Mailinglist Archive: opensuse-features (202 mails)

< Previous Next >
[openFATE 302628] Access to encrypted devices/partitons by dongle
  • From: fate_noreply@xxxxxxx
  • Date: Wed, 1 Apr 2009 20:59:38 +0200 (CEST)
  • Message-id: <feature-302628-32@xxxxxxxxxxxxxx>
Feature changed by: Mario Goppold (mgoppold)
Feature #302628, revision 32
Title: Access to encrypted devices/partitons by dongle

openSUSE-11.0: Rejected by Stephan Kulow (coolo)
reject date: 2008-03-31 10:53:14
reject reason: too late - and still lacking a real concept behind the
full story.
Requester: Desirable

openSUSE-11.1: Rejected by Stephan Kulow (coolo)
reject date: 2008-08-07 16:27:08
reject reason: out of resources.
Requester: Desirable

openSUSE-11.2: Evaluation
Requester: Desirable

Requested by: Stefan Fent (sfent)

Think of the following scenario: You store your files on an encrypted
partition and if you want to access them you just insert your USB
stick, flash card or whatever and gain access to your files. Another
thought would be to encrypt the whole system and the only possibilty to
access it is via dongle.

- FATE#301352: Filesystem encryption using Smartcard certificate
(feature/id: 301352)

#1: Gerald Pfeifer (geraldpfeifer) (2007-10-05 23:04:19)
Michele (desktop) / Matthias (storage) what do you think about this?

#2: Michael Löffler (michl19) (2008-01-02 18:27:26)
Nice to have but I miss a business case.

#3: Stephan Kulow (coolo) (2008-01-07 14:42:28) (reply to #2)
the business case of such a feature only works if you have a company to
sell those dongle sticks I'd say. And those dongle vendors prefer
custom boot loaders from those I know. So I don't think a solution with
a stick that can be easily copied by dd is preferrable and I would
rather reject this.

#4: Guy Lunardi (glunardi) (2008-01-18 19:46:42)
It's my understanding that Chris' work would allow for this to happen.
This would be very neat indeed, we have discussed this with several
customers who expressed interest. Using a simple USB key would be one
inexpensive way to make this work.
One alternative that a customer asked was to have the ability to unlock
the data using certificates strored within a smart card.

#7: Stephan Kulow (coolo) (2008-06-27 11:23:16) (reply to #4)
Chris work? I fail to see the context.

#9: Guy Lunardi (glunardi) (2008-07-02 15:27:37) (reply to #7)
I do believe that Chris' work would be good for us to leverage however
I do not know the details and could be wrong since it has been a few
months now since we last talked about this. Chris, would you be able to
assist me with provide insights on ways we could address this?

#11: Chris Rivera (chrismrivera) (2008-07-06 23:52:49) (reply to #9)
If you setup an encrypted home directory with cryptconfig it defaults
to creating an encrypted container and a key file. The key file can
reside anywhere, including removable media. If you use removable media
you need to setup an fstab entry using the device label or device UUID
to ensure that the dongle gets mounted automatically and the key file
is in the right location.

#12: Stephan Kulow (coolo) (2008-08-07 16:26:44) (reply to #11)
ok, just talked about with Chris about this feature. We have no
resources for yast work any more and the work required seem to be this:
"so it would just mean moving the .key file to the media, changing the .
key file location in pam_mount.conf, and adding an fstab entry"
(quoting Chris). So this would be either put in a README or we wait for

#13: Stephan Kulow (coolo) (2009-03-04 11:39:07) (reply to #12)
any objection against opening this to

#14: Marcus Meissner (msmeissn) (2009-03-04 11:40:59) (reply to #13)
no, done

#5: Stephan Kulow (coolo) (2008-03-31 10:52:41)
I still have no clear picture of what cryptfs setups we're going to
support - there are various fate entries about it: e,g, 302981 and
301352. So I would like PM to sort this out - and I personally think
it's too late for 11.0.

#6: Matthias Eckermann (mge1512) (2008-04-01 01:35:14)
In an ideal world we would support:
* TPM (incl. fingerprint readers etc.)
* Smart Cards
* simple devices with key on (USB sticks, memory cards)
* passphrase (as today)
* (optional) integration with a directory (LDAP, eDirectory, ...)

#15: Mario Goppold (mgoppold) (2009-03-29 22:26:03)
Hi, because I just need to unlook my root partition via USB stick I
have build an rpm for it:
_SVNr46_luks_key-64.1.x86_64.rpm The main changes are in
/lib/mkinitrd/scripts/{setup,boot} and the new
/etc/sysconfig/initrd.luks_key. The LUKS-Keyfile should on an Labled or
UUIDed USB-Stick. You can unlook all partitions with a master key or
define a separate for every luks_device. The approach is certainly not
the best but there is no keyscript in /etc/crypttab jet (why not?).

#16: Ludwig Nussel (lnussel) (2009-03-30 09:13:46) (reply to #15)
mind creating a patch against;a=summary so I can
have a look? I'm not really fond of supporting the keyscript option but
since debian now uses that askpass program that I like to integrate
we'd basically get keyscript support for free at least wrt boot.crypto.
For YaST it would be between hard and impossible to support as one can
never know what the keyscript does.

#17: Mario Goppold (mgoppold) (2009-03-30 22:14:47) (reply to #16)
Have a look at boot.crypto-035e11e5c04eb03ca972baf135a12b869e758f91.
3Amgoppold) an the new rpm Build 73

+ #18: Mario Goppold (mgoppold) (2009-04-01 20:59:06) (reply to #16)
+ I have made some little updates:
+ * There is no need to add /dev/mapper/swap and /dev/mapper/what_else to
+ or /boot/grub/menu.lst
+ * If the key-File is not within the luks-Container there is now a
+ prompt fallback.
+ * I added ext3 and jbd modules to have the Key on ext3 formatted USB-
+ Sticks
+ The new version is Build 77

openSUSE Feature:

< Previous Next >
This Thread
  • No further messages