[openFATE 302628] Access to encrypted devices/partitons by dongle
Feature changed by: Ludwig Nussel (lnussel) Feature #302628, revision 53 Title: Access to encrypted devices/partitons by dongle openSUSE-11.0: Rejected by Stephan Kulow (coolo) reject date: 2008-03-31 10:53:14 reject reason: too late - and still lacking a real concept behind the full story. Priority Requester: Desirable openSUSE-11.1: Rejected by Stephan Kulow (coolo) reject date: 2008-08-07 16:27:08 reject reason: out of resources. Priority Requester: Desirable - openSUSE-11.2: Candidate + openSUSE-11.2: Done Priority Requester: Desirable Projectmanager: Desirable Requested by: Stefan Fent (sfent) Description: Think of the following scenario: You store your files on an encrypted partition and if you want to access them you just insert your USB stick, flash card or whatever and gain access to your files. Another thought would be to encrypt the whole system and the only possibilty to access it is via dongle. Relations: - FATE#301352: Filesystem encryption using Smartcard certificate (feature/id: 301352) Discussion: #1: Gerald Pfeifer (geraldpfeifer) (2007-10-05 23:04:19) Michele (desktop) / Matthias (storage) what do you think about this? #2: Michael Löffler (michl19) (2008-01-02 18:27:26) Nice to have but I miss a business case. #3: Stephan Kulow (coolo) (2008-01-07 14:42:28) (reply to #2) the business case of such a feature only works if you have a company to sell those dongle sticks I'd say. And those dongle vendors prefer custom boot loaders from those I know. So I don't think a solution with a stick that can be easily copied by dd is preferrable and I would rather reject this. #4: Guy Lunardi (glunardi) (2008-01-18 19:46:42) It's my understanding that Chris' work would allow for this to happen. This would be very neat indeed, we have discussed this with several customers who expressed interest. Using a simple USB key would be one inexpensive way to make this work. One alternative that a customer asked was to have the ability to unlock the data using certificates strored within a smart card. #7: Stephan Kulow (coolo) (2008-06-27 11:23:16) (reply to #4) Chris work? I fail to see the context. #9: Guy Lunardi (glunardi) (2008-07-02 15:27:37) (reply to #7) I do believe that Chris' work would be good for us to leverage however I do not know the details and could be wrong since it has been a few months now since we last talked about this. Chris, would you be able to assist me with provide insights on ways we could address this? #11: Chris Rivera (chrismrivera) (2008-07-06 23:52:49) (reply to #9) If you setup an encrypted home directory with cryptconfig it defaults to creating an encrypted container and a key file. The key file can reside anywhere, including removable media. If you use removable media you need to setup an fstab entry using the device label or device UUID to ensure that the dongle gets mounted automatically and the key file is in the right location. #12: Stephan Kulow (coolo) (2008-08-07 16:26:44) (reply to #11) ok, just talked about with Chris about this feature. We have no resources for yast work any more and the work required seem to be this: "so it would just mean moving the .key file to the media, changing the . key file location in pam_mount.conf, and adding an fstab entry" (quoting Chris). So this would be either put in a README or we wait for SPx. #13: Stephan Kulow (coolo) (2009-03-04 11:39:07) (reply to #12) any objection against opening this to openSUSE.org? #14: Marcus Meissner (msmeissn) (2009-03-04 11:40:59) (reply to #13) no, done #5: Stephan Kulow (coolo) (2008-03-31 10:52:41) I still have no clear picture of what cryptfs setups we're going to support - there are various fate entries about it: e,g, 302981 and 301352. So I would like PM to sort this out - and I personally think it's too late for 11.0. #6: Matthias Eckermann (mge1512) (2008-04-01 01:35:14) In an ideal world we would support: * TPM (incl. fingerprint readers etc.) * Smart Cards * simple devices with key on (USB sticks, memory cards) * passphrase (as today) * (optional) integration with a directory (LDAP, eDirectory, ...) #15: Mario Goppold (mgoppold) (2009-03-29 22:26:03) Hi, because I just need to unlook my root partition via USB stick I have build an rpm for it: http://download.opensuse.org/repositories/home:/mgoppold/openSUSE_11.1/x86_6... _SVNr46_luks_key-64.1.x86_64.rpm The main changes are in /lib/mkinitrd/scripts/{setup,boot}-luks.sh and the new /etc/sysconfig/initrd.luks_key. The LUKS-Keyfile should on an Labled or UUIDed USB-Stick. You can unlook all partitions with a master key or define a separate for every luks_device. The approach is certainly not the best but there is no keyscript in /etc/crypttab jet (why not?). #16: Ludwig Nussel (lnussel) (2009-03-30 09:13:46) (reply to #15) mind creating a patch against http://git.opensuse.org/?p=projects/boot.crypto.git;a=summary so I can have a look? I'm not really fond of supporting the keyscript option but since debian now uses that askpass program that I like to integrate we'd basically get keyscript support for free at least wrt boot.crypto. For YaST it would be between hard and impossible to support as one can never know what the keyscript does. #17: Mario Goppold (mgoppold) (2009-03-30 22:14:47) (reply to #16) Have a look at #18: Mario Goppold (mgoppold) (2009-04-01 20:59:06) (reply to #16) I have made some little updates: * There is no need to add /dev/mapper/swap and /dev/mapper/what_else to setup-storage.sh. or /boot/grub/menu.lst * If the key-File is not within the luks-Container there is now a prompt fallback. * I added ext3 and jbd modules to have the Key on ext3 formatted USB- Sticks The new version is Build 77 (http://download.opensuse.org/repositories/home:/mgoppold/openSUSE_11.1/x86_6...) #19: Marcus Meissner (msmeissn) (2009-06-24 15:12:33) (reply to #18) Mario, It would really help us if you could provide a patch against the current git state. The patch does not aspply to current :( (Ludwig is not in the office this and next week, will get back in 2 weeks.) #20: Mario Goppold (mgoppold) (2009-08-11 09:38:09) (reply to #19) The new patch against the boot.crypto- 2acb4efc564ca9af8e97162110987289f1206f11.tar.gz from 13.07.2009 is done. You can find it in my OBS: #21: Mario Goppold (mgoppold) (2009-08-11 17:42:20) (reply to #20) Now, it builds on Factory too. #22: Matthias Nagorni (mnagorni) (2009-08-21 13:37:03) (reply to #21) Certainly a nice feature and as I understand it is close to ready. Since I like the innovation and do agree that crypto FS features and the corresponding indentity issues are highly important, I set to "Important". If I had a real business case I would even consider "Mandatory". #24: Stephan Kulow (coolo) (2009-09-03 10:49:40) (reply to #22) Marcus is on vacation this week, so I talked to Ludwig and the feature as it is makes it _possible_ to implement your own keyscript (see #16). This does not make it enterprise ready at all as it's not supported at all by the system beyond that. So please reject for SP1. Perhaps we get a matured version for SLE12. #23: Marcus Meissner (msmeissn) (2009-08-25 11:02:43) (reply to #21) Ludwig, can we proceed? #25: Ludwig Nussel (lnussel) (2009-09-04 12:37:22) I've submitted boot.crypto with support for a debian compatible keyscript option to Factory. passdev.c from debian or an equivalent still needs to be packaged. #26: Marcus Meissner (msmeissn) (2010-01-15 16:21:20) (reply to #25) can we mark it done? + #27: Ludwig Nussel (lnussel) (2010-01-15 16:33:17) (reply to #26) + yes, marking as done. There is no and never will be an option in yast + to configure it. Neither do we have a ready made script. The boot. + crypto infrastructure supports ne necessary hooks for anyone to write + custom unlock methods though. -- openSUSE Feature: https://features.opensuse.org/302628
participants (1)
-
fate_noreply@suse.de