dm-crypt feature
Werner Koch
wk at gnupg.org
Fri May 6 13:57:11 CEST 2016
On Fri, 6 May 2016 12:01, ag4ve.us at gmail.com said:
> * g13: Add experimental support for dm-crypt.
>
> So what is this? What can I do with it? What documentation is there?
Here is what Neal wrote in his blog entry from October:
Werner has been working on g13. g13 is part of the GnuPG suite of
tools. It provides support for working with DM-Crypt devices with
OpenPGP keys and takes advantage of the existing GnuPG infrastructure.
Currently, DM-Crypt is primarily used with LUKS. A LUKS encrypted
volume has a small header at the start of the volume, which includes
the master key encrypted with a passphrase. The passphrase is a weak
point of the system as it is often vulnerable to a brute-force attack.
A more secure approach is to encrypt the master key with a secret key
stored on a smart card. Further, it should be possible to use
existing keys. GnuPG, of course, has long had good support for
interacting with smartcards and working with OpenPGP keys.
I use it for my everyday work but we have no real documentation.
Suspend/resume technically works but there are a couple of problems and
non-implemented features. I have some things on my todo list, like the
ability to run scripts (e.g. to start/stop dovecot), adding new
encryption keys to the existing ones, making use of the extra copies of
the encrypted session keys in case of problems.
You need to create a file /etc/gnupg/g13tab which may look like this:
# g13tab - Mount definitions for g13
# <user> <blockdev> [<label>|"-" [<mountpoint>]]
wk /dev/sdb1 mail /home/wk/bar
joe partuuid=12345678-12
joe PARTUUID=f424242-48d2-5e1a-be09-def54312aaa1 - /mnt/foo
This allows user wk to mount /dev/sdb1 on /home/wk/bar and user joe to
mount the given disks. A helper tool invoked via userv(1)[1] is used for
the actual work then. For example, you can do this:
g13 --create /dev/sdb1
which turns an empty partition (you may need to use "dd if=/dev/zero" to
convince g13 that it is empty) into a g13 managed dm-crypt partition.
Currently you still need to su to root and then run mkfs. You should be
able to use the label ("mail" in the example) instead of the partition
name, but that has not yet been fully implemented.
g13 --mount /dev/sdb1
will mount that partition according to g13tab. --umount umounts of
course.
g13 --suspend /dev/sdb1
would then run the dm-crypt suspend hack, which removes the session key
and freezes the session. --resume reverts this by setting the session
key again using the private key which one should keep on a smartcard.
Suspend/resume requires a patched dmsetup(1) tool.
Shalom-Salam,
Werner
[1] You need this file /etc/userv/services.d/gnupg-g13-syshelp :
--8<---------------cut here---------------start------------->8---
if ( glob service-user root
)
reset
suppress-args
execute /usr/local/bin/g13-syshelp -v
else
error Nothing to do for this service-user
fi
quit
--8<---------------cut here---------------end--------------->8---
--
Thoughts are free. Exceptions are governed by a federal law.
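The g13tab lines in the message above define who may touch which block device, and the root-privileged helper behind userv has to consult them before doing anything. The following is an added example, not code from g13 or g13-syshelp: it parses the g13tab layout shown (comments, 2 to 4 fields, "-" for no label, PARTUUID in either case) and answers the permission question for a given user and device or label. Rules beyond what the sample lines show (a device must be an absolute /dev/ path or a PARTUUID=, a mountpoint must be absolute) and the label-to-device resolution, which the message says g13 has not fully implemented, are assumptions made here for illustration.

```python
"""Parse the g13tab format from the message above and answer the question a
privileged helper has to answer: may this user act on this device or label?

Added example, not code from g13 or g13-syshelp. The field rules beyond what
the sample lines show (device paths must start with /dev/, mountpoints must be
absolute) are assumptions made here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, copying the layout of the g13tab in the message.
SAMPLE_G13TAB = """\
# g13tab - Mount definitions for g13
# <user> <blockdev> [<label>|"-" [<mountpoint>]]
wk /dev/sdb1 mail /home/wk/bar
joe partuuid=12345678-12
joe PARTUUID=f424242-48d2-5e1a-be09-def54312aaa1 - /mnt/foo
"""


@dataclass(frozen=True)
class G13Entry:
    user: str
    blockdev: str               # "/dev/..." or normalised "partuuid=<lowercase id>"
    label: Optional[str]        # None when omitted or written as "-"
    mountpoint: Optional[str]   # None when omitted


def normalize_blockdev(spec: str) -> str:
    """Canonicalise a device spec so tab entries and requests compare equal.

    PARTUUID= is accepted in any case (both spellings appear in the sample);
    anything else must be an absolute /dev/ path without ".." (assumption).
    """
    if spec.lower().startswith("partuuid="):
        return "partuuid=" + spec.split("=", 1)[1].lower()
    if spec.startswith("/dev/") and ".." not in spec.split("/"):
        return spec
    raise ValueError(f"unsupported block device spec: {spec!r}")


def parse_g13tab(text: str) -> List[G13Entry]:
    """Parse g13tab text: '#' comments and blank lines ignored, 2 to 4 fields per line."""
    entries: List[G13Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"g13tab line {lineno}: expected 2 to 4 fields, got {len(fields)}")
        user, blockdev = fields[0], normalize_blockdev(fields[1])
        label = fields[2] if len(fields) > 2 and fields[2] != "-" else None
        mountpoint = fields[3] if len(fields) > 3 else None
        if mountpoint is not None and not mountpoint.startswith("/"):
            raise ValueError(f"g13tab line {lineno}: mountpoint must be absolute: {mountpoint!r}")
        entries.append(G13Entry(user, blockdev, label, mountpoint))
    return entries


def lookup_entry(entries: List[G13Entry], user: str, target: str) -> Optional[G13Entry]:
    """Return the entry that permits `user` to act on `target`, or None.

    `target` is either a label or a device spec. Only lines belonging to `user`
    are consulted, so a user cannot borrow another user's device by name or label.
    (The message says label lookup is not fully implemented in g13 yet; this
    shows what such a lookup amounts to.)
    """
    mine = [e for e in entries if e.user == user]
    for e in mine:
        if e.label is not None and e.label == target:
            return e
    try:
        dev = normalize_blockdev(target)
    except ValueError:
        return None
    for e in mine:
        if e.blockdev == dev:
            return e
    return None


if __name__ == "__main__":
    tab = parse_g13tab(SAMPLE_G13TAB)
    for who, what in [("wk", "/dev/sdb1"), ("wk", "mail"), ("joe", "/dev/sdb1"),
                      ("joe", "PARTUUID=12345678-12")]:
        print(who, what, "->", lookup_entry(tab, who, what))
```

The point of the lookup is that the helper runs as root on behalf of an unprivileged caller, so the decision must be keyed on both the calling user (which userv supplies) and the device; joe asking for /dev/sdb1 or for the label "mail" gets no entry and nothing is mounted.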