--- pam_mount-0.10.0/config/pam_mount.conf~ 2005-11-17 18:29:49.000000000 -0200
+++ pam_mount-0.10.0/config/pam_mount.conf 2005-12-09 10:40:44.000000000 -0200
@@ -140,6 +140,23 @@
 # volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
+#
+# dm_crypt with smart card support example (need to have opensc installed and configured
+# and with pkcs15-crypt supporting reading PIN from <stdin>):
+# volume user crypt - /dev/sda2 /home/user sc_key_id=45,sc_key_file=/etc/cryptsetup.key - -
+#
+# where:
+# sc_key_id: ID of the private key stored in the smart card which will
+# decrypt the key file
+# sc_key_file: file which contains the filesystem key. This file is encrypted with the
+# public key associated with the private sc_key_id
+#
+# sample command to encrypt cryptsetup.clear into cryptsetup.key with the smart card
+# using key id 45:
+# openssl rsautl -in cryptsetup.clear -out cryptsetup.key -engine pkcs11 -keyform engine \
+# -encrypt -inkey 45 -pubin
+#
+
 # cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled.
 # cryptoloop mounts must be in the global config /etc/security/pam_mount.conf
 # Linux encrypted home directory examples, using cryptoloop:
--- pam_mount-0.10.0/scripts/mount.crypt.orig 2005-12-09 10:35:03.000000000 -0200
+++ pam_mount-0.10.0/scripts/mount.crypt 2005-12-09 10:35:27.000000000 -0200
@@ -30,6 +30,7 @@
 CRYPTSETUP=/sbin/cryptsetup
 MOUNT=/bin/mount
 FSCK="/sbin/fsck";
+PKCS15_CRYPT=/usr/bin/pkcs15-crypt
 OPTIONS=""
 FSTYPE="";
@@ -117,6 +118,12 @@
 fsck)
 DOFSCK=true;
 ;;
+sc_key_id)
+SC_KEY_ID="$VAL"
+;;
+sc_key_file)
+SC_KEY_FILE="$VAL"
+;;
 * )
 if [ -z "$MOUNTOPTIONS" ]; then
 MOUNTOPTIONS="$opt"
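Review bot: SC_KEY_ID and SC_KEY_FILE are assigned only in the new `sc_key_id)` and `sc_key_file)` arms and are never initialised, so for a volume that does not use these options the `[ -n "$SC_KEY_ID" ]` test in the luksOpen hunk sees whatever the calling environment happened to export under that name and can divert luksOpen to the smart-card path, or hand pkcs15-crypt an unexpected key file, without the config asking for it. Initialising both next to the new `PKCS15_CRYPT=/usr/bin/pkcs15-crypt` assignment in the previous hunk, `SC_KEY_ID=""` and `SC_KEY_FILE=""`, removes that dependency on the environment. The case statement these arms belong to starts before the hunk.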
@@ -146,7 +153,12 @@
 # Check for LUKS
 if "$CRYPTSETUP" isLuks "$DEVICE" 2>/dev/null; then
 LUKS=true;
-"$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE";
+if [ -n "$SC_KEY_ID" ]; then
+$PKCS15_CRYPT --pkcs1 --decipher -k $SC_KEY_ID --raw -i $SC_KEY_FILE -p - | \
+"$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE" --key-file /dev/stdin;
+else
+"$CRYPTSETUP" luksOpen "$DEVICE" "$DMDEVICE"
+fi
 else
 LUKS=false;
 "$CRYPTSETUP" -c "${CIPHER:-aes}" -h "${HASH:-ripemd160}" \
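Review bot: The new pkcs15-crypt invocation leaves `$PKCS15_CRYPT`, `$SC_KEY_ID` and `$SC_KEY_FILE` unquoted, unlike `"$CRYPTSETUP"`, `"$DEVICE"` and `"$DMDEVICE"` on the neighbouring lines, so an `sc_key_file` path taken from the config line that contains whitespace or glob characters is split or expanded before pkcs15-crypt sees it; write it as `"$PKCS15_CRYPT" --pkcs1 --decipher -k "$SC_KEY_ID" --raw -i "$SC_KEY_FILE" -p - | \`. The pipeline also reports only cryptsetup's exit status, so a failed decipher (no card, wrong PIN, unreadable key file) surfaces as luksOpen rejecting the empty key it read from /dev/stdin rather than as the pkcs15-crypt error, which makes such failures hard to diagnose from the mount log. A guard such as `[ -x "$PKCS15_CRYPT" ] || exit 1` before the pipeline at least catches the missing-opensc case the config comment warns about, and if the installed cryptsetup accepts `--key-file -` that form avoids depending on /dev/stdin being present in the mount environment. The else branch of the isLuks test continues past the hunk.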