tresor-scripts is a bundle of helper scripts for convenient handling of luks-encrypted partitions (in particular on external media), written for Debian systems. It lets you use several luks-encrypted partitions on one system while typing a passphrase only once, at startup.
It is free, home-built software without any warranty. You can download it here.
Feedback is welcome.
To install tresor-scripts use
# dpkg -i tresor-scripts_..._all.deb
The package grml-scanpartitions is required. You can get it from the Debian package repository of grml.org or from the download section of this page.
The easiest way to configure tresor-scripts for further use is to open all luks-partitions and mount them at the positions in the directory tree where you want to find them in future. Then run
# tresor-init [path_to_keyfiles (default: /var/.keyfiles)]
to build /etc/crypttab-extra for further use. Make sure that the keyfile directory lies on a partition that is itself luks-encrypted (and opened at boot via /etc/crypttab): a keyfile stored in the clear is equivalent to the passphrase of every partition it unlocks, so the security of all keyfile-unlocked partitions is reduced to that of the partition holding the keyfiles.
If you don't want to use keyfiles, edit /etc/crypttab-extra by hand and put none in the keyfile column; you will then be asked for the passphrase of that partition when it is opened.
See also the example at the bottom of this page.
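As an added example (not code from tresor-scripts), the following POSIX sh script does by hand, for one partition, what tresor-init automates: it checks that the keyfile directory sits on a dm-crypt mapping, creates a random keyfile readable only by root, and enrols it in a free luks key slot. The 4096-byte keyfile size, mode 0600, the use of findmnt(8) and the /dev/disk/by-uuid device path are assumptions of this example, not documented behaviour of tresor-init.

```shell
#!/bin/sh
# Added example, not part of tresor-scripts: provision a luks keyfile by hand,
# roughly what tresor-init automates for each partition. Assumptions (not from
# the page): keyfiles are 4096 random bytes, mode 0600, and are enrolled with
# "cryptsetup luksAddKey" against /dev/disk/by-uuid/<uuid>.
set -eu

KEYDIR="${KEYDIR:-/var/.keyfiles}"

# Returns 0 if a mount source looks like a dm-crypt mapping (/dev/mapper/NAME
# or /dev/dm-N), 1 otherwise. Pure string check, so it can be exercised
# without root or real devices.
source_is_dmcrypt() {
    case "$1" in
        /dev/mapper/*|/dev/dm-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse a keyfile directory whose backing filesystem is not a dm-crypt mapping:
# a keyfile on a plaintext partition is as good as the passphrase it replaces.
# findmnt(8) from util-linux resolves the mount containing the directory.
check_keydir() {
    dir="$1"
    src=$(findmnt -n -o SOURCE --target "$dir") || {
        echo "cannot resolve the mount that contains $dir" >&2; return 1; }
    if ! source_is_dmcrypt "$src"; then
        echo "refusing: $dir is on $src, which is not an encrypted mapping" >&2
        return 1
    fi
}

# Create a keyfile of $2 random bytes (default 4096) at $1, readable by root
# only. umask is set first so the file never exists with wider permissions.
make_keyfile() {
    keyfile="$1"; size="${2:-4096}"
    ( umask 077 && head -c "$size" /dev/urandom > "$keyfile" )
    chmod 600 "$keyfile"
}

# Enrol the keyfile into a free luks key slot of the partition with UUID $1.
# cryptsetup asks for an existing passphrase of that partition; that passphrase
# stays valid, so the partition can still be opened by hand without the keyfile.
enroll_keyfile() {
    uuid="$1"; keyfile="$2"
    cryptsetup luksAddKey "/dev/disk/by-uuid/$uuid" "$keyfile"
}

# Usage (as root): provision.sh <cryptodevicename> <uuid>
# Prints the line to append to /etc/crypttab-extra (mountpoint assumed /mnt/<name>).
if [ "$#" -eq 2 ]; then
    name="$1"; uuid="$2"
    mkdir -p -m 700 "$KEYDIR"
    check_keydir "$KEYDIR"
    make_keyfile "$KEYDIR/$name.key"
    enroll_keyfile "$uuid" "$KEYDIR/$name.key"
    echo "$name $uuid $KEYDIR/$name.key /mnt/$name"
fi
```

Because the keyfile is only readable by root and lives under a directory that the script refuses to populate unless it is on an encrypted mapping, the passphrase typed for /var at boot remains the single secret that protects all keyfile-unlocked partitions.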
The tresor-scripts-package contains:
tresor [cryptodevicename (default: tresor)]
opens and mounts the device with cryptodevicename according to /etc/crypttab-extra
untresor [cryptodevicename (default: tresor)]
unmounts and closes the dm-crypt device named cryptodevicename
tresor-all
opens and mounts all devices according to /etc/crypttab-extra
untresor-all
unmounts and closes all dm-crypt devices that are no longer in use
tresor-init [path_to_keyfiles (default:/var/.keyfiles)]
generates /etc/crypttab-extra file for all luks-encrypted partitions that could be found on the running system and that are not already configured via /etc/crypttab or /etc/crypttab-extra
scancryptopartitions
prints a table of all open luks-encrypted devices with their cryptodevicename and mountpoint
This package installs and activates a System V style init script that runs tresor-all at boot, with sequence number S65.
THANKS to sigi for testing the scripts.
If you put
# <cryptodevicename> <uuid> <keyfile> <mountpoint>
tresor 521b90d0-2aaf-4b50-9423-83e1af453ea1 /var/.keyfiles/tresor.key /mnt/tresor
mobil1 580e94ef-8dbc-44f8-8caa-15aed65ea4d3 /var/.keyfiles/mobil1.key /mnt/mobil1
mobil2 8d3ee87a-db3d-4f3b-8293-c5e4d0efab41 /var/.keyfiles/mobil2.key /mnt/mobil2
mobil3 098e1daf-870d-46e7-8895-d267ea32aa12 /var/.keyfiles/mobil3.key /mnt/mobil3
usb 0a8ecf95-d27a-4f2a-a674-83654ab64bb0 none /media/usbdisk
in /etc/crypttab-extra, the tresor scripts try to luksOpen the partition with the
uuid 521b90d0-2aaf-4b50-9423-83e1af453ea1 using the keyfile /var/.keyfiles/tresor.key and mount it
at /mnt/tresor. In this example tresor could refer to a local data partition and mobil1,
mobil2 and mobil3 to partitions on an external hard disk. No keyfile exists for usb, so
whenever that partition is connected you must enter its passphrase. Apart from the last
line, this /etc/crypttab-extra was produced by tresor-init, which also generated the keyfiles. If
you need the uuids of your partitions, use the blkid command.
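As an added example (not tresor-scripts' own code), here is a minimal sh re-implementation of what tresor-all has to do with the table above: parse the four columns, look the partition up by uuid, open it with the keyfile or let cryptsetup prompt when the keyfile column says none, skip entries whose device is not plugged in, and mount it. The by-uuid lookup, the skipping of absent devices and the refusal to proceed with an unreadable keyfile are this example's choices, not documented behaviour of tresor-all; the embedded sample table is the one from this page.

```shell
#!/bin/sh
# Added example, not part of tresor-scripts: a small re-implementation of the
# tresor-all logic, to make the meaning of each /etc/crypttab-extra column
# explicit. Column layout (name uuid keyfile mountpoint, "#" comments) is the
# one shown on the page; device lookup and error handling are assumptions.
set -eu

# The page's own example table, embedded here as sample input for --demo.
sample_crypttab_extra() {
    cat <<'EOF'
# <cryptodevicename> <uuid> <keyfile> <mountpoint>
tresor 521b90d0-2aaf-4b50-9423-83e1af453ea1 /var/.keyfiles/tresor.key /mnt/tresor
mobil1 580e94ef-8dbc-44f8-8caa-15aed65ea4d3 /var/.keyfiles/mobil1.key /mnt/mobil1
mobil2 8d3ee87a-db3d-4f3b-8293-c5e4d0efab41 /var/.keyfiles/mobil2.key /mnt/mobil2
mobil3 098e1daf-870d-46e7-8895-d267ea32aa12 /var/.keyfiles/mobil3.key /mnt/mobil3
usb 0a8ecf95-d27a-4f2a-a674-83654ab64bb0 none /media/usbdisk
EOF
}

# Read crypttab-extra lines on stdin and emit "name uuid keyfile mountpoint"
# for every data line, dropping comments, blank lines and entries with fewer
# than four columns (extra columns are ignored).
parse_crypttab_extra() {
    while read -r name uuid keyfile mnt rest; do
        case "$name" in ''|'#'*) continue ;; esac
        [ -n "$mnt" ] || { echo "skipping malformed entry: $name" >&2; continue; }
        printf '%s %s %s %s\n' "$name" "$uuid" "$keyfile" "$mnt"
    done
}

# The cryptsetup command for one entry. "none" means no keyfile, so cryptsetup
# prompts for the passphrase on the console (what the page describes for usb).
luksopen_cmd() {
    name="$1"; uuid="$2"; keyfile="$3"
    if [ "$keyfile" = none ]; then
        printf 'cryptsetup luksOpen /dev/disk/by-uuid/%s %s\n' "$uuid" "$name"
    else
        printf 'cryptsetup luksOpen --key-file %s /dev/disk/by-uuid/%s %s\n' \
            "$keyfile" "$uuid" "$name"
    fi
}

# Open and mount one entry. External media may be absent, so a missing
# /dev/disk/by-uuid link is not an error. A keyfile that is configured but not
# readable (e.g. /var not yet open) is an error rather than a silent prompt.
tresor_open() {
    name="$1"; uuid="$2"; keyfile="$3"; mnt="$4"
    dev="/dev/disk/by-uuid/$uuid"
    [ -e "$dev" ] || { echo "$name: $dev not present, skipping" >&2; return 0; }
    if [ -e "/dev/mapper/$name" ]; then
        echo "$name: already open" >&2
    elif [ "$keyfile" = none ]; then
        cryptsetup luksOpen "$dev" "$name"
    elif [ -r "$keyfile" ]; then
        cryptsetup luksOpen --key-file "$keyfile" "$dev" "$name"
    else
        echo "$name: keyfile $keyfile unreadable (is its partition open?)" >&2
        return 1
    fi
    mountpoint -q "$mnt" || mount "/dev/mapper/$name" "$mnt"
}

# Usage: tresor-all.sh --demo        print the commands for the sample table
#        tresor-all.sh --run [file]  open and mount everything (root required)
case "${1:-}" in
    --demo)
        sample_crypttab_extra | parse_crypttab_extra | while read -r n u k m; do
            luksopen_cmd "$n" "$u" "$k"
            printf 'mount /dev/mapper/%s %s\n' "$n" "$m"
        done ;;
    --run)
        parse_crypttab_extra < "${2:-/etc/crypttab-extra}" | while read -r n u k m; do
            tresor_open "$n" "$u" "$k" "$m"
        done ;;
esac
```

Running it with --demo shows that the four keyfile entries are opened non-interactively while usb produces a plain luksOpen that will stop at a passphrase prompt; on a headless boot that prompt is exactly why entries without a keyfile only make sense for media you attach by hand.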
Of course, in this example /var/.keyfiles must lie on an encrypted partition, and that partition must already be open and mounted when the init script runs tresor-all. You can arrange this with /etc/crypttab and /etc/fstab, which are processed early in the boot sequence and ask for the passphrase of /var once. For this example /etc/crypttab contains the line
var /dev/hda1 none luks
and /etc/fstab
/dev/mapper/var /var ext3 defaults 0 2