[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [solved] encrypted fs, ensure pw correct to continue boot?

On Thu, Nov 27, 2008 at 12:25:02AM -0500, Douglas A. Tutty wrote:
> I have encrypted partitions on my new box (/home, swap, (tmp on tmpfs),
> /var/local, /var/tmp).  The cryptsetup initscripts prompt for the
> passphrase during boot.  If you type the wrong passphrase, it says that
> it didn't work but the boot continues anyway.  
> I'd like the boot to stop (perhaps doing an immediate reboot) rather
> than continuing.  The cryptdisks set up happens at
> /etc/rcS.d/S26cryptdisks-early and S28cryptdisks, inbetween
> S25libdevmapper1.02 and S30checkfs.sh.
I've heard that if you have an encrypted / then of course you can't boot
with the wrong password.

I added the following script to /etc/init.d/cryptcheck with the symlink
to /etc/rcS.d/S29cryptcheck.

I figure that there are only two reasons why the script should find that
things aren't set up correctly:  1) I mistyped, or 2) an attacker is
trying to break in.  If 1), I want a reboot and am expecting it.  If 2),
I don't want the attacker to know what's going on, just have the box
reboot with no further prompting.  There are enough messages printed
that it could be captured with a serial console if reqired.

#! /bin/sh
# Author: Doug Tutty <dtutty@vianet.ca>

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
DESC="Will reboot if cryptdisks were not opened correctly."

# Function that starts the daemon/service
	echo -n "	What is in dev/mapper?  "
	test -b /dev/mapper/sda2_crypt || reboot
	test -b /dev/mapper/sda6_crypt || reboot
	test -b /dev/mapper/sdb1_crypt || reboot
	test -b /dev/mapper/sdb2_crypt || reboot
	echo "All crypt partitions exist."
	return 0

case "$1" in
	echo "$DESC" "$NAME"

	echo "Usage: $SCRIPTNAME {start [there is not stop]}" >&2
	exit 3


Reply to: