Bug 714467
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Cannot use /dev/urandom for random keys, despite what man crypttab says | | |
| Product: | [Fedora] Fedora | Reporter: | Paul Johnson <paul> |
| Component: | cryptsetup-luks | Assignee: | Milan Broz <mbroz> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | agk, dwysocha, lvm-team, mbroz, opensource, pjones, prockai, pvrabec, whulbert |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-08-11 13:59:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Paul Johnson
2011-06-19 13:09:17 UTC
After a bit more reading, I see that there is a distinction between the password and the key files. The problem is that crypttab treats field 3 as a password file, when really a random key file is required for random encryption of swap and tmp. There does not seem to be any way to pass a random key file via crypttab.

crypttab processing is quite tricky. If you use a keyfile in plain mode (non-LUKS), it will use the keyfile as the key directly. But using urandom for the key should be possible for plain mode. This one crypttab entry should work:

```
crypt-swap <swap-partition> /dev/urandom swap
```

It is in fact a systemd cryptsetup wrapper problem, but I thought I sent a fix for this... swap encrypted by a key read from urandom was one of the tested scenarios. I'll check it once I have access to some F15 system again.

For me, crypttab is processed correctly - device mapper maps the device, swap is created - using this line:

```
swap-plain-keyf /dev/sdb1 /dev/urandom swap
```

But there seems to be a problem when I add it to fstab with activation... ok, this is another problem. I'll comment on it in the duplicate bug.

*** This bug has been marked as a duplicate of bug 711394 ***

I do not believe that this bug is a duplicate of 711394, so I'm reopening it. That bug is about swap partitions. This one is primarily about /tmp. When I set my /etc/crypttab to

```
crypt-tmp <tmp-partition> /keyfile tmp
crypt-swap <swap-partition> /keyfile swap
```

then everything works (apart of course from being insecure because the /keyfile is stored on the root partition). The problem is that the file referred to in /etc/crypttab is passed as a password, not a key, and cryptsetup reads password files to completion. What I think is needed is some way to tell the crypttab processing to use /dev/urandom as a key file rather than a password file. Or is there some other workaround?

Does it finish boot somehow? If so, please paste lsblk output and the crypttab entry after the system boots (after the timeout).

crypttab is processed correctly on my system with urandom, and even swap was activated when I removed that udev rule exception. You can easily verify whether it is a clone of bug 711394: try editing /lib/udev/rules.d/60-persistent-storage.rules this way (remove dm-*):

```
# skip rules for inappropriate block devices
#KERNEL=="fd*|mtd*|nbd*|gnbd*|btibm*|dm-*|md*", GOTO="persistent_storage_end"
KERNEL=="fd*|mtd*|nbd*|gnbd*|btibm*|md*", GOTO="persistent_storage_end"
```

Does it help?

The problem is with tmp, not swap. I currently have my /etc/crypttab as

```
crypt-tmp /dev/mapper/vg_eiffel-lv_tmp /tstkey tmp
crypt-swap /dev/mapper/vg_eiffel-lv_swap /dev/urandom swap
```

This boots fine. But if I set the tmp line to /dev/urandom then boot fails when the initialisation of /tmp times out. I think this is a bug in /etc/functions in the init_crypto function. There is a line:

```sh
if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
```

The "else" part passes the "-d" parameter to cryptsetup (i.e. use key file). I think that if this line was changed to

```sh
if [ -z "$makeswap" ] && [ -z "$mke2fs" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
```

then the tmp encryption would work in the same way as the swap.

uff. systemd should do the job, /etc/functions should not be used here (and -d /dev/urandom works). But there seems to be another bug. Can you remove the tmp mount from /etc/fstab, add urandom to crypttab, reboot and paste "lsblk -f" output? It works for me - urandom is used, the fs is there. Just it is not mounted for some reason. (But I have no clear F15 system, it is partially updated from rawhide.)

Here it is:

```
NAME                          FSTYPE LABEL MOUNTPOINT
sda
├─sda1                                     /boot
└─sda2
  ├─vg_eiffel-lv_root (dm-0)               /
  ├─vg_eiffel-lv_swap (dm-1)
  │ └─crypt-swap (dm-7)                    [SWAP]
  ├─vg_eiffel-lg_var (dm-2)                /var
  ├─vg_eiffel-lv_home (dm-3)               /home
  ├─vg_eiffel-lv_tmp (dm-4)
  │ └─crypt-tmp (dm-6)                     /tmp
  └─vg_eiffel-lv_scratch (dm-5)            /scratch
sr0
sr1
sdb
└─sdb1
```

So, if /etc/functions isn't being used, what does the crypttab processing?

crypttab is now parsed inside systemd and it calls libcryptsetup directly, so from the lsblk output you can see that crypt-tmp is mounted on /tmp, and crypt-swap is used as swap. So this is correct. What does the wrong config look like?

No info provided here, closing.

I think that the cryptsetup part works but there are still some issues in systemd regarding LUKS volumes anyway.
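The thread turns on one distinction: for a plain (non-LUKS) mapping the third crypttab field is key material and is read with a fixed length, so /dev/urandom is a fine source, whereas for a LUKS volume the same field is a passphrase file that is read to EOF, and /dev/urandom has no EOF. The checker below is an added example written for this page; it is not code from systemd, cryptsetup or anyone in the thread. It models those semantics with a simplification that is stated in the comments (the `swap`, `tmp` and `plain` options are taken to mean plain dm-crypt, everything else is assumed to be LUKS; real systemd probes for a LUKS header). The crypttab text, the `luks-home`, `luks-var` and `scratch` entries, and the finding messages are constructed for the example; only the `crypt-swap` and `crypt-tmp` lines mirror the reporter's configuration.

```python
"""Model of the crypttab key-file vs passphrase-file distinction (added example).

Not systemd's or cryptsetup's code.  Simplification: entries with the swap,
tmp or plain option are treated as plain dm-crypt, all others as LUKS.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RANDOM_DEVICES = {"/dev/urandom", "/dev/random", "/dev/hwrng"}  # endless char devices
NO_KEY = {None, "none", "-"}                                     # "prompt for a passphrase"
URANDOM_AVAILABLE = os.path.exists("/dev/urandom")


@dataclass
class Entry:
    name: str
    device: str
    key: Optional[str]
    options: Set[str]

    @property
    def plain(self) -> bool:
        # Simplified rule; systemd-cryptsetup would probe for a LUKS header instead.
        return bool(self.options & {"swap", "tmp", "plain"})


def parse_crypttab(text: str) -> List[Entry]:
    """Parse 'name device [key [options]]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        key = fields[2] if len(fields) > 2 else None
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append(Entry(fields[0], fields[1], key, opts))
    return entries


def check_entry(e: Entry) -> List[Tuple[str, str]]:
    """Return (level, message) findings for one entry."""
    findings = []
    throwaway = bool(e.options & {"swap", "tmp"})
    random_key = e.key in RANDOM_DEVICES
    if not e.plain and random_key:
        # LUKS: field 3 is a passphrase file read to EOF; /dev/urandom never ends.
        findings.append(("ERROR", f"{e.key} would be read to EOF as a LUKS passphrase; activation never completes"))
    if e.plain and e.key in NO_KEY:
        findings.append(("WARN", "plain mapping will prompt for a passphrase at boot"))
    if throwaway and not random_key and e.key not in NO_KEY:
        findings.append(("WARN", f"persistent key file {e.key} for a throwaway volume; a random device is safer"))
    if e.plain and random_key and not throwaway:
        findings.append(("WARN", "random key without swap/tmp: contents vanish on reboot and no fs is created"))
    return findings


def check_crypttab(text: str) -> Dict[str, List[Tuple[str, str]]]:
    return {e.name: check_entry(e) for e in parse_crypttab(text)}


def read_plain_key(path: str, key_bytes: int) -> bytes:
    """Plain-mode key read: exactly key_bytes from a character device (bounded,
    so /dev/urandom works), whole file otherwise, truncated to key_bytes."""
    with open(path, "rb") as f:
        if stat.S_ISCHR(os.fstat(f.fileno()).st_mode):
            return f.read(key_bytes)
        data = f.read()
    if len(data) < key_bytes:
        raise ValueError(f"{path}: only {len(data)} bytes, need {key_bytes}")
    return data[:key_bytes]


def passphrase_read_terminates(path: str, limit: int = 64 * 1024) -> bool:
    """Passphrase-file read (to EOF), capped so the demo cannot hang.
    False means no EOF arrived within `limit` bytes, i.e. a real read would spin."""
    with open(path, "rb") as f:
        return len(f.read(limit + 1)) <= limit


# Constructed sample; crypt-swap/crypt-tmp follow the reporter's lines, the rest is made up.
SAMPLE_CRYPTTAB = """\
# name      device                          key           options
crypt-swap  /dev/mapper/vg_eiffel-lv_swap   /dev/urandom  swap
crypt-tmp   /dev/mapper/vg_eiffel-lv_tmp    /tstkey       tmp
luks-home   /dev/mapper/vg_eiffel-lv_home   /dev/urandom  luks
luks-var    /dev/mapper/vg_eiffel-lg_var    none          luks
scratch     /dev/sdb1                       /dev/urandom  plain
"""

if __name__ == "__main__":
    for name, findings in check_crypttab(SAMPLE_CRYPTTAB).items():
        print(name, findings or "ok")
    if URANDOM_AVAILABLE:
        print("bounded key read:", len(read_plain_key("/dev/urandom", 32)), "bytes")
        print("passphrase read of /dev/urandom terminates:", passphrase_read_terminates("/dev/urandom"))
```

Run it with `python3 crypttab_check.py`; the `luks-home` entry reproduces the hang mode the reporter describes (an endless device fed to a read-to-EOF passphrase path), while `crypt-swap` passes because a plain mapping takes a bounded key read.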