Comment 0 for bug 133520

Revision history for this message
TJ (tj) wrote : hal: Patch to auto-mount LUKS key-file encrypted volumes

Binary package hint: hal

Feisty + Gnome, gnome-mount

With a LUKS encrypted volume on an external device, when the device is connected gnome-volume-manager calls gnome-mount which prompts for the encrypted volume password.

If the volume is *only* protected by a key-file gnome-mount fails and "sudo cryptsetup luksOpen /dev name --key-file file.key" needed to be run manually.

As a first step to providing full support for key-files I have modified the hal script:

/usr/lib/hal/scripts/linux/hal-luks-setup-linux

I am working on a modification to gnome-mount too so it won't prompt for a password if a valid key-file is available.

Once the patched script is installed, when plugging in a LUKS encrypted volume gnome-mount will *still* ask you for a password but you can type in anything (it will be ignored) and press Enter. gnome-mount will execute the hal script which will check for a key-file and use it if found. If there is no matching key-file the script will try to use the password as before.

If you save the password you typed either for the session, or forever, you won't get the password prompt again unless the key-file isn't found.

I've added functionality at the start of the script to check /etc/crypttab and match it against the argument passed to gnome-mount by gnome-volume-manager, e.g:

     --hal-udi=/org/freedesktop/Hal/devices/volume_uuid_a86ed2d8_4868_4a32_92af_fcce82d0696d

The entry in /etc/crypttab *must* use the UUID in the device column. like this, for the script to work:

# <target name> <source device> <key file> <options>
mobile120 /dev/disk/by-uuid/408e7dbc-1cad-4eff-9a06-1b1f9f60d22a /media/key3/disk.key luks

The script will match the UUID, get the target name and the key-file, and call cryptsetup luksOpen.

----- /usr/lib/hal/scripts/linux/hal-luks-setup-linux -----------------

#!/bin/bash

# Copyright (C) 2005 W. Michael Petullo <email address hidden>
# Copyright (C) 2006 David Zeuthen <email address hidden>
# Copyright (C) 2007 TJ <email address hidden>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2.

CRYPTSETUP=/sbin/cryptsetup

# detect key-file protected volume
LUKS="`grep \"${HAL_PROP_VOLUME_UUID#*_uuid_}\" /etc/crypttab | awk '{print $0}'`"
MAPPER="`echo $LUKS | awk '{print $1}'`"
DEVICE="`echo $LUKS | awk '{print $2}'`"
KEYFILE="`echo $LUKS | awk '{print $3}'`"

# if there is a key-file, attempt to open the LUKS device with it
if [ "x${KEYFILE}" != "x" ]; then
   if ! $CRYPTSETUP luksOpen $DEVICE $MAPPER --key-file $KEYFILE 2> /dev/null; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.SetupPasswordError >&2
    echo "Error setting up $HAL_PROP_BLOCK_DEVICE - bad key-file?" >&2
    exit 1
   fi
else

read PASSWORD

if [ ! -f $CRYPTSETUP ]; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.CryptSetupMissing >&2
    echo Error setting up $HAL_PROP_BLOCK_DEVICE - $CRYPTSETUP not found >&2
    exit 1
fi

if [ -e /dev/mapper/luks_crypto_$HAL_PROP_VOLUME_UUID ]; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.SetupError >&2
    echo $HAL_PROP_BLOCK_DEVICE is already setup? >&2
    exit 1
fi

if ! echo "$PASSWORD" | $CRYPTSETUP luksOpen $HAL_PROP_BLOCK_DEVICE luks_crypto_$HAL_PROP_VOLUME_UUID 2> /dev/null; then
    echo org.freedesktop.Hal.Device.Volume.Crypto.SetupPasswordError >&2
    echo Error setting up $HAL_PROP_BLOCK_DEVICE - bad password? >&2
    exit 1
fi

fi

hal-set-property --udi=$UDI --key="info.callouts.remove" --strlist-pre="hal-luks-remove" > /dev/null 2>&1

exit 0