Hello!
Is it possible to use both a key file and a passphrase to decrypt the system? Is the feature enabled by default or do you have to do something special to go around it?
What's the best way to achieve this kind of encryption?
Thanks in advance.
Edit:
To elaborate; I want both a key and a passphrase to be required, I don't want to choose one of them.
Last edited by sensei (2011-12-02 18:21:35)
What encryption scheme are you using?
If it's LUKS this may help: https://wiki.archlinux.org/index.php/LU … e_Key_File
#binarii @ irc.binarii.net
Matrix Server: https://matrix.binarii.net
-------------
Allan -> ArchBang is not supported because it is stupid.
What encryption scheme are you using?
If it's LUKS this may help: https://wiki.archlinux.org/index.php/LU … e_Key_File
Thank you for your answer.
I know how to create keyfiles; what I want to know is if it's possible to require both a keyfile and a passphrase. If I add a passphrase and a keyfile, will you need both the keyfile and the passphrase to unlock the volume or is it enough with either the passphrase or the keyfile?
You can see in this topic that you can have it fall back to a passphrase should the keyfile be invalid or missing. I wonder if you could modify the encrypt hook to require both, instead of falling back. A little more information on the encrypt hook here: https://wiki.archlinux.org/index.php/Mk … ypted_root
I may start looking into this as well, as it's an interesting idea that definitely would enhance the security of an encrypted drive.
I'll see if I can get around it in a virtual machine; I'll post if I make any progress. Thank you for your answer.
I've been thinking a little and checking out the code below.
if poll_device "${cryptdev}" ${rootdelay}; then
    if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
        [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
        dopassphrase=1
        # If keyfile exists, try to use that
        if [ -f ${ckeyfile} ]; then
            if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                dopassphrase=0
            else
                echo "Invalid keyfile. Reverting to passphrase."
            fi
        fi
        # Ask for a passphrase
        if [ ${dopassphrase} -gt 0 ]; then
            echo ""
            echo "A password is required to access the ${cryptname} volume:"
            # loop until we get a real password
            while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                sleep 2;
            done
        fi
        if [ -e "/dev/mapper/${cryptname}" ]; then
            if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                export root="/dev/mapper/root"
            fi
        else
            err "Password succeeded, but ${cryptname} creation failed, aborting..."
            exit 1
        fi
    fi   # end of isLuks branch (closing lines not included in the pasted excerpt)
fi
How about creating a temporary keyfile by adding the original keyfile and the passphrase? The biggest problem I see is where to store the keyfile. Would RAM be a good place to store it, and is it possible using bash? Or do you have to use C++ to access RAM?
My knowledge in bash is very limited as I haven't really had the need to use it.
Maybe /dev/shm would be an alternative? Or maybe the device where the original keyfile is?
I'm just brainstorming here.
Can this be changed in the encrypt hook or are there some cryptsetup parameters to do so?
I know that truecrypt is able to require both a passphrase and a keyfile, but that's no alternative for me, since I want to add the keyfile to an already existing LUKS partition.
I'm sorry for my poor English writing skills…
Can this be changed in the encrypt hook or are there some cryptsetup parameters to do so?
I know that truecrypt is able to require both a passphrase and a keyfile, but that's no alternative for me, since I want to add the keyfile to an already existing LUKS partition.
As far as I can tell, this can be changed in the encrypt hook. I'm in the process of modifying it; I haven't been able to check it out yet, but I'm currently setting up a virtual machine.
Below is what I have so far.
if poll_device "${cryptdev}" ${rootdelay}; then
    if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
        [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
        if [ -f ${ckeyfile} ]; then
            # RAM-backed scratch space so the combined key never touches disk
            mount -t tmpfs -o size=32m tmpfs /dev/shm
            tmpkey="/dev/shm/tmpkey"
            bool=true
            while $bool; do
                echo "Enter passphrase: "
                read -s passphrase
                # Combined key = keyfile bytes followed by the passphrase (no newline);
                # the slot must have been added with a file built the same way
                cp ${ckeyfile} ${tmpkey}
                printf '%s' "${passphrase}" >> ${tmpkey}
                if eval /sbin/cryptsetup --key-file ${tmpkey} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                    bool=false
                fi
                # Remove the combined key whether or not the open succeeded
                rm -f ${tmpkey}
            done
            umount /dev/shm
        fi
    fi
fi
As earlier stated, I'm not good at bash so if anyone has a better solution feel free to post it.
Edit:
If anyone could provide a full version of the encrypt file, I'd appreciate it.
Last edited by sensei (2011-12-04 19:39:48)
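The hook above only covers the unlock side; the slot it opens has to be enrolled with a byte-identical "keyfile + passphrase" file first. The following is an added example (not code from the thread or from the Arch encrypt hook) showing that enrolment step; build_combined_key, combined_key_size and enrol_combined_slot are hypothetical helper names, and the device and keyfile paths are placeholders.

```shell
#!/bin/sh
# Enrol a LUKS key slot that opens only with keyfile bytes + passphrase.
# Added example; helper names are assumptions, not part of the hook.
set -eu

# Write raw keyfile bytes followed by the passphrase (no trailing newline)
# into $3. Enrolment and the boot hook must build identical files.
build_combined_key() {
    keyfile=$1
    passphrase=$2
    out=$3
    umask 077
    cp "$keyfile" "$out"
    printf '%s' "$passphrase" >> "$out"
}

# Byte length of a combined key, for checking both sides agree.
combined_key_size() {
    wc -c < "$1" | tr -d ' '
}

# Add the combined key as a new slot; cryptsetup prompts for an existing
# slot's secret. Placeholders: $1 e.g. /dev/sdX2, $2 the keyfile path.
enrol_combined_slot() {
    device=$1
    keyfile=$2
    passphrase=$3
    tmpdir=$(mktemp -d -p /dev/shm)      # RAM-backed, never written to disk
    build_combined_key "$keyfile" "$passphrase" "$tmpdir/combined.key"
    cryptsetup luksAddKey "$device" "$tmpdir/combined.key"
    rm -rf "$tmpdir"
    # LUKS slots are independent: while a keyfile-only or passphrase-only
    # slot still exists, either alone still opens the volume. Remove such
    # slots (cryptsetup luksKillSlot) before relying on "both required".
}
```

Verify with a constructed keyfile before touching a real device: a 32-byte keyfile plus an 8-character passphrase must yield a 40-byte combined key on both the enrolment host and in the initramfs.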