Bug 580807
| Summary: | [RFE] Add using USB as key for encrypted / | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Miro Halas <fedora> |
| Component: | mkinitrd | Assignee: | Brian Lane <bcl> |
| Status: | CLOSED WONTFIX | QA Contact: | Release Test Team <release-test-team-automation> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.5 | CC: | ddumas, myroslav |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-27 15:34:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Miro Halas
2010-04-09 05:55:50 UTC
In addition there is one beautiful side effect of this solution (which might be known or obvious to others, but it took me couple of hours trying to hack rc.sysinit to realize so I am using this opportunity to document it). /etc/crypttab allows to specify keys for the encrypted file systems but rc.sysinit doesn't support reading the keys from the USB key. Even if such support is added, if the key is not present (e.g. the USB key is not inserted) the rc.sysinit doesn't default to interactive input of passphrase and rather skips the volume entirely which may result in non working system. By allowing to put the key for the encrypted root file system on the USB key, one can then put the key used to decrypt other volumes on the computer on the root drive (which is encrypted) and point /etc/crypttab to this key. This way when the root drive is mounted and decrypted using the key present on the USB key, the other drives can be mounted and decrypted automatically using the keys from the decrypted root file system. This single patch can therefore solve all existing scenarios how to simplify access to machines with encrypted filesystem: 1. If the user doesn't have the USB drive with the key, the mkinitrd allows to specify the key interactively and once successfully specified the keys specified in /etc/crypttab can be used to decrypt the other file systems 2. If the user uses the USB drive with the key, the mkinitrd uses this key and user doesnt have to type anything (doesn't even have to know the passphrase) and still can boot/reboot the machine. Once successfully specified the keys specified in /etc/crypttab can be used to decrypt the other file systems There is no change to rc.sysinit required. I also suggest looking at this request https://bugzilla.redhat.com/show_bug.cgi?id=459814 and additional patches listed in it. These add ability to unlock the encrypted filesystem while connecting over SSH. I don't like the idea of adding ssh, but the USB key solution looks interesting. Is there the reason why SSH is not in favor? Is that too far from mainstream Fedora solutions? We are past the point where we can implement new features in RHEL-5. If you would like to see this feature implemented in a future major RHEL release, please work with the upstream projects to get it implemented in Fedora first. |