Your message dated Mon, 20 Jul 2009 02:35:08 +0200
with message-id <[email protected]>
and subject line requested features have been added with passdev keyscript 
(2:1.0.6-2)
has caused the Debian Bug report #471727,
regarding cryptsetup: out-of-the-box support for using an USB stick as a key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
471727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471727
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cryptsetup
Version: 2:1.0.6~pre1+svn45-1
Severity: wishlist


I'd like to be able to use a small USB stick as a physical "key" to my
system. There are various mini-HOWTOs and keyscripts floating around
that describe people's custom implementations of this but I think
having this as a supported feature in Debian would be better than a
bunch of custom solutions.

The following functionality would be needed:

1) A small tool that prepares a USB stick (or other removable media)
to be used as the "key". There are of course various ways to put the key
onto the media; at the moment I'm favouring

- wipe the stick using badblocks -w -t random or dd if=/dev/urandom
- make a filesystem on the stick, possibly on a partition if it is
  customary to partition them. This would probably be VFAT. The
  partition / filesystem should be *slightly smaller* than the media,
  leaving a few bytes of space, probably at the end.
- put a UUID / magic number at the start of the free space
- create the key(s) by dd-ing it / them directly from /dev/random to the free
  space on the media at intervals.
- add this key as a luks key.

2) A keyscript that looks for the UUID / magic number on candidate
media and reads the appropriate key. The key field in /etc/crypttab
that's passed as the parameter would be of the form 'UUID:keynumber'.

The keyscript should fall back to passphrase input on console when the
correct key is not found. That adds a safety net for a lost USB key IF
you have a passphrase key defined as well.

I realize this scheme is rather elaborate; I'd settle for a documented
and shipped-by-default keyscript that can mount partitions by
(filesystem) UUID and read the key from there.


Regards,

C.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cryptsetup depends on:
ii  dmsetup                      2:1.02.24-3 The Linux Kernel Device Mapper use
ii  libc6                        2.7-6       GNU C Library: Shared libraries
ii  libdevmapper1.02.1           2:1.02.24-3 The Linux Kernel Device Mapper use
ii  libpopt0                     1.10-3      lib for parsing cmdline parameters
ii  libuuid1                     1.40.6-1    universally unique id library

cryptsetup recommends no packages.

-- no debconf information



--- End Message ---
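
The lookup that point 2 of the report above asks for, parsing a 'UUID:keynumber' key field and reading the matching key from the unpartitioned tail of a candidate medium, is sketched below as an added example; it is not code from the report or from the cryptsetup package. The trailer layout, the sizes and all function names are assumptions made for illustration.

```sh
# Assumed layout (hypothetical, not from the report or from cryptsetup):
# the last TRAILER bytes of the media lie outside the filesystem; they begin
# with a 36-character UUID as the magic number, and key N (KEYLEN random
# bytes) is stored SLOT*(N+1) bytes after the start of the trailer.
TRAILER=4096 SLOT=512 KEYLEN=32

# Size in bytes. wc suits the image files used here; a real block device
# would need "blockdev --getsize64" instead.
media_size() { wc -c < "$1" | tr -d ' '; }

# read_key DEV UUID N: write key N to stdout; return 1 if DEV lacks the
# expected magic number or N is not a usable slot number.
read_key() {
    dev=$1 uuid=$2 n=$3
    case $n in ''|*[!0-9]*|0?*|?????*) return 1 ;; esac
    [ $(( (n + 2) * SLOT )) -le "$TRAILER" ] || return 1
    size=$(media_size "$dev") || return 1
    [ "$size" -ge "$TRAILER" ] || return 1
    base=$(( size - TRAILER ))
    magic=$(dd if="$dev" bs=1 skip="$base" count=36 2>/dev/null | tr -d '\000')
    [ "$magic" = "$uuid" ] || return 1
    dd if="$dev" bs=1 skip=$(( base + SLOT * (n + 1) )) count="$KEYLEN" 2>/dev/null
}

# keyscript_main SPEC DEV...: SPEC is the crypttab key field in the
# 'UUID:keynumber' form; DEVs are candidate media. Returns 1 when no
# candidate matches, so the caller can fall back to a passphrase prompt.
keyscript_main() {
    spec=$1; shift
    uuid=${spec%:*} n=${spec##*:}
    [ "$uuid" != "$spec" ] || return 1   # key field has no ':'
    for dev in "$@"; do
        [ -r "$dev" ] || continue
        read_key "$dev" "$uuid" "$n" && return 0
    done
    return 1
}

# make_sample_media FILE UUID: constructed 16 KiB test image carrying the
# magic number and random keys in slots 0 and 1.
make_sample_media() {
    dd if=/dev/zero of="$1" bs=1024 count=16 2>/dev/null
    base=$(( 16384 - TRAILER ))
    printf %s "$2" | dd of="$1" bs=1 seek="$base" conv=notrunc 2>/dev/null
    for i in 0 1; do
        dd if=/dev/urandom of="$1" bs=1 count="$KEYLEN" conv=notrunc \
           seek=$(( base + SLOT * (i + 1) )) 2>/dev/null
    done
}
```

cryptsetup passes the crypttab key field to a keyscript as its first argument and uses whatever the script writes to stdout as the key, so nothing is printed on a failed match.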
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:1.0.6-2

Hello,

The features that had been requested in the bug report were added to the
cryptsetup package with the inclusion of the passdev keyscript.

greetings,
 jonas


--- End Message ---
