dm-crypt feature

Werner Koch
Fri May 6 13:57:11 CEST 2016

On Fri,  6 May 2016 12:01, at said:

> * g13: Add experimental support for dm-crypt.
> So what is this? What can I do with it? What documentation is there?

Here is what Neal wrote in his blog entry from October:

  Werner has been working on g13.  g13 is part of the GnuPG suite of
  tools.  It provides support for working with DM-Crypt devices with
  OpenPGP keys and takes advantage of the existing GnuPG infrastructure.
  Currently, DM-Crypt is primarily used with LUKS.  A LUKS encrypted
  volume has a small header at the start of the volume, which includes
  the master key encrypted with a passphrase.  The passphrase is a weak
  point of the system as it is often vulnerable to a brute-force attack.
  A more secure approach is to encrypt the master key with a secret key
  stored on a smart card.  Further, it should be possible to use
  existing keys.  GnuPG, of course, has long had good support for
  interacting with smartcards and working with OpenPGP keys.

I use it for my everyday work but we have no real documentation.
Suspend/resume technically works but there are a couple of problems and
non-implemented features. I have some things on my todo list, like the
ability to run scripts (e.g. to start/stop dovecot), adding new
encryption keys to the existing ones, making use of the extra copies of
the encrypted session keys in case of problems.

You need to create a file /etc/gnupg/g13tab which may look like this:

  # g13tab - Mount definitions for g13
  # <user>  <blockdev>  [<label>|"-"  [<mountpoint>]]
  wk /dev/sdb1 mail /home/wk/bar
  joe partuuid=12345678-12
  joe PARTUUID=f424242-48d2-5e1a-be09-def54312aaa1 - /mnt/foo

this allows user wk to mount /dev/sdb1 on /home/wk/bar and user joe to
mount the given disks.  A helper tool invoked via userv(1)[1] is used for
the actual work then.  For example you can do this

  g13 --create /dev/sdb1

which turns an empty partition (you may need to use "dd if=/dev/zero" to
convince g13 that it is empty) into a g13 managed dm-crypt partition.
Currently you still need to su(root) and run mkfs then.  You should be
able to use the label ("mail" in the example) instead of the partition
name, but that has not yet been fully implemented.

  g13 --mount /dev/sdb1

will mount that partition according to g13tab.  --umount umounts of

  g13 --suspend /dev/sdb1

would then run the dm-crypt suspend hack, which removes the session key
and freezes the session.  --resume reverts this by setting the session
key again using the private key which one should keep on a smartcard.
Suspend/resume requires a patched dmsetup(1) tool.



[1] You need this file /etc/userv/services.d/gnupg-g13-syshelp :
--8<---------------cut here---------------start------------->8---
if ( glob service-user root
    execute /usr/local/bin/g13-syshelp -v
    error Nothing to do for this service-user
--8<---------------cut here---------------end--------------->8---

Thoughts are free.  Exceptions are regulated by a federal law.
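The g13tab format described in the mail (user, block device, optional label or "-", optional mount point) is small enough to show as a parser together with the authorization lookup a root helper would have to make before acting on a user's request. The following is an added illustration and not code from g13 or GnuPG; the field semantics follow the mail, while the policy that a user may only address devices listed under their own name, the case-insensitive treatment of the partuuid= prefix, and all function names are assumptions. The sample table is the one from the mail, embedded as constructed input.

```python
"""Parser and authorization lookup for the /etc/gnupg/g13tab format.

Added example, not g13's own code.  Assumed: the root-side helper must
only act on a (user, device) pair that appears in g13tab, a device may
be referred to either by its block device, its partuuid= reference, or
its label, and the partuuid= key is matched case-insensitively.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the table quoted in the mail above.
SAMPLE_G13TAB = """\
# g13tab - Mount definitions for g13
# <user>  <blockdev>  [<label>|"-"  [<mountpoint>]]
wk /dev/sdb1 mail /home/wk/bar
joe partuuid=12345678-12
joe PARTUUID=f424242-48d2-5e1a-be09-def54312aaa1 - /mnt/foo
"""


@dataclass(frozen=True)
class G13TabEntry:
    user: str
    blockdev: str            # normalized: /dev/... or partuuid=<lowercase uuid>
    label: Optional[str]     # None when the field is absent or "-"
    mountpoint: Optional[str]


def normalize_blockdev(dev: str) -> str:
    """Canonicalize a block device reference so that lookups compare equal.

    Accepts an absolute /dev path or a partuuid=<uuid> reference with the
    key in any case (the mail uses both "partuuid=" and "PARTUUID=").
    """
    if dev.lower().startswith("partuuid="):
        return "partuuid=" + dev[len("partuuid="):].lower()
    if dev.startswith("/dev/"):
        return dev
    raise ValueError(f"unsupported block device reference: {dev!r}")


def parse_g13tab(text: str) -> List[G13TabEntry]:
    """Parse g13tab text into entries; comments and blank lines are skipped."""
    entries: List[G13TabEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/full comments
        if not line:
            continue
        fields = line.split()
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"g13tab line {lineno}: expected 2 to 4 fields")
        user = fields[0]
        blockdev = normalize_blockdev(fields[1])
        label = fields[2] if len(fields) > 2 and fields[2] != "-" else None
        mountpoint = fields[3] if len(fields) > 3 else None
        # A relative mount point would be resolved against the helper's
        # working directory; refuse it rather than guess.
        if mountpoint is not None and not mountpoint.startswith("/"):
            raise ValueError(f"g13tab line {lineno}: mount point must be absolute")
        entries.append(G13TabEntry(user, blockdev, label, mountpoint))
    return entries


def lookup(entries: List[G13TabEntry], user: str, ref: str) -> Optional[G13TabEntry]:
    """Return the entry `user` may operate on for device or label `ref`.

    Only entries listed under `user` are considered, so a label or device
    belonging to another user never matches (the least-privilege check the
    helper is assumed to need).  Returns None when nothing matches.
    """
    try:
        wanted_dev: Optional[str] = normalize_blockdev(ref)
    except ValueError:
        wanted_dev = None          # `ref` is not a device; try it as a label
    for entry in entries:
        if entry.user != user:
            continue
        if wanted_dev is not None and entry.blockdev == wanted_dev:
            return entry
        if entry.label is not None and entry.label == ref:
            return entry
    return None


if __name__ == "__main__":
    table = parse_g13tab(SAMPLE_G13TAB)
    for user, ref in (("wk", "/dev/sdb1"), ("wk", "mail"), ("joe", "/dev/sdb1")):
        hit = lookup(table, user, ref)
        print(f"{user} {ref}: {'allowed ' + hit.blockdev if hit else 'denied'}")
```

Note that the lookup deliberately refuses a device that is present in the table but under a different user; a helper running as root via userv(1) has to make exactly that distinction, since the caller controls only the arguments, not the table.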
