Your message dated Thu, 16 Mar 2006 16:32:09 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#350615: fixed in cryptsetup 2:1.0.2+1.0.3-rc3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: cryptsetup
Version: 20050111-4
Severity: wishlist
In the attachment is a patch and a tool.
The patch includes support for using encrypted ssl-key/s during the boot-up
process. The modified initscript will then ask for a password and
decrypt it in a defined $PATH which is mounted as a tmpfs. If there are
more keys with the same encrypted password, the initscript will ask
only once. The other modification is from the /etc/init.d/lvm-common script.
It changes the usermod in /dev/mapper/<cdisks>.
The tool creates a double-encrypted key with 'openssl' for use with the
cryptsetup initscript.
--
Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What cannot fly cannot crash either.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff -ruN old/etc/default/cryptdisks new/etc/default/cryptdisks
--- old/etc/default/cryptdisks 2005-11-15 00:12:49.000000000 +0100
+++ new/etc/default/cryptdisks 2006-01-22 21:53:45.000000000 +0100
@@ -1,2 +1,21 @@
# Run cryptdisks at startup ?
CRYPTDISKS_ENABLE=Yes
+
+# Path where the keys are.
+SRCPATH=/etc/disk-keys
+
+# Path for the keys which are declared in /etc/crypttab.
+DSTPATH=/tmp
+
+# Keys to use
+#KEYS="backups.key home.key var.key"
+
+# The format of /dev/mapper/<device> is
+# MODE_<device>="<user>:<group> <mode>"
+#
+# eg:
+#
+# MODE_cswap="root:disk 660"
+#
+# Sets the protection of /dev/mapper/cswap to 0660 and makes it owned by user
+# "root" and group "disk".
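Review bot: DSTPATH=/tmp is a risky default for the plaintext keys, because the init script mounts a tmpfs on $DSTPATH and later runs "umount -f $DSTPATH", so with this value it mounts over and force-unmounts the system /tmp. Suggest defaulting to a dedicated directory used for nothing else and saying so in the comment. The MODE_ comment should also document that the part after MODE_ is a variable name, and that the script turns each underscore in it into a hyphen when it builds the /dev/mapper path.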
diff -ruN old/etc/init.d/cryptdisks new/etc/init.d/cryptdisks
--- old/etc/init.d/cryptdisks 2005-11-15 00:12:49.000000000 +0100
+++ new/etc/init.d/cryptdisks 2006-01-30 18:51:59.000000000 +0100
@@ -12,6 +12,10 @@
# Default-Start: S
# Default-Stop: 0 6
### END INIT INFO
+#
+# Modified by Markus Nass <[EMAIL PROTECTED]>
+# to use double encrypted key/s by 'openssl'.
+#
CRYPTCMD=/sbin/cryptsetup
DEVMAPCMD=/sbin/dmsetup
@@ -32,8 +36,52 @@
$DEVMAPCMD mknodes
+decrypt() {
+ OLDUMASK=`umask`
+ umask 0077
+
+ for KEY in $KEYS; do
+ while ( ! openssl enc -aes256 -d -salt -in $SRCPATH/$KEY \
+ -out $DSTPATH/$KEY.tmp -k $PASSWORD > /dev/null 2>&1 );
do
+ echo -n "Password of '$SRCPATH/$KEY': "
+ read -s PASSWORD; echo
+
+ if [ "$PASSWORD" = "" ]; then
+ return 0
+ fi
+ done
+
+ while ( ! openssl dsa -in $DSTPATH/$KEY.tmp -out $DSTPATH/$KEY \
+ -passin pass:$PASSWORD > /dev/null 2>&1 ); do
+ echo -n "Password of '$DSTPATH/$KEY.tmp': "
+ read -s PASSWORD; echo
+
+ if [ "$PASSWORD" = "" ]; then
+ return 0
+ fi
+ done
+ done
+
+ rm -f $DSTPATH/*.key.tmp
+ PASSWORD=""
+ umask $OLDUMASK
+}
+
case "$1" in
start)
+ if [ ! "$KEYS" = "" ]; then
+ # Important to decrypt the disk-keys.
+ if [ "$(grep -c "\/usr" /etc/fstab)" = "1" ] && \
+ [ "$(grep -c "\/usr" /etc/mtab)" = "0" ]; then
+ mount /usr
+ touch /mounted
+ fi
+
+ mount -t tmpfs tmpfs $DSTPATH > /dev/null 2>&1
+
+ test -f /usr/bin/openssl && decrypt
+ fi
+
echo -n "Starting crypto disks:"
egrep -v "^[[:space:]]*(#|$)" $TABFILE | while read dst src key opt; do
echo -n " $dst"
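Review bot: in decrypt() the passphrase is passed to openssl on the command line ("-k $PASSWORD" and "-passin pass:$PASSWORD"), which exposes it in the process list while openssl runs; openssl's pass phrase options also accept stdin, fd:N or file: sources, and one of those should be used instead. Both "return 0" exits on an empty password leave the umask at 0077 and the $KEY.tmp files in place, and "rm -f $DSTPATH/*.key.tmp" only matches keys whose names end in .key; remove "$DSTPATH/$KEY.tmp" per key and restore the umask on every exit path. In start), the result of "mount -t tmpfs tmpfs $DSTPATH" is thrown away, so if the mount fails decrypt() writes the decrypted keys into whatever directory is underneath; check the exit status and skip decrypt on failure. $SRCPATH, $DSTPATH, $KEY and $PASSWORD should be quoted throughout.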
@@ -161,6 +209,29 @@
fi
fi
done
+
+ for MODEVAR in ${!MODE_*}; do
+ eval MODE=\$$MODEVAR
+ DEV=${MODEVAR//_/-}
+ DEV="/dev/mapper/${DEV#MODE-}"
+ MOD=${MODE#* }
+ OWN=${MODE% *}
+ chmod $MOD $DEV
+ chown $OWN $DEV
+ done
+
+ for KEY in $KEYS; do
+ rm -f $DSTPATH/$KEY
+ done
+
+ umount -f $DSTPATH > /dev/null 2>&1
+
+ # Important to check and repair the file system.
+ if [ -f /mounted ]; then
+ umount -f /usr
+ rm -f /mounted
+ fi
+
echo "."
;;
stop)
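Review bot: the MODE_ loop rewrites every underscore in the variable name to a hyphen ("DEV=${MODEVAR//_/-}"), so a mapping whose name contains an underscore can never be matched; document the restriction or take the device name from the value rather than from the variable name. chmod and chown then run on $DEV without a check that the node exists, and $MOD, $OWN and $DEV are unquoted. "${!MODE_*}" and "${MODEVAR//_/-}" are bash-only expansions and will fail if the script is run by a POSIX /bin/sh. The "umount -f $DSTPATH" result is discarded as well; if it fails, nothing reports that the key directory is still mounted.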
createkey.gz
Description: Binary data
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: cryptsetup
Source-Version: 2:1.0.2+1.0.3-rc3-1
We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:
cryptsetup_1.0.2+1.0.3-rc3-1.diff.gz
to pool/main/c/cryptsetup/cryptsetup_1.0.2+1.0.3-rc3-1.diff.gz
cryptsetup_1.0.2+1.0.3-rc3-1.dsc
to pool/main/c/cryptsetup/cryptsetup_1.0.2+1.0.3-rc3-1.dsc
cryptsetup_1.0.2+1.0.3-rc3-1_i386.deb
to pool/main/c/cryptsetup/cryptsetup_1.0.2+1.0.3-rc3-1_i386.deb
cryptsetup_1.0.2+1.0.3-rc3.orig.tar.gz
to pool/main/c/cryptsetup/cryptsetup_1.0.2+1.0.3-rc3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Meurer <[EMAIL PROTECTED]> (supplier of updated cryptsetup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 17 Mar 2006 00:42:41 +0100
Source: cryptsetup
Binary: cryptsetup
Architecture: source i386
Version: 2:1.0.2+1.0.3-rc3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Cryptsetup Team <[EMAIL PROTECTED]>
Changed-By: Jonas Meurer <[EMAIL PROTECTED]>
Description:
cryptsetup - configures encrypted block devices
Closes: 258376 350615 353755 354910 355156 356288 356484
Changes:
cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low
.
[ Jonas Meurer ]
* new upstream release candidate:
- fixes sector size of the temporary mapping (closes: #355156)
- more verbose error logging (closes: #353755, #356288, #258376)
- upstream accepted my patches to the manpage
* fixed spelling error in README.Debian
* removed debian/cryptsetup.sgml, outdated
* ran ispell against doc files in debian/, fixed many typos
* change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt
(closes: #354910)
* add --build (and maybe even --host) to configure flags, for
cross-compiling
* remove debian/luksformat.8 in clean target
* fix bashism in cryptdisks. thanks to Michal Politowski
<[EMAIL PROTECTED]> (closes: #356484)
* add support for openssl encrypted keys, based on a patch by General Stone
<[EMAIL PROTECTED]> (closes: #350615)
* add some code to support gnupg encrypted keys, some parts are missing.
Files:
666fbc7bccc3d73f8966a9053f5cf765 828 admin optional
cryptsetup_1.0.2+1.0.3-rc3-1.dsc
a68c7bc8e96b7e0e9865dfabcfd76033 421895 admin optional
cryptsetup_1.0.2+1.0.3-rc3.orig.tar.gz
4311a7f03c611b292202352582043c16 26703 admin optional
cryptsetup_1.0.2+1.0.3-rc3-1.diff.gz
585f445fd5a6e539ed93337494b887f7 235288 admin optional
cryptsetup_1.0.2+1.0.3-rc3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEGfnmd6lUs+JfIQIRAoqWAJ9WjnqR8+CLDTjqAB7bxoKVmujwfACfW8lC
AFNvfITIHLpD/uWPw1jYfsM=
=RAM3
-----END PGP SIGNATURE-----
--- End Message ---