ssh-agent and cryptsetup
The subject kinda says it all. I've been hunting around for an
automated solution to backing up my encrypted home directory to a remote
server through ssh. Obviously, the backup is also an encrypted volume.

Is there an existing solution to getting cryptsetup to use ssh-agent
for the volume key?

The end result would put my ssh private key on a thumbdrive (password
protected). Logging in would decrypt local homedir, and rsync with
remote encrypted homedir. Logging out would rsync push changes up to
remote encrypted home dir and tear down all encrypted volumes and
ssh-agent.

So far, I've found the articles on encrypted home dirs with dm-crypt,
using a thumbdrive to hold the key (various solutions), pam-ssh to
automatically fire up ssh-agent using the private key password to log in
(limited success with that). But nothing regarding using ssh-agent to
decrypt a volume.

Any ideas?

Jason.
--
gentoo-security@gentoo.org mailing list
Re: ssh-agent and cryptsetup
On Wed, Jul 12, 2006 at 09:22:13AM -0400, Jason wrote:
> The subject kinda says it all. I've been hunting around for an
> automated solution to backing up my encrypted home directory to a remote
> server through ssh. Obviously, the backup is also an encrypted volume.
[...]

Have you considered backing up the block device that underlies your
encrypted volume instead of trying to back up the files on the
filesystem? You don't need to decrypt and re-encrypt it in that case;
you just back up the raw (encrypted) block device using rsync (over
ssh, just to provide secure authentication). If the block device
happens to be managed by LVM, you can use LVM's snapshot feature to
get a consistent image of the device. Otherwise, you'd have to make
sure the filesystem is unmounted or mounted read-only during the
backup.

--
Randall
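An added example of the raw-device approach described above (not code from the thread): an LVM snapshot of the still-mounted encrypted volume is pushed with rsync over ssh, so only ciphertext ever leaves the laptop. Volume group, logical volume, remote host and path are assumed names; DRYRUN=1 prints the commands instead of running them, since the real run needs root.

```shell
#!/bin/sh
# Added example (not from the thread): back up the encrypted block device that
# backs a dm-crypt home volume, using an LVM snapshot so the image is consistent
# while the filesystem stays mounted. Nothing is decrypted locally, so the
# remote host only ever stores ciphertext. Assumed names: VG "vg0", LV
# "home_crypt", remote "backup@backup.example". DRYRUN=1 prints the commands
# instead of running them (the real run needs root and lvm2/rsync/ssh).
set -eu

VG=${VG:-vg0}
LV=${LV:-home_crypt}
SNAP="${LV}_snap"
SNAP_SIZE=${SNAP_SIZE:-2G}      # copy-on-write space for writes made during the backup
REMOTE=${REMOTE:-backup@backup.example}
DEST=${DEST:-/srv/backup/home_crypt.img}

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

backup_raw_volume() {
    run lvcreate --snapshot --size "$SNAP_SIZE" --name "$SNAP" "/dev/$VG/$LV"
    rc=0
    # --copy-devices lets rsync read a block device as if it were a file
    # (in recent rsync; older builds need the copy-devices patch);
    # --inplace updates the remote image block by block instead of rewriting it.
    run rsync --copy-devices --inplace -e 'ssh -o BatchMode=yes' \
        "/dev/$VG/$SNAP" "$REMOTE:$DEST" || rc=$?
    # drop the snapshot even if rsync failed, or it keeps filling with COW data
    run lvremove -f "/dev/$VG/$SNAP" || rc=$?
    return "$rc"
}

case "${1:-}" in run) backup_raw_volume ;; esac
```

Run it as `DRYRUN=1 sh backup-raw.sh run` first to review the exact commands; the snapshot size only has to cover the writes that happen while rsync is reading.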
Re: ssh-agent and cryptsetup
Randall Nortman (gentoolists@wonderclown.com) wrote:
> On Wed, Jul 12, 2006 at 09:22:13AM -0400, Jason wrote:
> > The subject kinda says it all. I've been hunting around for an
> > automated solution to backing up my encrypted home directory to a remote
> > server through ssh. Obviously, the backup is also an encrypted volume.
>
> Have you considered backing up the block device that underlies your
> encrypted volume instead of trying to back up the files on the
> filesystem? You don't need to decrypt and re-encrypt it in that case;
> you just back up the raw (encrypted) block device using rsync (over
> ssh, just to provide secure authentication). If the block device
> happens to be managed by LVM, you can use LVM's snapshot feature to
> get a consistent image of the device. Otherwise, you'd have to make
> sure the filesystem is unmounted or mounted read-only during the
> backup.

I'd considered that; unfortunately, three issues arose. One, I've
earmarked 20 GB for my encrypted homedir for plenty of growth. It's
currently over 4 GB of stuff I actually want there. Two, even if I
shrink it, I can't assume I'll always have a fat pipe from my laptop.
And three, I want user login to still be as quick and transparent as
possible. Since very little changes in my homedir from one login to the
next, rsyncing the data inside makes much more sense.

I'm currently looking at the openssh API to ssh-agent and once I have
that figured out I'll take a look at wedging it into cryptsetup. Not
sure from a crypto perspective if that approach is tight, but I'll carry
on till I'm told otherwise. :)

Jason.
Re: ssh-agent and cryptsetup
Can't you use rsync on the raw encrypted volume since linux disk
encryption is block-based?

My understanding is that rsync also works equally well for syncing a
single large file where little of it has changed.

Just an idea,

-Alex

On Wed, 12 Jul 2006, Jason wrote:

> Randall Nortman (gentoolists@wonderclown.com) wrote:
>
> I'd considered that, unfortunately, three issues arose. One, I've
> earmarked 20 GB for my encrypted homedir for plenty of growth. It's
> currently over 4 GB of stuff I actually want there. Two, even if I
> shrink it, I can't assume I'll always have a fat pipe from my laptop.
> And three, I want user login to still be as quick and transparent as
> possible. Since very little changes in my homedir from one login to the
> next, rsyncing the data inside makes much more sense.
>
> I'm currently looking at the openssh API to ssh-agent and once I have
> that figured out I'll take a look at wedging it into cryptsetup. Not
> sure from a crypto perspective if that approach is tight, but I'll carry
> on till I'm told otherwise. :)
>
> Jason.
> --
> gentoo-security@gentoo.org mailing list
>
>
Re: ssh-agent and cryptsetup
Hi,

it would also be possible to write a script which mounts the encrypted devices
before rsync starts and unmounts them afterwards. The whole backup logic could be
put in there too. This would lead to an automatism which minimizes your work.

cu,
Ronny

On Wednesday, 12 July 2006 15:22, Jason wrote:
> The subject kinda says it all. I've been hunting around for an
> automated solution to backing up my encrypted home directory to a remote
> server through ssh. Obviously, the backup is also an encrypted volume.
>
> Is there an existing solution to getting cryptsetup to use ssh-agent
> for the volume key?
>
> The end result would put my ssh private key on a thumbdrive (password
> protected). Logging in would decrypt local homedir, and rsync with
> remote encrypted homedir. Logging out would rsync push changes up to
> remote encrypted home dir and tear down all encrypted volumes and
> ssh-agent.
>
> So far, I've found the articles on encrypted home dirs with dm-crypt,
> using a thumbdrive to hold the key (various solutions), pam-ssh to
> automatically fire up ssh-agent using the private key password to log in
> (limited success with that). But nothing regarding using ssh-agent to
> decrypt a volume.
>
> Any ideas?
>
> Jason.
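An added example of the wrapper script Ronny suggests (not code from the thread): it opens the LUKS container, mounts it read-only, rsyncs the files to the remote host using whatever key the running ssh-agent holds, and tears the mapping down again even when rsync fails. Device, mapping name, mount point and remote path are assumed; DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the backup in one script that opens
# the encrypted home, rsyncs the files it contains to the remote host, then
# unmounts and closes the mapping, whether or not rsync succeeded.
# Assumed names: LUKS container /dev/sdb1 mapped as "home", mount point
# /mnt/home, remote "backup@backup.example:/srv/backup/home/". Authentication
# uses the key already loaded in ssh-agent; BatchMode stops ssh from prompting.
# DRYRUN=1 prints the commands instead of running them (the real run needs root).
set -eu

CRYPT_DEV=${CRYPT_DEV:-/dev/sdb1}
MAPNAME=${MAPNAME:-home}
MNT=${MNT:-/mnt/home}
REMOTE=${REMOTE:-backup@backup.example:/srv/backup/home/}

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to start unless the agent actually holds a key; otherwise rsync would
# fail half way with the volume already open. (ssh-add -l exits non-zero when
# no agent is reachable or it holds no identities.)
agent_has_key() {
    if [ "${DRYRUN:-0}" = 1 ]; then return 0; fi
    ssh-add -l >/dev/null 2>&1
}

backup_home() {
    agent_has_key || { echo "no key loaded in ssh-agent" >&2; return 1; }
    run cryptsetup luksOpen "$CRYPT_DEV" "$MAPNAME"
    run mount -o ro "/dev/mapper/$MAPNAME" "$MNT"   # a backup must not write to the source
    rc=0
    # -a keeps ownership and modes, --delete mirrors removals, --exclude skips caches
    run rsync -a --delete --exclude '.cache/' \
        -e 'ssh -o BatchMode=yes' "$MNT/" "$REMOTE" || rc=$?
    # teardown always runs; its own failures are folded into the exit status
    run umount "$MNT" || rc=$?
    run cryptsetup luksClose "$MAPNAME" || rc=$?
    return "$rc"
}

case "${1:-}" in run) backup_home ;; esac
```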