Hi fellow Debian users,

I just got the combination of a dm encrypted FS with the PAM mount ability working. What gave me quite a headache was the following:

You can use the PAM mount lib to encrypt your mantra of the dm encrypted partition with your login password. I started out with a rather long (2880 Bytes) dm mantra. I generated it by something like:

<snip>
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 > /home/clemens.key
</snip>

Afterwards, I set everything up as it is explained in /usr/share/doc/libpam-mount/README.Debian.gz, always ending up with the following log file entries:

<snip /var/log/auth.log/>
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: (defined by globalconf)
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: user: clemens
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: server:
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: volume: /dev/hdb7
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: mountpoint: /mnt/dm/
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: options: cipher=twofish,hash=sha512
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: fs_key_cipher: aes-256-ecb
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: fs_key_path: /home/clemens.key
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: use_fstab: 0
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: --------
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: checking to see if /dev/mapper/_dev_hdb7 is already mounted at /mnt/dm/
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: checking for encrypted filesystem key configuration
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: decrypting FS key using system auth. token and aes-256-ecb
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: bad pad on end of encrypted file (wrong algorithm or key size?)
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: mount of /dev/hdb7 failed
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: checking sanity of volume record (/dev/hdb7)
Nov 7 00:48:25 zappa kdm: :0[11226]: pam_mount: about to perform mount operations
<endSnip /var/log/auth.log/>

So, I am not quite sure where the cut off happens:

a) in the openssl package while the mantra file gets decrypted
b) in the dmsetup package when setting up the device mapper file

Everything works fine when I use shorter passwords. Since I could not find any documentation stating this problem, I address this issue here to the list. Am I missing something?

Thanks for your comments and explanations.

Clemens Bier

--
GPG Key: http://eigenvalue.net/~clemens/gpgkey.asc
Fingerprint: 1024D/A07D0D1B 5FB1 B155 8070 DF8B 4350 6583 87FF 3589 A07D 0D1B