A simple script to request a key for encrypted volumes on boot using Gammu.
I use this piece of code to supply my keys to my encrypted LVM2 volumes. You need to have a mobile connected to your server (either by USB, Bluetooth or RS232) and have Gammu configured for it.
Put this in e.g. /etc/init.d/smskey and set up the corresponding run-level links in /etc/rcS.d manually, or use the tools supplied by your distribution (chkconfig, update-rc.d, ...).
#! /bin/sh
### BEGIN INIT INFO
# Provides:          smskey
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev devfsd raid2 mdadm lvm
# Should-Stop:
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup encrypted block devices.
# Description:
### END INIT INFO

# Set this value according to the inbox folder on the phone memory.
# For SonyEricsson it's 3 for example.
# The value can be obtained from the first row of `gammu getsmsfolders`.
FOLDER=3
# Location of gammu binary.
GAMMU=/usr/bin/gammu
# Number of the mobile that receives the "Reboot" request and replies with the keys.
DESTINATION=""

# Gammu binary is not present -> exit
[ ! -x ${GAMMU} ] && exit

. /lib/lsb/init-functions

case "$1" in
  start)
    log_action_begin_msg "Starting SMS key request "
    # Indicate if we found a SMS containing the key.
    FOUND=0
    # Send SMS to admin (redirections ordered so that stderr is silenced too).
    echo "Reboot" |${GAMMU} sendsms TEXT ${DESTINATION} >/dev/null 2>&1
    # Remove pipes left over from a previous run.
    rm -f /lib/init/rw/smskey-*
    while [ "${FOUND}" = "0" ]; do
      # Every line of every stored SMS that starts with KEY: is a candidate.
      KEYS=$(LC_ALL=C ${GAMMU} geteachsms 2>/dev/null |grep "^KEY:")
      # Wipe the inbox so the keys do not stay on the phone.
      ${GAMMU} deleteallsms ${FOLDER} >/dev/null 2>&1
      if [ ! -z "${KEYS}" ]; then
        # Lines have the form KEY:<name>:<key>; the for loop splits on
        # whitespace and awk on colons, so neither field may contain either.
        for LINE in ${KEYS}; do
          KEYPIPE=/lib/init/rw/smskey-$(echo ${LINE} |awk -F ':' '{ print $2 }')
          KEYVALUE=$(echo ${LINE} |awk -F ':' '{ print $3 }')
          [ ! -p ${KEYPIPE} ] && mkfifo -m 0600 ${KEYPIPE}
          # The writer blocks until cryptsetup opens the pipe for reading,
          # then exits; the key is handed over exactly once.
          nohup echo ${KEYVALUE} >${KEYPIPE} &
        done
        FOUND=1
      else
        echo -n "."
        sleep 10
      fi
    done
    echo "Done" |${GAMMU} sendsms TEXT ${DESTINATION} >/dev/null 2>&1
    RC=$?
    echo -n " "
    log_action_end_msg ${RC}
    ;;
  stop)
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
Remember to set DESTINATION in the script to the number of the mobile on which you want to receive the request for the key.
Run /etc/init.d/smskey start
to check if it works. You will receive a short message saying "Reboot" (the text can be customized in the script). Now reply to this message with the following text:
KEY:home:ieShiaz6rieth1paijonuuk3EeJi7joo
KEY:data:eexeey1Aic4ohnai8iph1sheiph4que2
Each line of the reply has the format:
KEY:<name>:<key>
where <name> becomes the suffix of the FIFO (/lib/init/rw/smskey-<name>) and <key> is the passphrase for that volume. Neither field may contain spaces or colons, because the script splits on both. The script supports more than one key in one reply message. Note that it does not check who sent the message: any SMS that reaches the phone and contains a line starting with KEY: is used.
This will supply the keys for two volumes and create the corresponding FIFO pipes:
/lib/init/rw/smskey-home
/lib/init/rw/smskey-data
They can now be used as key files in /etc/crypttab:
home /dev/md0  /lib/init/rw/smskey-home cipher=serpent-cbc-essiv:sha256
data /dev/sda1 /lib/init/rw/smskey-data cipher=aes-cbc-essiv:sha256
This will create the two unencrypted block devices which can now be mounted:
/dev/mapper/home
/dev/mapper/data
A FIFO hands its contents to exactly one reader: as soon as cryptsetup has read the key, the background echo exits and nothing is left in the pipe, so each volume to be decrypted needs its own KEY: line and its own pipe. Keep in mind that the key travels as an ordinary SMS, readable by the mobile operator, and sits in the phone's inbox until the script deletes it.
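The following is an added example, not part of the original script or of Gammu. It shows the parsing of KEY:<name>:<key> lines described above together with the checks the init script skips (sender number, name and key syntax, duplicate names), and then hands each key through a one-shot 0600 FIFO exactly as the script does with /lib/init/rw/smskey-<name>, so the "only one read" behaviour can be observed. The layout of the sample gammu output, the admin number, the keys and the function names parse_keys, deliver_key and run_demo are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: validate KEY: lines from
# gammu-style output and deliver each key through a one-shot FIFO.
# ASSUMPTIONS: the output layout below is a constructed approximation of
# `gammu geteachsms`; all phone numbers and keys are made up.

ADMIN_NUMBER="+491700000000"   # constructed: the only sender we trust
TAB=$(printf '\t')

# Constructed sample: one SMS from the admin carrying two keys, then one from
# an unknown sender that tries a path-like name and a duplicate name.
SAMPLE_SMS='Location 1, folder "Inbox", SIM memory, Inbox folder
SMS message
Remote number        : "+491700000000"
Status               : UnRead

KEY:home:ieShiaz6rieth1paijonuuk3EeJi7joo
KEY:data:eexeey1Aic4ohnai8iph1sheiph4que2

Location 2, folder "Inbox", SIM memory, Inbox folder
SMS message
Remote number        : "+491799999999"
Status               : UnRead

KEY:../evil:attackercontrolled
KEY:home:wrongkey
'

# parse_keys ADMIN: read gammu-style output on stdin and print "name key" for
# every accepted KEY: line.  A line is accepted only if the message it belongs
# to came from ADMIN, the name consists of [A-Za-z0-9_-] (so it cannot escape
# the pipe directory), the key is non-empty without spaces, tabs or colons
# (the init script splits on all of them), and the name was not seen before
# (two writers on one FIFO would hand cryptsetup both values glued together).
parse_keys() {
    admin="$1"
    sender=""
    seen=" "
    while IFS= read -r line; do
        case "$line" in
            "Remote number"*)
                sender=${line#*\"}      # drop everything up to the opening quote
                sender=${sender%%\"*}   # drop the closing quote and the rest
                ;;
            KEY:*)
                [ "$sender" = "$admin" ] || continue
                rest=${line#KEY:}
                case "$rest" in *:*) ;; *) continue ;; esac   # need name AND key
                name=${rest%%:*}
                key=${rest#*:}
                case "$name" in ""|*[!A-Za-z0-9_-]*) continue ;; esac
                case "$key" in ""|*:*|*" "*|*"$TAB"*) continue ;; esac
                case "$seen" in *" $name "*) continue ;; esac
                seen="$seen$name "
                printf '%s %s\n' "$name" "$key"
                ;;
        esac
    done
}

# deliver_key DIR NAME KEY: create DIR/smskey-NAME as a 0600 FIFO and start a
# background writer, like the init script.  The writer blocks in open() until
# one reader (cryptsetup via /etc/crypttab) opens the pipe, then exits; after
# that the pipe is empty and a second reader would block forever.
deliver_key() {
    pipe="$1/smskey-$2"
    [ -p "$pipe" ] || mkfifo -m 0600 "$pipe" || return 1
    ( printf '%s\n' "$3" > "$pipe" ) &
}

# run_demo: parse the sample as the admin, deliver the accepted keys into a
# temporary directory and read each pipe back once, printing what the
# consumer receives.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s' "$SAMPLE_SMS" | parse_keys "$ADMIN_NUMBER" |
    while read -r name key; do
        deliver_key "$dir" "$name" "$key" || continue
        printf '%s %s\n' "$name" "$(cat "$dir/smskey-$name")"
    done
    rm -rf "$dir"
}

run_demo
```

Running it prints the two admin keys read back from their pipes; the attacker's lines never reach a FIFO because the sender check fails, and even with the sender check removed the "../evil" name would be rejected by the syntax check. A second cat on one of the pipes would block, which is the single-read property the crypttab setup relies on.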