[opensuse] decrypting LUKS partitions without passphrase
Hi all,

I have my root, swap and home partitions encrypted with LUKS as described in http://en.opensuse.org/Encrypted_Root_File_System and it works great on openSUSE 10.3.

When I fire up my computer, I have to enter three passphrases to decrypt the three partitions. This is of course unavoidable for the root partition but it should be possible to use keys stored on this partition to decrypt the swap and home partitions and thus to avoid entering two more passphrases.

I tried to accomplish this for the swap partition by

dd if=/dev/random of=/etc/keys/swap.key bs=1 count=256
cryptsetup luksAddKey /dev/sda6 /etc/keys/swap.key

and then putting the following line in /etc/crypttab:

swap /dev/sda6 /etc/keys/swap.key luks

but at boot time, the system keeps asking for three passphrases.

Am I overlooking something?

Regards,
Paul.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
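As an added example (not part of the thread and not the openSUSE boot scripts), the following POSIX sh script does the two things a practitioner would want to verify before trusting a keyfile entry like Paul's: it generates a keyfile that is never readable by anyone but its owner, and it checks a crypttab line of the form "name device keyfile options" for the common mistakes (keyfile missing, keyfile readable by group or others). It never calls cryptsetup or touches a block device; the device names and paths in the demo are constructed, and /dev/urandom is used in place of /dev/random so the script does not block waiting for entropy.

```shell
#!/bin/sh
# Added example, not from the thread: create a LUKS keyfile with safe
# permissions and sanity-check a keyfile-style /etc/crypttab line such as
#   swap /dev/sda6 /etc/keys/swap.key luks
# Nothing here touches a block device or runs cryptsetup; the paths used in
# the demo at the bottom are constructed for illustration.

# make_keyfile DIR NAME BYTES
# Writes BYTES random bytes to DIR/NAME, creating DIR if needed, so that the
# file is readable only by its owner (mode 0400 inside a mode 0700 directory).
# /dev/urandom is used instead of /dev/random so the script never blocks.
make_keyfile() {
    dir=$1; name=$2; bytes=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask in a subshell so the file is never, even briefly, world-readable
    ( umask 077 && head -c "$bytes" /dev/urandom > "$dir/$name" ) || return 1
    chmod 400 "$dir/$name"
}

# keyfile_size FILE: size in bytes, without the padding some wc builds print.
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# check_crypttab_line "NAME DEVICE [KEYFILE] [OPTIONS]"
# Returns 0 when the entry names a usable keyfile (or says "none", meaning a
# passphrase prompt is expected), 1 when the keyfile is missing or readable
# by group/others.  A keyfile that any local user can read gives that
# volume no protection at all once the machine is running.
check_crypttab_line() {
    # shellcheck disable=SC2086
    set -- $1
    if [ $# -lt 2 ]; then
        echo "malformed line: need at least a name and a device"
        return 1
    fi
    name=$1; dev=$2; key=${3:-none}
    if [ "$key" = none ]; then
        echo "$name ($dev): no keyfile, boot will prompt for a passphrase"
        return 0
    fi
    if [ ! -f "$key" ]; then
        echo "$name ($dev): keyfile $key does not exist"
        return 1
    fi
    # columns 5-10 of ls -l output are the group and other permission bits
    perm=$(ls -ld "$key" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "$name ($dev): keyfile $key is readable by group/others ($(ls -ld "$key" | cut -c1-10))"
        return 1
    fi
    echo "$name ($dev): keyfile $key ok"
    return 0
}

# Demo with constructed paths; run as: sh check_crypttab.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_keyfile "$tmp/keys" swap.key 256
    echo "generated $(keyfile_size "$tmp/keys/swap.key")-byte keyfile"
    check_crypttab_line "swap /dev/sda6 $tmp/keys/swap.key luks"
    check_crypttab_line "home /dev/sda7 none luks"
    chmod 644 "$tmp/keys/swap.key"
    check_crypttab_line "swap /dev/sda6 $tmp/keys/swap.key luks"
    rm -rf "$tmp"
fi
```

What the script cannot check is the ordering problem that any keyfile scheme has: the file has to live on a filesystem that is already unlocked and mounted at the moment the boot scripts process that crypttab entry, otherwise they have nothing to read and fall back to a prompt. That is a property of the distribution's boot integration rather than of the crypttab line itself, so it is something to confirm separately on the system in question.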
On Saturday 03 May 2008 10.36:38, PaulFransen wrote:
Hi all,
I have my root, swap and home partitions encrypted with LUKS as described in http://en.opensuse.org/Encrypted_Root_File_System and it works great on openSUSE 10.3.
When I fire up my computer, I have to enter three passphrases to decrypt the three partitions. This is of course unavoidable for the root partition but it should be possible to use keys stored on this partition to decrypt the swap and home partitions and thus to avoid entering two more passphrases.
I tried to accomplish this for the swap partition by dd if=/dev/random of=/etc/keys/swap.key bs=1 count=256 cryptsetup luksAddKey /dev/sda6 /etc/keys/swap.key and then putting the following line in /etc/crypttab: swap /dev/sda6 /etc/keys/swap.key luks but at boot time, the system keeps asking for three passphrases.
Am I overlooking something?
Regards,
Paul.
I had the same problem. Here's how I achieved the desired:
http://lists.opensuse.org/opensuse/2008-04/msg02199.html

regards
Daniel

-- 
Daniel Bauer photographer Basel Switzerland
professional photography: http://www.daniel-bauer.com
erotic art photos: http://www.bauer-nudes.com/en/linux.html
Madagascar special: http://www.fotograf-basel.ch/madagascar/
On Saturday 03 May 2008 10:56:53 Daniel Bauer wrote:
On Saturday 03 May 2008 10.36:38, PaulFransen wrote:
Hi all,
I have my root, swap and home partitions encrypted with LUKS as described in http://en.opensuse.org/Encrypted_Root_File_System and it works great on openSUSE 10.3.
When I fire up my computer, I have to enter three passphrases to decrypt the three partitions. This is of course unavoidable for the root partition but it should be possible to use keys stored on this partition to decrypt the swap and home partitions and thus to avoid entering two more passphrases.
I tried to accomplish this for the swap partition by dd if=/dev/random of=/etc/keys/swap.key bs=1 count=256 cryptsetup luksAddKey /dev/sda6 /etc/keys/swap.key and then putting the following line in /etc/crypttab: swap /dev/sda6 /etc/keys/swap.key luks but at boot time, the system keeps asking for three passphrases.
Am I overlooking something?
Regards,
Paul.
I had the same problem. Here's how I achieved the desired:
http://lists.opensuse.org/opensuse/2008-04/msg02199.html
regards
Daniel
Hi Daniel,

I followed your description and it worked very well. For my company's documentation, I had to write a HOWTO which I am enclosing here.

Best regards,
Paul.
On Mon, May 12, 2008 at 12:37 AM, PaulFransen
Hi Daniel,
I followed your description and it worked very well. For my company's documentation, I had to write a HOWTO which I am enclosing here.
Best regards,
Paul.
Nicely done.....

-- 
----------JSA---------
PaulFransen wrote:
Hi all,
I have my root, swap and home partitions encrypted with LUKS as described in http://en.opensuse.org/Encrypted_Root_File_System and it works great on openSUSE 10.3.
When I fire up my computer, I have to enter three passphrases to decrypt the three partitions. This is of course unavoidable for the root partition but it should be possible to use keys stored on this partition to decrypt the swap and home partitions and thus to avoid entering two more passphrases.
I tried to accomplish this for the swap partition by dd if=/dev/random of=/etc/keys/swap.key bs=1 count=256 cryptsetup luksAddKey /dev/sda6 /etc/keys/swap.key and then putting the following line in /etc/crypttab: swap /dev/sda6 /etc/keys/swap.key luks but at boot time, the system keeps asking for three passphrases.
Am I overlooking something?
Is there a specific reason you are encrypting swap?
Regards,
Paul.
The Saturday 2008-05-03 at 18:08 -0400, Sam Clemens wrote:
Is there a specific reason you are encrypting swap?
It is standard procedure.

Think: your portable is hibernated and then stolen.

Hint: The password to the mounted encrypted partition is in clear text in memory, thus, in the swap. And anything you may have opened.

-- 
Cheers,
Carlos E. R.
Carlos E. R. wrote:
The Saturday 2008-05-03 at 18:08 -0400, Sam Clemens wrote:
Is there a specific reason you are encrypting swap?
It is standard procedure.
Think: your portable is hibernated and then stolen.
Hint:
The password to mounted encrypted partition is in clear text in memory, thus, in the swap. And any thing you may have opened.
Hint.. if your portable is hibernated, then when the thief restarts it, all of your partitions are already mounted with good passwords, and can be perused by merely doing

$ strings /dev/kmem | more
$ strings /dev/mem | more

or alternatively

$ for f in /proc/*/mem
do
    strings $f | less
done
On Sat, May 3, 2008 at 6:56 PM, Sam Clemens
Carlos E. R. wrote:
The Saturday 2008-05-03 at 18:08 -0400, Sam Clemens wrote:
Is there a specific reason you are encrypting swap?
It is standard procedure.
Think: your portable is hibernated and then stolen.
Hint:
The password to mounted encrypted partition is in clear text in memory, thus, in the swap. And any thing you may have opened.
Hint.. if your portable is hibernated, then when the thief restarts it, all of your partitions are already mounted with good passwords, and can be perused by merely doing
$ strings /dev/kmem | more
$ strings /dev/mem | more
Only if you are in the habit of hibernating your laptop while running as root. Who does that anyway?

-- 
----------JSA---------
John Andersen wrote:
On Sat, May 3, 2008 at 6:56 PM, Sam Clemens
wrote: Carlos E. R. wrote:
The Saturday 2008-05-03 at 18:08 -0400, Sam Clemens wrote:
Is there a specific reason you are encrypting swap?
It is standard procedure.
Think: your portable is hibernated and then stolen.
Hint:
The password to mounted encrypted partition is in clear text in memory, thus, in the swap. And any thing you may have opened.
Hint.. if your portable is hibernated, then when the thief restarts it, all of your partitions are already mounted with good passwords, and can be perused by merely doing
$ strings /dev/kmem | more
$ strings /dev/mem | more
Only if you are in the habit of hibernating your laptop while running as root. Who does that anyway?
Having physical access to the laptop, "local exploits" are not in play. Any "local exploit" can be accomplished by running code installed by a user into his/her home directory. Thus, getting root is not a terribly difficult thing for a reasonably knowledgeable attacker.

And of course, the Firewire/IEEE 1394 port is completely insecure.
The Saturday 2008-05-03 at 21:56 -0400, Sam Clemens wrote:
Is there a specific reason you are encrypting swap?
It is standard procedure.
Think: your portable is hibernated and then stolen.
Hint:
The password to mounted encrypted partition is in clear text in memory, thus, in the swap. And any thing you may have opened.
Hint.. if you're portable is hibernated, then when the thief restarts it, all of your partitions are already mounted with good passwords, and can be perused by merely doing
No. Think again. That is what an "encrypted swap" avoids. You can not "unthaw" the computer without the password. The memory image is encrypted, so you can not look at it.

Of course, you will be able to look at any partition that is not encrypted, be it mounted or not - which is why the procedure usually includes encrypting root. Only /boot has to remain un-encrypted.

-- 
Cheers,
Carlos E. R.
participants (5)
- Carlos E. R.
- Daniel Bauer
- John Andersen
- PaulFransen
- Sam Clemens