Tuesday, 3 November 2009

Lua support for TokenTube

The next release of TokenTube is just a few days away and will feature Lua integration. Configurable/editable Lua scripts will be used for things like:

  • LUKS key loading (with predefined implementations for local file loading and also key retrieval via XML-RPC),
  • challenge response for helpdesk-aided key recovery during pre-boot authentication (PBA) and
  • other cool stuff yet to be conceived.

It is also quite possible that the next release will contain support for the current GNOME greeter mechanism (automatic user login on Karmic).

Posted by Jürgen Pabel on 3 November 2009 at 01:42


Comment: Jason at Thu, 18 Feb 3:52 AM

Hi Jürgen, I have a LUKS credential-caching requirement that TokenTube may be able to help me with.

Essentially I have a number of hot-swap LUKS encrypted hard drives that currently require manual passphrase entry on each insertion.

What I'd like is for the passphrase to be entered once at boot time, and then somehow be securely cached for future automated unlocking for each drive inserted, until such time as the machine reboots.

Is this something I could accomplish with TokenTube?

Comment: Juergen Pabel at Thu, 18 Feb 2:04 PM

Jason,

TokenTube doesn't currently support that functionality - but that's not to say that it won't be implemented. Let me think about the technical ramifications for a while and I'll contact you once I've reached a conclusion on this matter.

Jürgen

Comment: Juergen Pabel at Wed, 24 Feb 10:13 PM

Jason,

I've decided not to implement this feature in TokenTube. It just doesn't seem like this should be part of a "core" tokentube version.

My best advice for solving your "problem" is to write a script that gets invoked by udev/hal/devicekit which reads tokentube's keyfile (/etc/tokentube/luks.key) and uses it to cryptsetup the newly plugged in disk drive.

Jürgen

Comment: Jason at Thu, 25 Feb 12:05 AM

Hi Jürgen,
thanks for your response.

We ended up doing something similar.
As we already have scripts for mounting the devices we simply added the LUKS --keyfile=path-to-key option, and pointed to a keyfile that gets decrypted once at boot time.

This keyfile is stored in a tmpfs backed directory so it gets deleted if the machine is rebooted.

cheers,
Jason
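
The approach discussed in the comments above (a udev-invoked script that unlocks a newly inserted LUKS disk from a key file cached on tmpfs), sketched as an added example; it is not code from TokenTube or from either commenter. The key file path, the install path in the udev rule and the function names are assumptions, and the script refuses to use a key file that is a symlink, has the wrong owner, is readable by group/other, or is not on tmpfs.

```shell
#!/bin/sh
# Added example, not TokenTube code. Hypothetical udev rule that would run it:
#   ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/usr/local/sbin/luks-hotplug"
KEYFILE="${KEYFILE:-/run/lukscache/disk.key}"   # assumed path on a tmpfs mount

# Accept the key file only if it is a regular file (not a symlink), owned by
# the expected uid, with no group/other permission bits set.
keyfile_is_safe() {   # $1 = path, $2 = expected owner uid (default 0)
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "${2:-0}" ] || return 1
    case "$(stat -c %a "$1")" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file lives on tmpfs, so the key is gone after a reboot.
on_tmpfs() { [ "$(stat -f -c %T "$1")" = "tmpfs" ]; }

# Build the device-mapper name from the LUKS UUID; anything other than hex
# digits and dashes is rejected so on-disk metadata never shapes a path.
mapping_name() {   # $1 = UUID string
    case "$1" in
        ""|*[!0-9a-fA-F-]*) return 1 ;;
    esac
    printf 'luks-%s\n' "$1"
}

# Unlock one block device with the cached key; non-LUKS devices are skipped.
unlock_device() {   # $1 = device node, e.g. /dev/sdb1
    [ -b "$1" ] || return 1
    cryptsetup isLuks "$1" || return 0
    keyfile_is_safe "$KEYFILE" && on_tmpfs "$KEYFILE" || return 1
    name=$(mapping_name "$(cryptsetup luksUUID "$1")") || return 1
    [ -e "/dev/mapper/$name" ] && return 0   # already unlocked
    cryptsetup open --type luks --key-file "$KEYFILE" "$1" "$name"
}

# udev exports DEVNAME to programs started from a RUN+= rule.
if [ -n "${DEVNAME:-}" ]; then
    unlock_device "$DEVNAME" || logger -t luks-hotplug "unlock failed for $DEVNAME"
fi
```

Anyone who can read the cached key file can unlock every drive that accepts it, so the tmpfs directory itself should be root-only as well.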
