Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 580807

Summary: [RFE] Add using USB as key for encrypted /
Product: Red Hat Enterprise Linux 5 Reporter: Miro Halas <fedora>
Component: mkinitrdAssignee: Brian Lane <bcl>
Status: CLOSED WONTFIX QA Contact: Release Test Team <release-test-team-automation>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: ddumas, myroslav
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-27 15:34:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miro Halas 2010-04-09 05:55:50 UTC
Description of problem:

mkinitrd doesn't support entering passphrase for encrypted root file system using USB key. When setting up encrypted filesystem it would greatly simplify management if user can store the keys on a USB key and just plug it in to restart the computer without having to type anything. 

Version-Release number of selected component (if applicable):

fully updated CentOS 5.4

How reproducible:

There is no way using the default  mkinitrd to specify to use luks key on the USB key for simplified boot process. It always requires to enter the passphrase from the console

Steps to Reproduce:
1. Setup unencrypted /boot partition
2. Setup encrypted / partition
3. During boot you have to interactively enter the passphrase, there is no way to setup to read the key from the USB key
  
Actual results:


Expected results:

Please see this page for steps and patches how to setup encrypted root filesystem, key on USB key and patch for mkinitrd to allow using key from USB key

http://www.gno.org/~gdr/sysadmin/centos/5.4/usb-crypto-key.html

Additional info:

Comment 1 Miro Halas 2010-04-09 06:19:50 UTC
In addition there is one beautiful side effect of this solution (which might be known or obvious to others, but it took me couple of hours trying to hack rc.sysinit to realize so I am using this opportunity to document it).

/etc/crypttab allows to specify keys for the encrypted file systems but
rc.sysinit doesn't support reading the keys from the USB key. Even if such support is added, if the key is not present (e.g. the USB key is not inserted) the rc.sysinit doesn't default to interactive input of passphrase and rather skips the volume entirely which may result in non working system.

By allowing to put the key for the encrypted root file system  on the USB key, one can then put the key used to decrypt other volumes on the computer on the root drive (which is encrypted) and point /etc/crypttab to this key. This way when the root drive is mounted and decrypted using the key present on the USB key, the other drives can be mounted and decrypted automatically using the keys from the decrypted root file system.

This single patch can therefore solve all existing scenarios how to simplify access to machines with encrypted filesystem:
1. If the user doesn't have the USB drive with the key, the mkinitrd allows to specify the key interactively and once successfully specified the keys specified in /etc/crypttab can be used to decrypt the other file systems
2. If the user uses the USB drive with the key, the mkinitrd uses this key and user doesnt have to type anything (doesn't even have to know the passphrase) and still can boot/reboot the machine. Once successfully specified the keys specified in /etc/crypttab can be used to decrypt the other file systems

There is no change to rc.sysinit required.

Comment 2 Miro Halas 2011-01-20 18:42:40 UTC
I also suggest looking at this request

https://bugzilla.redhat.com/show_bug.cgi?id=459814

and additional patches listed in it. These add ability to unlock the encrypted filesystem while connecting over SSH.

Comment 3 Brian Lane 2011-07-11 18:15:36 UTC
I don't like the idea of adding ssh, but the USB key solution looks interesting.

Comment 4 Myroslav Opyr 2011-07-11 22:16:20 UTC
Is there the reason why SSH is not in favor? Is that too far from mainstream Fedora solutions?

Comment 5 Dave Cantrell 2011-07-27 15:34:45 UTC
We are past the point where we can implement new features in RHEL-5.  If you would like to see this feature implemented in a future major RHEL release, please work with the upstream projects to get it implemented in Fedora first.