openFATE - openSUSE feature tracking > #302628

Access to encrypted devices/partitions by dongle

Feature state

  • openSUSE-11.0: Rejected
  • openSUSE-11.1: Rejected
  • openSUSE-11.2: Done

Description

Think of the following scenario: You store your files on an encrypted partition and if you want to access them you just insert your USB stick, flash card or whatever and gain access to your files. Another thought would be to encrypt the whole system and the only possibility to access it is via dongle.

Relations

Discussion


G. P. wrote: (10 years ago)

Michele (desktop) / Matthias (storage) what do you think about this?

M. L. wrote: (10 years ago)

Nice to have but I miss a business case.

S. K. wrote: (10 years ago)

the business case of such a feature only works if you have a company to sell those dongle sticks I'd say. And those dongle vendors prefer custom boot loaders from those I know. So I don't think a solution with a stick that can be easily copied by dd is preferable and I would rather reject this.

G. L. wrote: (10 years ago)

It's my understanding that Chris' work would allow for this to happen.

This would be very neat indeed, we have discussed this with several customers who expressed interest. Using a simple USB key would be one inexpensive way to make this work.

One alternative that a customer asked was to have the ability to unlock the data using certificates stored within a smart card.

S. K. wrote: (9 years ago)

Chris' work? I fail to see the context.

G. L. wrote: (9 years ago)

I do believe that Chris' work would be good for us to leverage; however, I do not know the details and could be wrong since it has been a few months now since we last talked about this.
Chris, would you be able to assist me by providing insights on ways we could address this?

C. R. wrote: (9 years ago)

If you set up an encrypted home directory with cryptconfig it defaults to creating an encrypted container and a key file. The key file can reside anywhere, including removable media. If you use removable media you need to set up an fstab entry using the device label or device UUID to ensure that the dongle gets mounted automatically and the key file is in the right location.

S. K. wrote: (9 years ago)

ok, just talked with Chris about this feature. We have no resources for yast work any more and the work required seems to be this:

"so it would just mean moving the .key file to the media, changing the .key file location in pam_mount.conf, and adding an fstab entry" (quoting Chris). So this would be either put in a README or we wait for SPx.
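
The key-file-on-removable-media setup described in the two comments above depends on a stable fstab entry and a protected key file. The following is an added example, not part of the thread or of openSUSE's tooling, that audits both; the mount options it requires (ro, nosuid, nodev, noexec) and the sample label and paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a key-on-dongle setup.
# The mount options required below are this example's assumption.

# check_dongle_fstab FSTAB MOUNTPOINT
# Prints one finding per line; returns 0 only if an entry for MOUNTPOINT
# exists, names the device by label/UUID, and carries the expected options.
check_dongle_fstab() {
    found=0 bad=0
    while read -r spec dir _fstype opts _rest; do
        case $spec in ''|'#'*) continue ;; esac
        [ "$dir" = "$2" ] || continue
        found=1
        case $spec in
            LABEL=*|UUID=*|/dev/disk/by-label/*|/dev/disk/by-uuid/*) ;;
            *) echo "unstable device name: $spec"; bad=1 ;;   # e.g. /dev/sdb1
        esac
        for want in ro nosuid nodev noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "missing mount option: $want"; bad=1 ;;
            esac
        done
    done < "$1"
    [ "$found" -eq 1 ] || { echo "no fstab entry for $2"; return 1; }
    return "$bad"
}

# check_keyfile PATH
# The key file must be a regular file (no symlink) without group/other access.
check_keyfile() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "not a regular file: $1"; return 1
    fi
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other access: $perms"; return 1; }
}

# Demo on constructed sample data (label KEYSTICK and paths are made up).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    'LABEL=KEYSTICK /media/keystick vfat ro,nosuid,nodev,noexec 0 0' \
    '/dev/sdb1 /media/oldstick vfat defaults 0 0' > "$demo/fstab"
check_dongle_fstab "$demo/fstab" /media/keystick && echo "keystick entry OK"
check_dongle_fstab "$demo/fstab" /media/oldstick || echo "oldstick entry rejected"
rm -rf "$demo"
```

On VFAT media the key file's permission bits come from the mount's umask options rather than from the file itself, so run `check_keyfile` against the mounted path.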

S. K. wrote: (9 years ago)

any objection against opening this to openSUSE.org?

M. M. wrote: (9 years ago)

no, done

S. K. wrote: (10 years ago)

I still have no clear picture of what cryptfs setups we're going to support - there are various fate entries about it: e.g. 302981 and 301352. So I would like PM to sort this out - and I personally think it's too late for 11.0.

M. E. wrote: (10 years ago)

In an ideal world we would support:

  • TPM (incl. fingerprint readers etc.)
  • Smart Cards
  • simple devices with key on (USB sticks, memory cards)
  • passphrase (as today)
  • (optional) integration with a directory (LDAP, eDirectory, ...)

M. G. wrote: (9 years ago)

Hi,

because I just need to unlock my root partition via USB stick I have built an rpm for it:
http://download.opensuse.org/repositories/home:/mgoppold/openSUSE_11.1/x86_64/cryptsetup-1.0.5_SVNr46_luks_key-64.1.x86_64.rpm
The main changes are in
/lib/mkinitrd/scripts/{setup,boot}-luks.sh and the new /etc/sysconfig/initrd.luks_key.
The LUKS-Keyfile should be on a labeled or UUIDed USB-Stick. You can unlock all partitions with a master key or define a separate one for every luks_device.
The approach is certainly not the best but there is no keyscript in /etc/crypttab yet (why not?).

L. N. wrote: (9 years ago)

mind creating a patch against
http://git.opensuse.org/?p=projects/boot.crypto.git;a=summary
so I can have a look?
I'm not really fond of supporting the keyscript option but since debian now uses that askpass program that I like to integrate we'd basically get keyscript support for free at least wrt boot.crypto. For YaST it would be between hard and impossible to support as one can never know what the keyscript does.

M. G. wrote: (9 years ago)

Have a look at

M. G. wrote: (9 years ago)

I have made some little updates:

  • There is no need to add /dev/mapper/swap and /dev/mapper/what_else to setup-storage.sh or /boot/grub/menu.lst
  • If the key-File is not within the luks-Container there is now a prompt fallback.
  • I added ext3 and jbd modules to have the Key on ext3 formatted USB-Sticks

The new version is Build 77

M. M. wrote: (8 years ago)

Mario, It would really help us if you could provide a patch against the current git state.

The patch does not apply to current :(

(Ludwig is not in the office this and next week, will get back in 2 weeks.)

M. G. wrote: (8 years ago)

The new patch against the boot.crypto-2acb4efc564ca9af8e97162110987289f1206f11.tar.gz from 13.07.2009 is done. You can find it in my OBS:

M. G. wrote: (8 years ago)

Now, it builds on Factory too.

M. N. wrote: (8 years ago)

Certainly a nice feature and as I understand it is close to ready. Since I like the innovation and do agree that crypto FS features and the corresponding identity issues are highly important, I set to "Important". If I had a real business case I would even consider "Mandatory".

S. K. wrote: (8 years ago)

Marcus is on vacation this week, so I talked to Ludwig and the feature as it is makes it _possible_ to implement your own keyscript (see #16). This does not make it enterprise ready at all as it's not supported at all by the system beyond that. So please reject for SP1. Perhaps we get a matured version for SLE12.

M. M. wrote: (8 years ago)

Ludwig, can we proceed?

L. N. wrote: (8 years ago)

I've submitted boot.crypto with support for a debian compatible keyscript option to Factory. passdev.c from debian or an equivalent still needs to be packaged.

M. M. wrote: (8 years ago)

can we mark it done?

L. N. wrote: (8 years ago)

yes, marking as done. There is no and never will be an option in yast to configure it. Neither do we have a ready made script. The boot.crypto infrastructure supports the necessary hooks for anyone to write custom unlock methods though.

Last change: 8 years ago
Voting
Score: 8
  • Negative: 0
  • Neutral: 1
  • Positive: 8