OpenSSL bf-cbc encrypted Keyfile HOOK for LUKS

I modified this HOOK that maxim_ posted here. That does not work.
https://bbs.archlinux.org/viewtopic.php … 05#p947805
This one uses Blowfish in CBC mode instead of AES-256.
The password is hashed 1000 times with Whirlpool.
gen-cryptkey adds a Salt to the encrypted keyfile
https://github.com/tdwyer/bfkeyfile
/lib/initcpio/hooks
#!/usr/bin/ash

run_hook ()
{
    local encfile decfile iteration attempts prompt badpassword dev arg1 arg2 retcode password passwordHash

    # Only act when bfkf= was given on the kernel command line
    if [ "x${bfkf}" != "x" ]; then
        encfile="/enc_keyfile.bin"
        decfile="/crypto_keyfile.bin"
        iteration=1000
        attempts=5
        prompt="Enter password: "
        badpassword="Password incorrect"

        # bfkf=<device>:<fs-type>:<path> or bfkf=<device>:<offset>:<size>
        dev="$(echo "${bfkf}" | cut -d: -f1)"
        arg1="$(echo "${bfkf}" | cut -d: -f2)"
        arg2="$(echo "${bfkf}" | cut -d: -f3)"

        if poll_device "${dev}" "${rootdelay}"; then
            case "${arg1}" in
                *[!0-9]*)
                    # Non-numeric second field: a file on a filesystem
                    # arg1 = filesystem type, arg2 = path
                    mkdir /mntkey
                    mount -r -t "${arg1}" "${dev}" /mntkey
                    dd if="/mntkey/${arg2}" of="${encfile}" >/dev/null 2>&1
                    umount /mntkey
                    rm -rf /mntkey
                    ;;
                *)
                    # Numeric second field: raw data from the block device
                    # arg1 = offset, arg2 = size
                    dd if="${dev}" of="${encfile}" bs=1 skip="${arg1}" count="${arg2}" >/dev/null 2>&1
                    ;;
            esac
        fi

        if [ -f "${encfile}" ]; then
            while true; do
                read -rsp "${prompt}" password
                # Hash the password ${iteration} times with Whirlpool
                i=0
                while [ ${i} -lt ${iteration} ]; do
                    password=`echo -n "${password}" | openssl dgst -whirlpool -hex 2> /dev/null | cut -d ' ' -f 2`
                    i=$(( ${i} + 1 ))
                done
                openssl bf-cbc -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}" >/dev/null 2>&1
                retcode="$?"
                if [ "${retcode}" != "0" ]; then
                    # Remove any partial output left by the failed decrypt
                    rm -f "${decfile}"
                    echo -e "\n${badpassword}\n"
                    attempts=$(( ${attempts} - 1 ))
                    [ "${attempts}" == "0" ] && echo "Keyfile could not be decrypted" && break
                else
                    break
                fi
            done
            rm -f "${encfile}"
        else
            echo "Encrypted keyfile could not be opened. Reverting to 'encrypt' hook."
        fi
    fi
}
/lib/initcpio/install
#!/bin/bash

build() {
    # openssl is needed inside the initramfs to decrypt the keyfile
    add_binary /usr/bin/openssl
    add_runscript
}

help ()
{
cat<<HELPEOF
  This hook allows for an openssl (bf-cbc) encrypted keyfile for LUKS.
  It relies on standard 'encrypt' hook providing decrypted '/crypto_keyfile.bin' for it.
  You must use gen-cryptkey to create the encrypted enc_keyfile.bin
  The password is hashed with Whirlpool 1000 times
  Then your password Hash is used to encrypt the keyfile

  mkinitcpio.conf:
    MODULES: add ext4 vfat or whatever the type of filesystem the keyfile is on
    HOOKS=" ... bfkf encrypt ... filesystems ..."

  Kernel Parameters:
    There is no need for cryptkey=
    Two options are supported:
    1) Using a file on the device:
       bfkf=<device>:<fs-type>:<path>
    2) Reading raw data from the block device:
       bfkf=<device>:<offset>:<size>

  Example: /etc/default/grub
    GRUB_CMDLINE_LINUX="bfkf=/dev/sdb1:ext4:/keyfile.bin cryptdevice=/dev/sda2:root"
HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et:
/usr/bin/gen-cryptkey
#!/bin/bash
# GPLv3
# Thomas Dwyer
# tomd.tel

iteration=1000
create_msg='Create: gen-cryptkey create'
decrypt_msg='Decrypt: gen-cryptkey decrypt PATH_TO_KEYFILE'

main () {
    action=$1
    if [ -z "$action" ]; then
        echo -e "Usage:\n$create_msg\n$decrypt_msg"
    elif [ "$action" == "create" ]; then
        crypt
    elif [ "$action" == "decrypt" ]; then
        if [ -z "$2" ]; then
            echo -e "Usage:\n$create_msg\n$decrypt_msg"
        else
            decrypt "$2"
        fi
    else
        echo -e "Usage:\n$create_msg\n$decrypt_msg"
    fi
    exit 0
}

crypt () {
    encfile="enc_keyfile.bin"
    echo "$encfile encrypted keyfile will be created"
    echo ''
    read -rsp "Enter password: " password
    password1=`echo -n "$password" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2`
    echo ''
    read -rsp "Enter password Again: " verify
    password2=`echo -n "$verify" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2`
    if [[ "$password1" == "$password2" ]]; then
        # Hash the password $iteration times with Whirlpool
        for (( i=1; i<=$iteration; i++ )); do
            password=`echo -n "$password" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2`
        done
        # 256 KiB of random key material, encrypted with a salt
        dd if=/dev/urandom bs=1k count=256 | openssl bf-cbc -pass pass:"${password}" -salt -out "${encfile}"
    else
        echo "Passwords did not match"
    fi
}

decrypt () {
    encfile=$1
    decfile="crypto_keyfile.bin"
    echo "$encfile Will be decrypted to crypto_keyfile.bin"
    echo ''
    read -rsp "Enter password: " password
    # Same hashing as in crypt, so the derived password matches
    for (( i=1; i<=$iteration; i++ )); do
        password=`echo -n "$password" | openssl dgst -whirlpool -hex | cut -d ' ' -f 2`
    done
    openssl bf-cbc -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}"
}

main "$@"
Last edited by hunterthomson (2013-01-01 00:01:20)
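
The two bfkf= forms from the hook's help text, checked before the value goes on the kernel command line. This is an added example, not part of the original post or the bfkeyfile project; the function names bfkf_parse and is_uint are hypothetical. It goes beyond the hook's own case test by rejecting values that cut -d: would split wrongly, such as device paths that contain colons themselves.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a bfkf= value the
# way the hook will split it (cut -d: -f1..3). Names here are hypothetical.

# is_uint STRING: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# bfkf_parse VALUE
# On success prints "file <device> <fs-type> <path>" or
# "raw <device> <offset> <size>" and returns 0. On failure prints the
# reason to stderr and returns 1.
bfkf_parse() {
    bp_val=$1
    bp_dev=${bp_val%%:*}
    bp_rest=${bp_val#*:}
    if [ "$bp_rest" = "$bp_val" ]; then
        echo "bfkf: expected <device>:<a>:<b>, found no ':'" >&2
        return 1
    fi
    bp_a1=${bp_rest%%:*}
    bp_a2=${bp_rest#*:}
    if [ "$bp_a2" = "$bp_rest" ]; then
        echo "bfkf: third field missing" >&2
        return 1
    fi
    # The hook reads fields 1-3 with cut, so any further ':' (for example in a
    # /dev/disk/by-path name) would shift or truncate the fields.
    case "$bp_a2" in
        *:*) echo "bfkf: more than three ':'-separated fields" >&2; return 1 ;;
    esac
    if [ -z "$bp_dev" ] || [ -z "$bp_a1" ] || [ -z "$bp_a2" ]; then
        echo "bfkf: empty field" >&2
        return 1
    fi
    if is_uint "$bp_a1"; then
        # Numeric second field: the hook takes the raw-device branch and
        # passes both numbers to dd as skip= and count=.
        if ! is_uint "$bp_a2" || [ "$bp_a2" -eq 0 ]; then
            echo "bfkf: raw mode needs a positive numeric size" >&2
            return 1
        fi
        echo "raw $bp_dev $bp_a1 $bp_a2"
    else
        # Anything else is treated as a filesystem type and a path.
        echo "file $bp_dev $bp_a1 $bp_a2"
    fi
}

# Constructed sample values; the last three are deliberately malformed.
for v in /dev/sdb1:ext4:/keyfile.bin /dev/sdb:2048:262168 \
         /dev/sdb:2048:abc /dev/sdb1 \
         /dev/disk/by-path/pci-0000:00:1d.0-part1:ext4:/keyfile.bin; do
    bfkf_parse "$v" || true
done
```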

Well, it is working now, so feel free to use it.
If you do use it, make darn sure to keep "at least" 3 backups of the keyfile on 3 different devices.
You will also want to leave your passphrase enabled until you are sure the keyfile is working as it should.
However, I am not going to use this anymore and will no longer be working on it. I will subscribe to this thread and answer any questions. I don't really see a whole lot of added security in this, and it would be kind of a pain to use a keyfile in a Live CD/USB. I think it is good enough to make use of the --iter-time flag when using luksFormat or luksAddKey. It was a fun ride learning how to write this hook for initcpio.
Note: Anyone who wants to write a hook should install busybox and symlink /usr/local/bin/ash to it for testing the HOOK script. The HOOKS use busybox ash not 'sh' nor 'bash', and ash is strange. If your HOOK script has an error you will get a kernel panic.
Last edited by hunterthomson (2012-12-31 23:57:24)

Similar Messages

  • LVM+LUKS+GPG-encrypted keyfile?

    Hello everyone!
    I'm coming from Gentoo (just can't handle the compiling-without-distcc anymore!), where I had an LVM+LUKS+GPG-encrypted keyfile setup for my root partition, and would like to continue that with Arch here.
    I know with LUKS you can append keys/passwords, so I just went ahead with the "password" install method that was well documented. 
    Is there any current easy-method for going about the route I'm looking for?  I've been searching around and mostly finding "it can be done" but not necessarily how to do it.   Would anyone have any information for me on this? 
    Thanks in advance!

    The best info on LVM2/Luks I have found so far:
    http://sunoano.name/ws/public_xhtml/lvm.html
    http://sunoano.name/ws/public_xhtml/dm-crypt_luks.html

  • Luks encrypted key file as key for luks partition (two-factor auth)

    I'm trying to implement "two-factor" authentication (possession of a keyfile and knowledge of a passphrase required) using dm-crypt in order to open an encrypted root filesystem. In the past I used gpg and later openssl to decrypt a keyfile using a passphrase, which then was used by cryptsetup using --key-file to decrypt the actual data device. I'd like to ditch gpg/openssl and use only cryptsetup.
    So the idea is to create a luksFormatted key file (loop device) which, when opened using a passphrase, will be used as the key (using --key-file) to open a luksFormatted hard drive partition.
    To illustrate:
    # create and luksFormat the key container file
    dd if=/dev/urandom of=key_container bs=1M count=4
    cryptsetup luksFormat key_container
    # open the container and create a random "key" by directly writing pseudo random data to it
    cryptsetup luksOpen key_container key_device
    dd if=/dev/urandom of=/dev/mapper/key_device
    # luksFormat the data device using the random data from the luks key device
    cryptsetup -d /dev/mapper/key_device luksFormat /dev/sda1
    # later, to open /dev/sda1
    cryptsetup -d /dev/mapper/key_device luksOpen /dev/sda1 encryptedfs
    My questions:
    1. Is this a valid approach or am I making a mistake/do you see a problem somewhere?
    2. How much data from the loop device will cryptsetup use as key to format/open the data device? Everything? Is there a limit?
    3. Is there a difference between doing a
    cat /dev/mapper/key | cryptsetup -d -
    and
    cryptsetup -d /dev/mapper/key?
    3. Assuming that the answer to 1 is "no mistake/problem" and 2 is "everything there is" or even "the first x bytes", is it possible that the actual contents of the loop device may change in the future because of different loop device implementations or something else I didn't think of? I'd like to avoid bad surprises in the future..
    4. What would you recommend as size for the key container file, knowing that the luks header requires some space too?
    Any feedback appreciated.
    Cheers,
    fabriceb

    I do the same ( https://wiki.gentoo.org/wiki/Custom_Ini … ed_Keyfile ).
    --key-file=- should be equivalent, but it's meant for grabbing a key from gpg output or whatever; since you can specify it directly here, no need to involve anything else like cat etc.
    without --key-file=- it would stop reading at newlines or something. this behaviour is quite dangerous as it may cause people who believe they're using a long random key, to use only a very short (or even empty) key instead. one way to avoid such ambiguousness is to make sure there are no newline bytes in your keyfile, so it would use the whole thing in either interpretation.
    as for the key length, a key is essentially a passphrase. So it does not have to be very long at all; 8 truly random bytes would require up to 256^8 tries to break after all and with LUKS, each try takes ~1 second per physical CPU... but the smallest unit that LUKS allows is 512 bytes (1 sector) so you could just as well use the whole thing. If you use 4096 bytes, you're confusing bytes with bits somewhere... and as for bits, even 128bit AES is still considered secure...
    You could save some bytes in the initrd.gz if you initialize the container file with zeroes instead of random, so it can be compressed. The key will still be random as the random cipher key will turn the zeroes to something else after all...

  • How to disable AES CBC encryption on ASA 5545

    Hi ,
    In our environment we have an ASA 5545 (IOS Ver 9.1) firewall, and AES 256 CBC cipher encryption is enabled there for SSH user access.
    We need to disable CBC cipher encryption and enable the CTR cipher encryption for SSH users.
    Kindly help me with the same.
    Thanks,
    Dheeraj

    AES256-ctr was just added in ASA software version 9.1(2). I don't believe the ssh encryption type is configurable in the ASA ssh server. You need to specify it in the client - I did verify it will connect when you do that (see output below).
    SSL encryption ciphers can be specified to exclude the weak ciphersuites.
    # sh ssh session det
    SSH Session ID          : 1
     Client IP              : <deleted>
     Username               : <deleted>
     SSH Version            : 2.0
     State                  : SessionStarted
     Inbound Statistics
      Encryption            : aes256-ctr
      HMAC                  : sha1
      Bytes Received        : 1824
     Outbound Statistics
      Encryption            : aes256-ctr
      HMAC                  : sha1
      Bytes Transmitted     : 5632
     Rekey Information
      Time Remaining (sec)  : 3277
      Data Remaining (bytes): 996142580
      Last Rekey            : 07:12:38.807 UTC Tue May 20 2014
      Data-Based Rekeys     : 0
      Time-Based Rekeys     : 0

  • How do I encrypt an archive for a PC user?

    I can't find a way to encrypt an archive for a PC user. There doesn't seem to be an option when making an archive from the Finder. I also tried making an encrypted disk image with Disk Utility but the PC can't open the DMG filetype apparently.
    In the reverse, the same problem exists if I try to open a zip file encrypted on a PC - can't be done.
    When I do a Google search the results for encrypted archive usually point to Stuffit Deluxe or encrypted disk images that you can use on your mac or another Mac.
    Does anyone know how to make/use encrypted archives that are cross platform? I'd like to avoid buying a program (i.e. Stuffit Deluxe) just for this one utilitarian task. Thanks.
    Message was edited by: Marlinespike

    Thanks, Dave.
    I tried the command you gave me. It worked! I could open the zipped archive on my neighbor's PC.
    The only weird things, are that it seems to zip all the other folders, e.g. users\Marlinespike\desktop\target-file, in the filepath and not just the target file, and that it also drops the zipped archive in the home folder.
    I tried adding some of the other commands, such as zip -e -r or zip -er or zip -e -d but it doesn't seem to work. However, this is a huge improvement over where I was earlier.
    I clicked through those links - I forgot about Mac GNU Privacy and am going to check those out too.

  • Third party encryption plug-in for a pdf form.

    We are looking for an Adobe approved third party encryption plug-in for a pdf form. 256 bit, asymmetric, two key, one public (embedded in form) and one private (accessible only to our organisation

    I don't know that there is a huge number of alternatives for Fractal plugins.  You'll no doubt come across links for Fractalius and Genuine Fractals, but the first produces interesting strand like effects (after a very long wait) and the second is an image resize plugin which now belongs to On One, and is sold as Perfect Resize.  And even that has been made irrelevant by the Preserve Details upres option in CC.
    You are also wise to be careful.  Previous trustable sites like cnet on softonic are a nightmare nowadays, and too many of the free apps you find on them come loaded with malware.  Some of it _serious_ malware DAMHIKIJKOK
    But have a look at Fractal Explorer.  I don't have experience with it, but it comes with the Pixel Bender name behind it, which is like a badge of excellence.
    http://www.subblue.com/projects/fractal_explorer

  • USER Hook for Change Manager function

    Dear All,
    I need to know that is there any user hook for Manager Self Service -- Change Manager function for employee.
    If yes then please give me the module name/id for the user hook.
    If no then how can I set custom validations on this page.
    Regards.

    You should look for the update assignment api.
    select * from hr_api_modules
    where module_name like '%UPDATE%ASG%'
    Depending on the legislation, you will have different modules/packages/procedures.

  • API User Hook for Restricting Category Creation in a specific catalog

    Q: API User Hook for Restricting Category Creation in a specific catalog by a specific responsibility. I want to capture GO button process event?
    Hi All,
    Can anyone help me if anyone have used user hook for OLM? My requirement is to restrict course creation for the specific category... when we select category and select course and click on go button which process is calling? How can we identify the BP Package and Procedure name of that GO button?
    urgent reply shall be a great help.
    thank you.
    Regards,
    AD

    OK, I just tried to insert an element entry from the API and it works perfectly
    The problem seems to be coming from the form. Is the form not using an API?
    If this is the case, should I do a personalization and run a PL/SQL procedure each time a change is made?

  • Java encryption/decryption coding for database records

    I need some help in developing a source code in Java that can encrypt and decrypt database records in Oracle 9i and MySQL.
    urgent help needed!

    It's a grade report system, where I put in the college id and a course id as the password to retrieve the grade from the database. The user IDs and grades have to be encrypted before requesting the grades. This database stores for each student the user ID, the course ID, name and grades. The grades from the database are encrypted before being sent to the user.

  • Cannot save service hook for Slack (Database error when saving)

    When trying to set up a service hook for Slack, saving the new service hook fails at the end of the process.
    The Message is
    "Cannos ave the value NULL into column 'ActionDescription', table 'ServiceHooks_...........hooks.tbl_Subscription'; column does not allow nulls, INSERT fails"
    The whole setup wizard runs fine and also the test before saving succeeds (the test message appears in the correct slack channel). There is no field left blank during the setup of the service hook, I cannot see any "Action description" that I may
    have left blank.
    Any ideas?

    Hi,
    did you run an authorization trace ?
    does it always happen with the same SAP user credentials ?
    does it always happen with the same report ?
    Ingo

  • Network security: Configure encryption types allowed for Kerberos-Windows 2008

    If the below setting has been enabled in domain policy on a Windows 2008 R2 DC, what is the effect on a Windows 2008 member server? That setting is not present in Windows 2008.
    Network security: Configure encryption types allowed for Kerberos:
    Please advise & if possible please provide more info.
    AliahMurfy

    Hi,
    I found some related information: some encryption types are not supported on Server 2008, such as AES128_HMAC_SHA1.
    For more detailed information, please refer to the following KB:
    Network security: Configure encryption types allowed for Kerberos
    http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
    Hope this helps.

  • Mkinitcpio-nfs-utils hook for net without wireless

    Is there a way to make a net hook for diskless clients without including wireless?  Make one called net-nowireless or something like that.  If my diskless client has a wireless card, I'd have to go into emergency shell to connect the wireless network device to a wireless network if it would even let me do that.  Otherwise, I have to blacklist any perceivable wireless module and include it in my mkinitcpio.conf.  Some wireless devices can be canned just by not including the firmware.  Anyways, my diskless client hangs on the wireless deadlock when initializing network interfaces.  It would also probably remove firmware messages and make the initramfs-linux.img smaller.  The PXE clients can only boot from the hardwired ethernet clients for now.
    Doing a mkinitcpio -L doesn't even list the net hook, but mkinitcpio -H net shows the details.
    Last edited by nomorewindows (2013-10-05 12:22:32)

    Lone_Wolf wrote:
    It does look like the hook tries to connect using all autodetected network devices, regardless of number and type of devices.
    While it may be possible to differentiate between wired and wireless devices, that will still give issues if there are multiple wired/wireless devices.
    Maybe a configuration file could be added that specifies which devices nfs should use.
    If there's no config file present in the initramfs, it should just default to all detected devices as it does now.
    Although I haven't tried it this way, it makes sense because that's what it does with the wireless, which just has the unresolvable problem, whereas dual ethernet or more, as long as it satisfies getting an address via dhcp, can probably still boot.  Maybe this is the reason why OpenBSD is still anal about using stateful routines through rarpd and bootparamd.  I've tried to boot OpenBSD under Arch, using rarp, but I guess it doesn't answer satisfactory to OpenBSD's diskless request.  The purpose of stateless is to boot anybody.  Various options can be set in pxelinux.cfg based on MAC address, but maybe these aren't known ahead of time to boot a customized initramfs-linux.img. 
    The real boon was to turn on a dumb-terminal and as soon as it came on, the login prompt was present.  This was probably a function of getty.

  • WARNING POST: New Windows 10 scam will encrypt your files for ransom

    This is not Lenovo specific but a Windows 10 exploit going around hitting upgraders as I read it. Nonetheless it is clear one must be careful in what they run and are downloading during the process. I am not clear where this is coming from (email, website etc) but be very careful, for most it will be a bad experience if you are a victim. http://www.zdnet.com/article/windows-10-scam-email-will-encrypt-your-files-for-ransom/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61 

    Which computer? There is a label on the bottom.
    Try an older version of the driver for your model.
       Touchpad stopped working
    -Jerry

  • Creating API User Hooks for Saudi HRMS

    Dear All,
    I want to create API User hooks for Person Extra Information Type,Any one could help me.
    Thanks and regards,

    If you want to learn how a user hook works, you can check the metalink note 73170.1. Or you can visit the following link.This guy has given the whole content in his blog.
    http://shrigupta.blogspot.com/2010/06/understanding-and-using-api-user-hooks.html
    Hope this helps.

  • Can't mkinitcpio with "nouveau" hook for early start of KMS

    Hello Everyone,
    My first message on this board! But I'm using Arch for two years now.
    I have a problem with KMS:
    I try to start early KMS with the nouveau driver in order to have a nice plymouth-ed boot.
    I followed the wiki : https://wiki.archlinux.org/index.php/No … arly_start
    But mkinitcpio says that there is no hook for "nouveau" in /lib/initcpio/hook...
    I have the last version of xf86-video-nouveau and nouveau-dri.
    Has someone had the same problem?
    How can I manage to make an initramfs with nouveau module?
    Thank you!
    David

    Read the wiki page again. Nouveau is a module, not a hook, and belongs in the MODULES array.
    edit: Note to self: reload before posting.
    Last edited by Stebalien (2011-04-13 13:33:22)
