Posts: 21 | Thanked: 19 times | Joined on Oct 2011 @ Germany/Siegen
#1
Say you have encrypted your home and MyDocs via cryptsetup and LUKS like many howtos here describe.

For me it seems most people are using the plain cryptsetup password prompt via fbcon. Clean but tiny.

I've modified some script from BackupMenu (by RobbieThe1st) to satisfy my need for a fancier password prompt. See the attached screenshot (btw: yes, it's a photo. I don't know how to dump the framebuffer while booting...)

I didn't build it rock stable, it's more or less alpha state. But it's doing its job fine for me.

How to install:
Instead of running cryptsetup directly inside /etc/init.d/rcS I added the following to the file. Place it where cryptsetup is called in most of the "how to encrypt your home and mydocs"-howtos:
Code:
# activate LUKS devices
[ -f /usr/local/sbin/deluks.sh ] && /usr/local/sbin/deluks.sh
deluks.sh is the file I attached here. Some parameters should be modified for your needs. For example partition numbers or mapper names. Mine are home_luks and mydocs_luks.

A password hash is needed (execute line by line, don't copy&paste the whole block into a shell!):
Code:
export HISTFILE=/dev/null   # busybox ash saves its history to $HISTFILE; /dev/null keeps the next lines out of .ash_history
ash                         # start a fresh ash that inherits HISTFILE
echo -n "yourpassword" | sha3sum > /etc/luks-passwd.hash
exit
Use your LUKS password instead of yourpassword. This should write the sha3sum of your password to /etc/luks-passwd.hash without saving your password in clear text to the ash history. (ash is the busybox shell)
Review your /root/.ash_history afterwards! Both passwords, for home and mydocs, have to be the same. There's only one prompt for one password.

The hash is used to prompt for the password another time if the last one wasn't the right one. I decided to do it this way because I don't want to wait for cryptsetup for every wrongly typed password, and this way I can afterwards call cryptsetup two times consecutively with the correct password (for home and mydocs). (Security isn't reduced that much because sha3 is for one thing a strong hash and for the other thing most of the collisions found in the one-way hash won't decrypt the LUKS key, but only the single real one used to generate the hash. Brute forcing all possible passwords is still less expensive than with LUKS and all of its many hash iterations!)

Don't forget to leave some backup procedure inside rcS for emergency cases. If you use special characters in your password there's a chance that you won't be able to decrypt it this way. Default keyboard layout for deluks.sh is english/us.

I had the following inside rcS before and after deluks.sh, for debugging reasons:
Code:
echo "Press any key to enable shell"
read -n 1 -t 2 shellmode        # wait up to 2 seconds for a single keypress
if [ -n "$shellmode" ] ; then
    sh                          # drop to a shell only if a key was pressed
fi
This way I could edit files (like the hash file) if they don't work on the first try or even add some other key (luksAddKey). :-)

For capitals and special keys, please note: alt/shift keys must be pressed one at a time. Like with BootMenu.

The fbcon module should not be needed (I think - I still load it in /sbin/preinit).

And at long last: If there are better ways to do so, please tell me. I'll switch over by myself. :-D
Attached Images
Attached Files
File Type: txt deluks.sh.txt (8.1 KB, 1162 views)

Last edited by hede; 2013-11-19 at 11:25.
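An added example (not the attached deluks.sh): the hash-gated retry loop described above, written as plain busybox-style sh. It assumes sha3sum is in PATH, the hash file was written exactly as in the post, and the mmcblk partition numbers are placeholders for your own layout; the mapper names are the ones from the post.

```shell
#!/bin/sh
# Added example, not the attached deluks.sh: a hash-gated retry loop as the post
# describes it. Assumed: busybox-style sh, sha3sum in PATH, and the hash file
# written exactly as in the post (echo -n "pw" | sha3sum > /etc/luks-passwd.hash).

HASH_CMD="${HASH_CMD:-sha3sum}"                  # the post hashes with sha3sum
HASH_FILE="${HASH_FILE:-/etc/luks-passwd.hash}"
MAX_TRIES=3

# Print only the hex digest of a string (sha3sum appends "  -" for stdin input).
hash_string() {
    printf '%s' "$1" | "$HASH_CMD" | cut -d' ' -f1
}

# Return 0 when the candidate hashes to the stored digest, 1 otherwise.
verify_password() {
    [ -r "$HASH_FILE" ] || return 1
    stored=$(cut -d' ' -f1 < "$HASH_FILE")
    [ -n "$stored" ] && [ "$(hash_string "$1")" = "$stored" ]
}

# Ask up to MAX_TRIES times (echo off on a tty); print the accepted password
# on stdout so the caller can pipe it into cryptsetup, or return 1 on give-up.
prompt_loop() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        printf 'LUKS password (try %d of %d): ' "$tries" "$MAX_TRIES" >&2
        [ -t 0 ] && stty -echo
        IFS= read -r candidate || candidate=""
        [ -t 0 ] && stty echo
        echo >&2
        if verify_password "$candidate"; then
            printf '%s' "$candidate"
            return 0
        fi
        echo "Wrong password." >&2
    done
    return 1
}

# Unlock both containers with the one accepted password (mapper names from the
# post; the mmcblk partition numbers are placeholders for your own layout).
open_luks() {
    pw=$(prompt_loop) || return 1
    printf '%s' "$pw" | cryptsetup luksOpen --key-file - /dev/mmcblk0p2 home_luks
    printf '%s' "$pw" | cryptsetup luksOpen --key-file - /dev/mmcblk0p1 mydocs_luks
}
```

Calling open_luks from rcS in place of the direct cryptsetup lines gives the same two luksOpen calls, but cryptsetup only runs once the stored hash has matched.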
Posts: 8 | Thanked: 13 times | Joined on Dec 2009
#2
Nice! I'm also using a modified version of backupmenu and fbcon in order to have an encrypted home partition. Now it would be great to also try that on a jolla, but as long as there isn't even a way to flash it I won't try. So the good old N900 will still be the main phone as I couldn't live without the encryption of all my data.
 
Posts: 21 | Thanked: 19 times | Joined on Oct 2011 @ Germany/Siegen
#3
I had the known problem of not having any content in ossofilemanager and all those file-open dialogues etc.

[no files / folders]

I've found a workaround: use a loop device in between. Instead of mounting /dev/mapper/mydocs_luks directly to /home/user/MyDocs I use a loop device in osso-mmc-mount.sh:

Code:
# osso-mmc-mount.sh: hand the file manager a loop device instead of /dev/dm-1
if [ "$PDEV" = "/dev/dm-1" ]; then
    PDEV=$(losetup -f)          # next free loop device
    losetup "$PDEV" /dev/dm-1   # attach it to the opened mydocs_luks mapping (dm-1 here)
fi

Now my filemanager is filled with files, even though nothing has changed in my file system tree.