Message during boot:
Unlocking encrypted volumes: [BUSY] disk1..crypttab contains a literal encryption key. This
ok disk2..crypttab contains a literal encryption key. This will stop working in the future.
What should I do? I use several literal encryption keys to unlock several partitions during boot, including root.
The problem is that I use remote unlocking of the root partition with a literal key I enter manually from the keyboard. I replaced the encrypt hook with dropbear encryptssh in /etc/mkinitcpio.conf.
What can I do if in the future it is replaced with a key-file instead of a literal one? It is inconvenient to use a key-file for remote computer file encryption?
So atm you have the actual passphrases in your /etc/crypttab?
From a security perspective this is not exactly the way to go, as you can imagine. I would either switch to keyfiles or set "ASK" in your crypttab so you get prompted for the password(s) during boot.
Burninate!
So atm you have the actual passphrases in your /etc/crypttab?
Yes, I store plain passwords in /etc/crypttab, because /etc/crypttab is on the encrypted root partition. The encrypted root partition is decrypted during boot after entering a literal password over ssh through the network. I don't see anything wrong with that. I can't be asked for passwords, because I boot the computer remotely.
Last edited by ZeroLinux (2012-05-02 08:09:32)
Your best bet is to switch to keyfiles in that case.
PS: some additional info about it on this mailing list message.
Burninate!
If I do it, how will I decrypt my root partition during boot remotely?
You don't have to change anything to how your root partition is decrypted. It's only after your root partition has been decrypted/mounted and your /etc/crypttab is read that you'll be wanting to switch to keyfiles.
Burninate!
Thanks, I'll try to make it.
[...]The encrypted root partition is decrypted during boot after entering a literal password over ssh through the network. I don't see anything wrong with that. I can't be asked for passwords, because I boot the computer remotely.
Actually, that may be a security hole.
Your sshd keys are unencrypted; therefore, someone with physical access to your computer can copy them and then do a MITM attack to get your passphrase when you unlock it remotely.
If I do it, how will I decrypt my root partition during boot remotely?
You can configure a single partition so that it can be unlocked both with a keyfile and a passphrase.
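One way to find the entries behind that boot warning and lay out the switch to key files discussed in this thread, as an added example that is not part of any post. It assumes LUKS volumes, a hypothetical /etc/keys directory on the encrypted root, Arch's older ASK and SWAP keywords, and a constructed sample crypttab; `cryptsetup luksAddKey` adds the key file as an additional key, so the existing passphrase keeps working.

```shell
#!/bin/sh
# Added example: find literal keys in a crypttab and plan the key-file switch.
# Assumes LUKS volumes; /etc/keys is a hypothetical directory on the encrypted root.

# awk rules shared by both functions: skip every entry whose third field
# is not a literal secret, so only literal-key entries reach the action.
SKIP='
NF == 0 || $1 ~ /^#/                  { next }  # blank line or comment
$3 == "" || $3 == "none" || $3 == "-" { next }  # prompt at boot
$3 == "ASK" || $3 == "SWAP"           { next }  # older Arch keywords
$3 ~ /^\//                            { next }  # path to a key file or device
'

# Print the mapping name of each entry that still carries a literal key.
literal_key_entries() {
    awk "$SKIP"'{ print $1 }' "$1"
}

# Dry run: print the commands that add a key file as a second LUKS key and
# the crypttab line that replaces the literal one. Nothing is executed.
migration_plan() {
    awk -v dir="${2:-/etc/keys}" "$SKIP"'{
        kf = dir "/" $1 ".key"
        print "(umask 077; dd if=/dev/urandom of=" kf " bs=512 count=4)"
        print "cryptsetup luksAddKey " $2 " " kf
        $3 = kf                      # swap the literal secret for the path
        print "crypttab: " $0
    }' "$1"
}

# Constructed sample input; names, devices and secrets are made up.
sample_crypttab() {
    cat <<'EOF'
# <name>  <device>   <password>         <options>
disk1     /dev/sdb1  correct-horse-1
disk2     /dev/sdc1  correct-horse-2    luks
home      /dev/sda3  /etc/keys/home.key
backup    /dev/sdd1  ASK
swap      /dev/sda2  SWAP               -c aes-xts-plain -s 256
data      /dev/sde1  none               luks
EOF
}

tmp=$(mktemp)
sample_crypttab > "$tmp"
literal_key_entries "$tmp"
migration_plan "$tmp"
rm -f "$tmp"
```

The root volume's remote passphrase unlock in the initramfs is untouched by this; only entries read from /etc/crypttab after root is mounted are affected.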