# Encrypted Filesystem: Keys and/or Passwords

## FishNiX

Hi All-

I finally managed to get a 120 gig encrypted hard disk setup, and now I would like to add a new feature.  Let's say that I have a small usb drive/keychain drive (or if it makes you feel better, let's pretend it's a floppy).  I would like to store a gpg key on this for mounting my encrypted filesystem.  I would be cool with having to use BOTH the key and the password, but I would like to get away from just the password.

Any ideas?  Can it be done?  

Someone did mention doing this in another post, but not enough details. 

THANKS!

----------

## Strubenator

Sure it can be done, but we need know some more info...

You mentioned gpg keys, is this what your using on your crypted disk drive? If not and your using cryptoapi I'm almost certain this can be done.

BTW: you may want to look into a new feature in the devel kernels that only allow root logins when a security key is in the system.

--Strube

----------

## watersb

 *Quote:*   

>  I would like to store a gpg key on this for mounting my encrypted filesystem. I would be cool with having to use BOTH the key and the password, but I would like to get away from just the password.
> 
> 

 

It sounds like what you want is something similar to what Jari Ruusu wrote and posted to the loop-AES (now the Crytpo-loop) mailing list:

http://mail.nl.linux.org/linux-crypto/2002-04/msg00010.html

And now I ramble on a bit about why I have not implemented such a system myself... read on if interested...

I have been running an encrypted root partition for about nine months now, and I considered doing something like a USBDrive or dongle to store a key. But this adds even more complexity to the system, and I am not certain that I could trust it to work -- if for some reason it doesn't, then you can't get to your data. I find that typing the losetup password each time to work OK. Yeah, it's tedious. But reliable enough.

The nice features of the GPG key for encrypted root: 1) possiblity to grant access to a number of individual keys, and 2) token-based authentication means that I can manage access by managing the token (USB drive or smart card). Since I can't change the encryption key of the disk, revoking access is limited to revoking the token. A small downside is that an un-authorized person can gain access to the token -- by stealing it, for example. So you generally still ask for a password or some other information.

I decided that I didn't care about token-based access issues for my single-user laptop. I did care that laptops are relatively easy to steal; if "black hats" have unlimited access to my hardware, password-based access  is useless without some data-level encryption as a reasonable deterrent.

If you can get GPG-based crypto-loop to work, I'd love to know!

Good luck!

----------

## FishNiX

 *Strubenator wrote:*   

> Sure it can be done, but we need know some more info...
> 
> You mentioned gpg keys, is this what your using on your crypted disk drive? If not and your using cryptoapi I'm almost certain this can be done.
> 
> BTW: you may want to look into a new feature in the devel kernels that only allow root logins when a security key is in the system.
> ...

 

i'm using cryptoapi and rc6 encryption currently.  i just want to be able to use a key instead of a password OR a key and a password.  i havent worked all that much with keys, so i think it's time i started  :Wink: 

actually, i think that i would prefer just a key.

what i would like to be able to do is:

-insert the usb drive with the key stored on it

-boot my computer

-have scripts run to mount my encrypted device with the key and no password (this is not a root filessytem, just a backup filessystem)

-remove the usb drive

-use the encrypted filesystem (since its mounted) until i have to reboot or i unmount it (at which time, mounting it again would require the key)

----------

## FishNiX

 *watersb wrote:*   

>  *Quote:*    I would like to store a gpg key on this for mounting my encrypted filesystem. I would be cool with having to use BOTH the key and the password, but I would like to get away from just the password.
> 
>  
> 
> It sounds like what you want is something similar to what Jari Ruusu wrote and posted to the loop-AES (now the Crytpo-loop) mailing list:
> ...

 

that does sound very similar -- although it seems (for now!) what i want is a little more simple.  im still waiting on my usb drive... maybe i should just start this without the drive since it will take a while anyways.

anyone else have information/suggestions?  They are all welcome here!!

Thanks!

----------

## FishNiX

btw... does anyone know how to not have to specify the key size when mounting the encrypted filessytem?  i'm using rc6 and it would be cool to have something like mount /dev/hdd1 /backups -t ext3 -o loop,encryption=rc6-256 or something like that.

thanks!

----------

## doubt

Here my fstab entry containing "keysize" argument and others ...

```
/home/doubt/.secure    /home/doubt/secure     ext2    rw,noauto,user,loop,encryption=aes,phash=sha256,keybits=192,uid=jfield  0 0
```

Regards.

----------

## FishNiX

 *doubt wrote:*   

> Here my fstab entry containing "keysize" argument and others ...
> 
> ```
> /home/doubt/.secure    /home/doubt/secure     ext2    rw,noauto,user,loop,encryption=aes,phash=sha256,keybits=192,uid=jfield  0 0
> ```
> ...

 

awesome! the keybits work -- what is phash doing?

i see this:

 *Quote:*   

> --phash, -P hash
> 
>               specify ash to use for hashing  the  passphrase.  The  following
> 
>               hash functions are supported:
> ...

 

but i dont exactly know what that means

----------

## mmealman

A hash is sort of a one way crypt. It allows you to map a word into a x bit phrase. The same word will always map down to the same phrase.

If your password is dog, it gets mangled by the hash which is used as the passphrase for your crypt algorythm.

The default hash type for losetup is rmd, but you can choose your own with phash.

I'm a noob with cryptology, so the above may not be entirely correct.

With the USB key thingy, is there any reason you couldn't just have losetup read the password from a file on the usb device when the system boots up? And if it can't find it, then have it prompt for the password instead. Sort of a fall-back in case you don't have the key.

----------

## xi

does someone have any experiences with Towitoko / Omnikey / Utimaco or other card readers ?

----------

## petu

 *xi wrote:*   

> does someone have any experiences with Towitoko / Omnikey / Utimaco or other card readers ?

 

I have utimaco's 2010 cardman and finnish identity card. I use it with pcsc-lite and opensc to login to my system. I have tried to get it work with mozilla but I have only got the pkcs11 module to work but not the opensc-signer so my card is pretty useless.

----------

