A simple script to request a key for encrypted volumes on boot using Gammu.

I use this piece of code to supply the keys for my encrypted LVM2 volumes. You need a mobile phone connected to the server (by USB, Bluetooth or RS232) and Gammu configured for it.

Put this in e.g. /etc/init.d/smskey and set up the corresponding run-level links in /etc/rcS.d manually, or use the tools supplied by your distribution (chkconfig, update-rc.d, ...).

#! /bin/sh
### BEGIN INIT INFO
# Provides:          smskey
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev devfsd raid2 mdadm lvm
# Should-Stop:
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup encrypted block devices.
# Description:
### END INIT INFO

# Set this value according to the inbox folder on the phone memory.
# For SonyEricsson it's 3 for example.
# The value can be obtained from the first row of `gammu getsmsfolders`.
FOLDER=3

# Location of gammu binary.
GAMMU=/usr/bin/gammu

# Phone number that receives the key request and sends the reply;
# fill this in before use.
DESTINATION=""

# Gammu binary is not present -> exit
[ ! -x "${GAMMU}" ] && exit

. /lib/lsb/init-functions

case "$1" in
  start)
    log_action_begin_msg "Starting SMS key request "
    # Indicate if we found a SMS containing the key.
    FOUND=0
    # Send SMS to admin (both stdout and stderr of gammu are silenced).
    echo "Reboot" | ${GAMMU} sendsms TEXT "${DESTINATION}" >/dev/null 2>&1
    rm -f /lib/init/rw/smskey-*
    while [ "${FOUND}" = "0" ]; do
      KEYS=$(LC_ALL=C ${GAMMU} geteachsms 2>/dev/null | grep "^KEY:")
      ${GAMMU} deleteallsms ${FOLDER} >/dev/null 2>&1
      if [ -n "${KEYS}" ]; then
        # Each token has the form KEY:<name>:<value>; one FIFO per name.
        for LINE in ${KEYS}; do
          KEYPIPE=/lib/init/rw/smskey-$(echo "${LINE}" | awk -F ':' '{ print $2 }')
          KEYVALUE=$(echo "${LINE}" | awk -F ':' '{ print $3 }')
          [ ! -p "${KEYPIPE}" ] && mkfifo -m 0600 "${KEYPIPE}"
          # The background writer blocks until cryptsetup reads the pipe.
          nohup echo "${KEYVALUE}" >"${KEYPIPE}" &
        done
        FOUND=1
      else
        echo -n "."
        sleep 10
      fi
    done
    echo "Done" | ${GAMMU} sendsms TEXT "${DESTINATION}" >/dev/null 2>&1
    echo -n " "
    log_action_end_msg $?
    ;;
  stop)
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

Remember to set DESTINATION to the number of the mobile on which you want to receive the request for the key. Run /etc/init.d/smskey start to check if it works. You will receive a short message saying "Reboot" (this can be customized in the script). Now reply to this message with the following text: KEY:home:ieShiaz6rieth1paijonuuk3EeJi7joo KEY:data:eexeey1Aic4ohnai8iph1sheiph4que2

The format of each token in the message is KEY:<name>:<key>, where <name> is the volume name used in /etc/crypttab and <key> is the passphrase for that volume.

The script supports more than one key in one reply message; tokens are separated by spaces.

This will supply the keys for two volumes and create the corresponding FIFOs, /lib/init/rw/smskey-home and /lib/init/rw/smskey-data.

They can now be used as key files in /etc/crypttab:

home /dev/md0  /lib/init/rw/smskey-home cipher=serpent-cbc-essiv:sha256
data /dev/sda1 /lib/init/rw/smskey-data cipher=aes-cbc-essiv:sha256

This will create the two decrypted block devices /dev/mapper/home and /dev/mapper/data, which can now be mounted.

Each key is written to its FIFO exactly once and the first reader drains it, so every volume that has to be decrypted needs its own FIFO and its own KEY token in the reply.
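The message parsing and the one-shot FIFO delivery described above, as an added example that is not part of the original smskey script. It reuses the script's KEY:<name>:<key> format and FIFO naming, but adds one check the script lacks: the volume name is accepted only if it is a plain identifier, because the script splices it straight into the FIFO path. The SMS text, the scratch directory and the helper names (parse_keys, deliver_keys, list_fifos, read_key) are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original smskey script): parse the SMS reply
# format "KEY:<name>:<value> KEY:<name>:<value>" and hand each key to its own
# FIFO the way the init script does, but accept only volume names that are
# plain identifiers. A name containing "/" or ".." would otherwise place the
# FIFO outside the key directory; the check below is an addition.

# Constructed stand-in for the text that `gammu geteachsms` prints (real
# output differs per phone). The KEY line carries two good tokens, one with a
# path in the name and one with an empty key; the rest is ordinary SMS noise.
SAMPLE_SMS='Location 1, folder "Inbox"
Number : "+0000000000"
KEY:home:ieShiaz6rieth1paijonuuk3EeJi7joo KEY:data:eexeey1Aic4ohnai8iph1sheiph4que2 KEY:../x:bad KEY:empty:
Location 2, folder "Inbox"
Hello, unrelated message'

# Print "name:value" for every well-formed KEY token. Tokens are separated by
# spaces and fields by ":"; exactly three fields are required, the name must
# match [A-Za-z0-9_-]+ so it is safe as a path component, and the key must
# not be empty.
parse_keys() {
    printf '%s\n' "$1" | grep '^KEY:' | tr ' ' '\n' |
        awk -F ':' 'NF == 3 && $1 == "KEY" && $2 ~ /^[A-Za-z0-9_-]+$/ && $3 != "" {
            print $2 ":" $3
        }'
}

# Create one FIFO per accepted key under $1 and start a background writer for
# it, as the init script does. Each writer blocks until something (normally
# cryptsetup via /etc/crypttab) opens the pipe for reading, delivers the key
# once and exits; the key never touches the disk.
deliver_keys() {
    dir=$1
    set -f   # no pathname expansion while splitting the token list
    for tok in $(parse_keys "$2"); do
        name=${tok%%:*}
        value=${tok#*:}
        pipe="$dir/smskey-$name"
        [ -p "$pipe" ] || mkfifo -m 0600 "$pipe"
        printf '%s\n' "$value" > "$pipe" &
    done
    set +f
}

# Names of the volumes that currently have a FIFO in $1, one per line.
list_fifos() {
    for p in "$1"/smskey-*; do
        if [ -p "$p" ]; then
            echo "${p##*/smskey-}"
        fi
    done
}

# Consume a key from its FIFO exactly once, which is what a reader such as
# cryptsetup does when the pipe is named as the key file.
read_key() {
    cat "$1/smskey-$2"
}

# Stand-alone run: deliver into a scratch directory, show which FIFOs were
# created (the "../x" and "empty" tokens produce none), drain them, clean up.
DEMO_DIR=$(mktemp -d)
deliver_keys "$DEMO_DIR" "$SAMPLE_SMS"
echo "FIFOs created:"
list_fifos "$DEMO_DIR"
for name in $(list_fifos "$DEMO_DIR"); do
    echo "$name: $(read_key "$DEMO_DIR" "$name" | wc -c | tr -d ' ') bytes read"
done
wait
rm -rf "$DEMO_DIR"
```

Every FIFO that is created must eventually be read, otherwise its background writer stays blocked on open(); in the real boot sequence that reader is cryptsetup, so a KEY token for a volume that is not listed in /etc/crypttab leaves a stuck writer behind.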