use the cryptsetup package for this (which also handles the LUKS drives, by the way).

The basic idea is to include the gpg binary and its libraries, especially libusb-0.1.so.4. The libraries are handled automatically by initramfs-tools, and most, if not all except for libusb, of the libraries are already in the default initramfs.

The biggest problem is that gnupg opens /dev/tty and this is not available in the initramfs. This might actually be a bug in initramfs-tools, I'm not sure. To hack a fix, I changed gnupg to open /dev/console instead. This is a hack that will only work in a very limited number of cases, so the binary I create this way is special-purpose for the initramfs. See the diff[1] below. I then use the Debian build programs to build a .deb, and from that .deb extract /usr/bin/gpg. I move that binary to /usr/local/lib/cryptsetup/gpg-console (note that gpg-console is the name of the binary, not a directory).

There are obviously different ways of compiling. I was just hacking something together and the default Debian binary was fine except for the /dev/tty thing, so I chose to build it the same way as the normal Debian binary, without even looking at other ways like a simple make.

The cryptsetup package uses entries in /etc/crypttab for the encrypted partitions. I use something like the following entry (this should be one line):

    root_crypt /dev/mapper/vg1-root /etc/gpgcryptroot/root.gpg cipher=aes-cbc-essiv:sha256,size=128,hash=plain,keyscript=/etc/gpgcryptroot/decrypt_gpg

vg1-root is the LVM logical volume root in volume group vg1.

Next are the scripts for including and using gnupg in the initramfs. They are highly initramfs-tools specific. Secondly, they are a little big to include in this mail, so I uploaded them to [2]. This also includes the diff mentioned before.

The actual decryption is done by the script /etc/gpgcryptroot/decrypt_gpg. It does a crude check to see if it is running in the initramfs. If it is not, it takes a different approach more suitable for activating partitions from a fully running system instead of the initramfs. I'll come back to that later.

The script expects a directory with at least the following files:

  pubring.gpg   A limited public-key ring, containing only the needed key that is on the smartcard.
  secring.gpg   The limited secret-key ring, again only the needed smartcard key.
  root.gpg      The key to unlock the root. The name is irrelevant (but needs to match the /etc/crypttab entry). It is just the literal key material cryptsetup expects; 16 bytes for AES-128 as above.

Optionally a gpg.conf could be placed there if it is necessary for gpg to function correctly. I placed these files at /etc/gpgcryptroot, together with the script. Please mind the access permissions on the files and the directory; gpg expects them to be secure and complains otherwise.

The decrypt_gpg script invokes the special-purpose gpg binary, and it asks for the PIN of the smartcard. The contents of the decrypted key file are passed to cryptsetup.

The final script glues together the other components with the initramfs. I derived it from /usr/share/initramfs-tools/hooks/cryptopensc from the cryptsetup package. It should be placed at /etc/initramfs-tools/hooks/cryptgpg. The /etc/crypttab entry indicates where the files pubring.gpg, secring.gpg, root.gpg and optionally gpg.conf are, and the script copies them to the initramfs. It also copies the /usr/local/lib/cryptsetup/gpg-console binary and its libraries to the initramfs.

A few final words on which partitions (mount points) can be encrypted with this hacked-together scheme. The root is the obvious target and the only one that is somewhat tested. /boot can not be encrypted. This is a fundamental limitation; unless the BIOS or boot loader can do the decryption, you will always need something unencrypted to start from. /usr, as a separate partition, can also not be encrypted without further tweaks, because the script works either in the initramfs, or in a system with /usr/bin and possibly more already mounted. For the system I use it on, everything is in one partition. It's not my normal workstation but a protected environment to do my super secret stuff in ;).

The part of the script that does access to encrypted partitions in a fully booted system expects gpg to be able to decrypt the file successfully with
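As an added example, and not the decrypt_gpg script the author uploaded to [2], here is a keyscript with the shape the message above describes: cryptsetup hands it the crypttab key field (/etc/gpgcryptroot/root.gpg) as $1, it decrypts that file with the card-bound gpg build, checks that exactly size/8 bytes came out, and writes them to stdout. The gpg-console path and the /etc/gpgcryptroot layout are taken from the mail; the /scripts/functions test for "am I in the initramfs", the use of $CRYPTTAB_OPTIONS (which Debian's cryptsetup exports to keyscripts, older versions may not) and the 256-bit fallback are my assumptions, as are the function names.

```shell
#!/bin/sh
# Added example of a cryptsetup keyscript in the spirit of
# /etc/gpgcryptroot/decrypt_gpg; this is not the script from the mail.
# cryptsetup calls a keyscript with the crypttab key field as $1 and
# reads the raw key material from its stdout.
# Assumptions not in the mail: the /dev/console build of gpg lives at
# /usr/local/lib/cryptsetup/gpg-console; the initramfs is recognised by
# the /scripts/functions file that initramfs-tools unpacks; the crypttab
# options reach the script in $CRYPTTAB_OPTIONS (absent: assume 256 bits).

set -u

GPG_CONSOLE=${GPG_CONSOLE:-/usr/local/lib/cryptsetup/gpg-console}
GPG_SYSTEM=${GPG_SYSTEM:-/usr/bin/gpg}

# Crude "are we in the initramfs" check (assumption: initramfs-tools
# always ships /scripts/functions there, a booted system has no such path).
in_initramfs() {
    [ -f /scripts/functions ]
}

# Key size in bits from a crypttab option string such as
# "cipher=aes-cbc-essiv:sha256,size=128,hash=plain,keyscript=..."; default 256.
key_bits_from_options() {
    bits=256
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case $opt in
            size=*) bits=${opt#size=} ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$bits"
}

# Decrypt the key file with the card. $1 = gpg binary, $2 = key file,
# $3 = homedir holding the trimmed pubring.gpg/secring.gpg. The PIN prompt
# comes from gpg itself (on /dev/console in the patched initramfs build).
decrypt_keyfile() {
    "$1" --homedir "$3" --quiet --decrypt "$2"
}

# With hash=plain cryptsetup uses the blob verbatim, so it must be exactly
# size/8 bytes (16 for the AES-128 entry in the mail). A wrong length means
# a wrong key or a failed setup, not a clear error, so check it here.
check_key_length() {
    want=$(($2 / 8))
    got=$(($(wc -c < "$1")))
    [ "$got" -eq "$want" ]
}

main() {
    keyfile=$1
    homedir=$(dirname "$keyfile")
    bits=$(key_bits_from_options "${CRYPTTAB_OPTIONS:-}")
    if in_initramfs; then gpg=$GPG_CONSOLE; else gpg=$GPG_SYSTEM; fi
    # Keep the plaintext key in RAM only: the initramfs root is a tmpfs;
    # on a running system point TMPDIR at one as well.
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    decrypt_keyfile "$gpg" "$keyfile" "$homedir" > "$tmp" || exit 1
    check_key_length "$tmp" "$bits" || { echo "decrypted key is not $bits bits" >&2; exit 1; }
    cat "$tmp"
}

# Only act as a keyscript when installed under that name, so the functions
# above can also be sourced and exercised from an interactive shell.
if [ "${0##*/}" = decrypt_gpg ]; then
    main "$@"
fi
```

Install it as /etc/gpgcryptroot/decrypt_gpg with the same tight permissions as the key rings beside it, and try it from the running system first: `CRYPTTAB_OPTIONS=size=128 /etc/gpgcryptroot/decrypt_gpg /etc/gpgcryptroot/root.gpg | wc -c` should ask for the card PIN and report 16. Only then rebuild the initramfs with `update-initramfs -u`; a key file that decrypts to the wrong length is much harder to diagnose from inside the initramfs.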
Re: FSFE Fellower Card + LUKS on Startup
Sorry, I have sent this message only one time. I have no idea why this happened! :-(

On Wednesday, 4 November 2009 13:10:52, gerry_lowry (alliston ontario canada (705) 250-0112) wrote:
> David ... you are sending this over and over and over ... I have this message 21 times. What's going on? Please stop. One copy is enough ... if someone has time to answer your question, they will. Thank you.
>
> ----- Original Message -----
> From: David Lais sn...@snope.org
> Sent: Tuesday, November 03, 2009 2:17 PM
> Subject: FSFE Fellower Card + LUKS on Startup
>
> > Hi GnuPG-Users, I have been testing the FSFE GnuPG smartcard in the past few days and I find it really cool! [...]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FSFE Fellower Card + LUKS on Startup
David ... you are sending this over and over and over ... I have this message 21 times. What's going on? Please stop. One copy is enough ... if someone has time to answer your question, they will. Thank you.

----- Original Message -----
From: David Lais sn...@snope.org
Sent: Tuesday, November 03, 2009 2:17 PM
Subject: FSFE Fellower Card + LUKS on Startup

> Hi GnuPG-Users, I have been testing the FSFE GnuPG smartcard in the past few days and I find it really cool! [...]
Re: FSFE Fellower Card + LUKS on Startup
On Wed, 4 Nov 2009 07:10:52 -0500 gerry_lowry (alliston ontario canada (705) 250-0112) gerry.lo...@abilitybusinesscomputerservices.com wrote:

Hello gerry_lowry,

> David ... you are sending this over and over and over ... I have this message 21 times.

I only got one copy here. Maybe a server somewhere between the ML server and your inbox snafu'd.

-- 
Regards,
rad

The blindingly obvious is never immediately apparent.

"Well you tried it just the once and found it alright for kicks"
Orgasm Addict - Buzzcocks
Re: FSFE Fellower Card + LUKS on Startup
gerry_lowry (alliston ontario canada (705) 250-0112) wrote:
> David ... you are sending this over and over and over ... I have this message 21 times. What's going on? Please stop. One copy is enough ... if someone has time to answer your question, they will.

It is likely not his fault. The last two times this has happened it's been because the GnuPG mailing list's server has run out of disk space. The server gets wedged and begins to act out in this particular way.

Let's all take a deep breath, back off, and wait for word from Werner about what happened. And let's especially not dogpile on the newcomer: that's not a very nice thing to do.

The last time the mailing list got wedged like this, I was the one who wrote the email that got sent out dozens of times. You'd be appalled at how many rude, profane and offensive messages I received from people telling me to stop spamming the list.
Re: FSFE Fellower Card + LUKS on Startup
I do hope I was not perceived as being rude. I was not intending to be rude.

Robert J. Hansen wrote in part:
> ... You'd be appalled at how many rude, profane and offensive messages I received from people telling me to stop spamming the list.

Yes, appalled but not surprised. Given the stress level of most of us, I'm not surprised that some people sometimes react in unkind ways. Thank you, Robert, for reminding us to be patient and understanding.

Gerry

Free Appointment Reminders: https://www.apprem.com
Resume: http://gerrylowryprogrammer.com
Re: FSFE Fellower Card + LUKS on Startup
On Wed, 4 Nov 2009 15:28, r...@sixdemonbag.org said:

> It is likely not his fault. The last two times this has happened it's been because the GnuPG mailing list's server has run out of disk space.

Exactly.

> The server gets wedged and begins to act out in this particular way.

Mailman figures that it was not able to send a message and retries it every hour. If Exim does not need to spool it, it sends it out to some sites but returns an error and Mailman does not know which messages have been delivered. Mailman then restarts from scratch the next hour. The deeper cause of this problem is that this Mailman does not log to the same partition as Exim and thus is not affected by the disk full error.

Right, I should do something about it. Unfortunately it always happens over the weekend or in the night. No 24/7 service for gnupg.org.

Sorry,

  Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free. Exceptions are governed by a federal law.]
Re: FSFE Fellower Card + LUKS on Startup
On Tue, 3 Nov 2009 20:17, sn...@snope.org said:

> wiki: https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption. However, in this HowTo, they use a MultiFlex Smartcard and load the key file on the card. In the startup process, the keyfile is read out and sent to LUKS. This step is really simple but how can this work with the gnupg smartcard?

Our card has 4 simple PIN protected data fields which can be used for that. I think it is not fully documented how to access them. Here are some hints:

If all 4 private DOs are set and you start gpg --card-edit, you will see

  Private DO 1 .: This is private DO 1
  Private DO 2 .: This is private DO 2

After entering the command verify, entering your PIN followed by list you get:

  Private DO 1 .: This is private DO 1
  Private DO 2 .: This is private DO 2
  Private DO 3 .: This is private DO 3

After entering the command admin verify, entering your Admin PIN followed by list you get:

  Private DO 1 .: This is private DO 1
  Private DO 2 .: This is private DO 2
  Private DO 3 .: This is private DO 3
  Private DO 4 .: This is private DO 4

Thus you can see that DO 1 and 2 are always readable; thus not usable for your application. DO 3 is readable after presenting the PIN and DO 4 is readable after presenting the Admin PIN.

Now let us change a DO:

  Command privatedo 1
  Private DO data: Changed DO 1

You had to enter your PIN for that to work. With DO 2 you need the Admin PIN. Same goes for DO 3 (PIN) and DO 4 (Admin PIN). Thus for your application I suggest to use DO 3. You may store up to 254 bytes there (some cards even more). You may also read data in from a file:

  Command privatedo 1 FILE

To read this out and ask for a passphrase you need to write some code which runs gpg --command-fd N --with-colons --status-fd M --edit-card. An easier way to do this is to use gpg-agent or just scdaemon:

  $ gpg-connect-agent
  scd getattr PRIVATE-DO-1
  S PRIVATE-DO-1 Changed+DO+1
  OK

If you would have asked for DO 3 the Pinentry would have popped up and asked you for the PIN. With scdaemon you leave out the scd but you must be prepared to return the PIN on request (as reply to an INQUIRY line).

> I think it is not a problem to decrypt the key file in the startup process, isn't it!? Is it possible to access the card reader (omnikey 4040) and the smartcard via gpg from the initrd ram disk? Has anyone ever tried it in a

I have no experience with initrd.

Another option would be to wait a while and use the new g13 tool which is part of the new development branch of GnuPG. It is fully integrated into GnuPG and provides a platform independent replacement for LUKS. For now only Encfs is supported but the system is designed to support all kinds of backends (even one on top of LUKS is possible). The advantage of G13 is that you use real public key cryptography and thus your actual private key never leaves the card - it is only used to encrypt the bulk encryption key(s).

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
[Thoughts are free. Exceptions are governed by a federal law.]
FSFE Fellower Card + LUKS on Startup
Hi GnuPG-Users,

I have been testing the FSFE GnuPG smartcard in the past few days and I find it really cool! However, I have some more questions regarding the card.

I have encrypted all of my linux partitions with LUKS and it works really great. Next, I would like to integrate the GnuPG card into the boot process in order to encrypt or to provide the key file. I found a Howto in the ubuntu wiki: https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption. However, in this HowTo, they use a MultiFlex Smartcard and load the key file on the card. In the startup process, the keyfile is read out and sent to LUKS. This step is really simple but how can this work with the gnupg smartcard?

I think it is not a problem to decrypt the key file in the startup process, isn't it!? Is it possible to access the card reader (omnikey 4040) and the smartcard via gpg from the initrd ram disk? Has anyone ever tried it in a similar way or are there any alternatives? Finally, is there a HowTo?

I would be very happy for any kind of information.

Thanks,
David