--- pam_mount-0.48/scripts/mount.crypt 2007-10-20 07:57:03.000000000 -0700
+++ pam_mount-0.48/scripts/mount.crypt.new 2008-02-12 22:27:48.000000000 -0800
@@ -108,6 +108,8 @@
 (hash) HASH="$VAL";;
 (fstype) FSTYPE="$VAL";;
 (fsck) DOFSCK="true";;
+ (sc_key_id) SC_KEY_ID="$VAL";;
+ (sc_key_file) SC_KEY_FILE="$VAL";;
 (keyfile) keyfile="$VAL";;
 (loop)
@@ -149,7 +151,10 @@
 # Check for LUKS
 if cryptsetup isLuks "$DEVICE" 2>/dev/null; then
 LUKS=true;
- if [ -z "$keyfile" ]; then
+ if [ -n "$SC_KEY_ID" ]; then
+ pkcs15-crypt --pkcs1 --decipher -k $SC_KEY_ID --raw -i $SC_KEY_FILE -p - | \
+ cryptsetup luksOpen "$DEVICE" "$DMDEVICE" --key-file /dev/stdin;
+ elif [ -z "$keyfile" ]; then
 cryptsetup luksOpen $luks_ro "$DEVICE" "$DMDEVICE";
 else
 cryptsetup luksOpen $luks_ro -d "$keyfile" "$DEVICE" "$DMDEVICE";
--- pam_mount-0.48/doc/pam_mount.conf.5~ 2008-09-11 04:07:28.000000000 +0200
+++ pam_mount-0.48/doc/pam_mount.conf.5 2008-09-14 04:03:45.000000000 +0200
@@ -402,6 +402,21 @@
 .PP
 <volume path="/home/%(USER).img" mountpoint="~" options="cipher-fskeycipher="aes\-256\-cbc" fskeypath="/etc/ehd/%(USER)" />
+.PP
+dm_crypt with smart card support example (need to have opensc installed and configured
+and with pkcs15-crypt supporting reading PIN from <stdin>):
+.PP
+volume user crypt - /dev/sda2 /home/user sc_key_id=45,sc_key_file=/etc/cryptsetup.key - -
+.PP
+.PP
+where:
+.PP
+sc_key_id: ID of the private key stored in the smart card which will decrypt the key file
+sc_key_file: file which contains the filesystem key. This file is encrypted with the public key associated with the private sc_key_id
+.PP
+sample command to encrypt cryptsetup.clear into cryptsetup.key with the smart card using key id 45:
+openssl rsautl -in cryptsetup.clear -out cryptsetup.key -engine pkcs11 -keyform engine \
+ -encrypt -inkey 45 -pubin
 .SS cryptoloop volumes
 .PP
 cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled.
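Review bot: In the new smart-card branch of the second mount.crypt hunk, `$SC_KEY_ID` and `$SC_KEY_FILE` are expanded unquoted, while the neighbouring luksOpen calls quote `"$keyfile"`; both values come straight from the volume's option string (`$VAL` in the first hunk), so a value containing whitespace or a glob character is split or expanded before it reaches pkcs15-crypt. The branch also drops `$luks_ro`, so a read-only mount request is silently ignored when a smart card is used, unlike the two existing branches. I would write `pkcs15-crypt --pkcs1 --decipher -k "$SC_KEY_ID" --raw -i "$SC_KEY_FILE" -p - | \` followed by `cryptsetup luksOpen $luks_ro "$DEVICE" "$DMDEVICE" --key-file /dev/stdin;`. A failed decipher (wrong PIN, card absent, missing sc_key_file) is also not detected: the pipeline's status is cryptsetup's, which then reads an empty key from stdin and fails with a less useful error, so checking `${PIPESTATUS[0]}` if the script runs under bash, or deciphering into a mktemp file that is removed on exit and passing that with `-d`, would make the failure explicit. The enclosing `if cryptsetup isLuks` block closes outside the hunk.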