stupidpupil / https-keyscript Goto Github PK

• At some point, OpenSSL changed the default hash from MD5 to SHA256
• Wget's library requirements are different. Perhaps a better approach is required?

wget and curl are comparable, but curl has I nice option: --dns-servers, with which you can specify the dns resolvers. With curl you wouldn't have to configure resolv.conf in initramfs anymore.

The booting mechanism is quiet different on systems like the raspberry pis. The correct time isn't yet set, so the ssl certificates of remote https servers will be invalid.

BusyBox v1.30.1 (Raspbian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # /usr/bin/real_wget https://domain.tld
--1970-01-01 00:01:13--  https://domain.tld/
Resolving domain.tld (domain.tld)... 85.195.238.97
Connecting to domain.tld (domain.tld)|85.195.238.97|:443... connected.
ERROR: The certificate of 'domain.tld' is not trusted.
ERROR: The certificate of 'domain.tld' doesn't have a known issuer.
ERROR: The certificate of 'domain.tld' is not yet activated.
The certificate has not yet been activated

Simple workaround is to add an --no-check-certificate to the wget command in wget_or_ask. A more sophisticated workaround would be setting the correct time in initramfs.

Using Ubuntu Server 16.04 LTS I got stucked at point 4: Every time I enter the command line "busybox sh..." I get the error "sh: bad number", is there something wrong with the regex-expression inside the script ?

root@ubuntu:~# busybox sh /lib/cryptsetup/scripts/wget_or_ask "mypassword:http://www.my-domain.at/encrypted_keyfile" > unencrypted_keyfile
sh: bad number
Getting passphrase remotely failed for . Enter passphrase: **

Adding parameter -x to sh results in:

root@ubuntu:~# busybox sh -x /lib/cryptsetup/scripts/wget_or_ask "mypassword:http://www.my-domain.at/encrypted_keyfile" > unencrypted_keyfile
+ use_keyring=1
+ use_https=1
+ [ -z ]
+ CRYPTTAB_KEY=mypassword:http://www.my-domain.at/encrypted_keyfile
+ sedRegex=^\(.\+\):\(https:\/\/.\+\)$
+ echo mypassword:http://www.my-domain.at/encrypted_keyfile
+ sed -n -e s/^\(.\+\):\(https:\/\/.\+\)$/\1/p
+ openssl_passphrase=
+ echo mypassword:http://www.my-domain.at/encrypted_keyfile+ sed -n -e s/^\(.\+\):\(https:\/\/.\+\)$/\2/p

+ url=
+ keyctl_id=crypttab:mypassword:http://www.my-domain.at/encrypted_keyfile
+ [ -gt 0 ]
sh: bad number
+ [ ! -x /bin/keyctl ]
+ [ -z ]
+ use_https=0
+ use_plymouth=0
+ [ -x /bin/plymouth ]
+ plymouth --ping
+ keyctl_try_fetch
+ [ 1 -eq 0 ]
+ keyctl search @u user crypttab:mypassword:http://www.my-domain.at/encrypted_keyfile
+ kSerial=keyctl_search: Required key not available
+ exitCode=1
+ [ 1 -eq 0 ]
+ [ 1 -ne 1 ]
+ https_try_fetch
+ [ 0 -eq 0 ]
+ return 0
+ askpass Getting passphrase remotely failed for . Enter passphrase:
+ [ ! -z ]
+ [ 0 -eq 1 ]
+ /lib/cryptsetup/askpass Getting passphrase remotely failed for . Enter passphrase: Getting passphrase remotely failed for . Enter passphrase: **

root@ubuntu:~#

• Assumes eth0 as the relevant networking interface (which it won't be on any Ubuntu system at least)
• Assumes DHCP configuration

Looks as though BusyBox is clobbering /usr/bin/wget under Buster.

sorry for some questions about the script, i dont have much experience with codes on github.
First of all i'm not sure about the changes in the crypttab file. Before installing the script this file looked as this:

# old version without https-keyscript sda6_crypt UUID=5ed84861-73f9-4e2a-bf56-359c2142e717 none luks,discard

How to implement step 5? Is it something like this?

# new WITH https-keyscript
sda6_crypt UUID=5ed84861-73f9-4e2a-bf56-359c2142e717 none luks,discard,keyscript=wget_or_ask,initramfs somepassphrase:https://example.org/encrypted_keyfile

Is there something missing before "somepassphrase:...", e.g. a field name like "key file" or something?

Further i have a question about the fall back to ask for a pw if the keyfile is not found. Is the pw "somepassphrase" meant or another pw from another luks keyslot? Must "somepassphrase" be changed to the pw i would like to use or is it a field or option name?

I use the keyscript not on a server, but on my home desktop computer which is connected to the internet by wifi. Is there already on boot up a wifi connection so the script can query by https?

Thanks for helping a beginner :)

Current script returns:

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

Why not using openssl defaults? Ending up with:

decrypted_keyfile=$(echo "$encrypted_keyfile" | openssl enc -base64 -d -salt -k "$openssl_passphrase")

sh expect $CRYPTTAB_TRIED (if [ "$CRYPTTAB_TRIED" -gt 0 ]; then) to be set so the following fails:

busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile

the following works (but without passing by busybox):
CRYPTTAB_TRIED=0 /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile