{ "info": { "author": "Peter Odding", "author_email": "peter@peterodding.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Environment :: Console", "Intended Audience :: Information Technology", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.4", "Topic :: Security :: Cryptography", "Topic :: System :: Filesystems", "Topic :: System :: Systems Administration", "Topic :: Terminals", "Topic :: Utilities" ], "description": "crypto-drive-manager: Unlock all your encrypted drives with one pass phrase\n---------------------------------------------------------------------------\n\nThe ``crypto-drive-manager`` program allows you to safely, quickly and\nconveniently unlock an unlimited number of `LUKS encrypted devices`_ using a\nsingle pass phrase. You can think of it as a `key pass`_ for LUKS encrypted\ndevices. It works by creating a small (10 MB) encrypted file system inside a\nregular file (using a `loop device`_) and storing key files for the encrypted\ndevices of your choosing inside this encrypted file system. Each time you run\nthe program it temporarily unlocks the 10 MB encrypted file system and uses the\nkey files to unlock and mount encrypted devices that are present and not\nalready unlocked.\n\n.. contents::\n :local:\n\nInstallation\n------------\n\nThe `crypto-drive-manager` program is written in Python and is available on\nPyPI_ which means installation should be as simple as::\n\n $ pip install crypto-drive-manager\n\nThere's actually a multitude of ways to install Python packages (e.g. the `per\nuser site-packages directory`_, `virtual environments`_ or just installing\nsystem wide) and I have no intention of getting into that discussion here, so\nif this intimidates you then read up on your options before returning to these\ninstructions ;-).\n\nConfiguration\n-------------\n\nThe `crypto-drive-manager` program doesn't have a configuration file because\nit looks at your system configuration to infer what it should do. You need to\ncreate or change ``/etc/crypttab`` in order to enable `crypto-drive-manager`.\nAs an example here's my ``/etc/crypttab`` file::\n\n # \n internal-hdd UUID=626f4560-cf80-4ed9-b211-ac263b41ca67 none luks\n media-files UUID=6d413429-f8d1-4d8e-8a3a-075603b8efdd /mnt/keys/media-files.key luks,noauto\n mirror3 UUID=978d7a3a-c902-43e6-aa71-5654d406c247 /mnt/keys/mirror3.key luks,noauto\n mirror4 UUID=7a48e547-1dfa-4c6a-96e9-05842c87465d /mnt/keys/mirror4.key luks,noauto\n mirror5 UUID=ac6aa22a-0c32-4bd9-829a-75316177affb /mnt/keys/mirror5.key luks,noauto\n mirror6 UUID=00474636-6d6e-4ecc-a7d6-21b42d850ac6 /mnt/keys/mirror6.key luks,noauto\n mirror7 UUID=ec56dc10-1086-4f2b-808c-88995cb8b513 /mnt/keys/mirror7.key luks,noauto\n\nYou can see why I don't want to manage all of these encrypted devices manually\nby entering pass phrases for each of them :-). Even though my root device\n(``internal-hdd``) is also encrypted, storing key files to unlock my encrypted\ndevices on my root device doesn't feel right because the key files will be\nexposed at all times.\n\nYou tell `crypto-drive-manager` to manage an encrypted device by setting the\nkey file (the third field in ``/etc/crypttab``) to a file located under the\nmount point used by `crypto-drive-manager` ( ``/mnt/keys`` by default). Every\ntime you run `crypto-drive-manager` it parses ``/etc/crypttab`` to find and\nunlock managed devices. The ``UUID=...`` definition in ``/etc/crypttab`` is\nused to check if the physical device exists in ``/dev/disk/by-uuid``. Because\nof this a source device definition with a ``UUID=...`` value is required.\n\nEach physical device that exists is initialized, unlocked and mounted. Device\ninitialization happens when the key file for the encrypted device doesn't exist\nyet: The key file is created with 4 KB of random bytes and installed as a key\non the encrypted device.\n\nThe end result is a program that requires a single pass phrase to unlock a\nvirtual keys device containing key files used to unlock a group of encrypted\ndevices. Once the encrypted devices have been unlocked the virtual keys device\nis unmounted and the keys are no longer available (except in memory, which\ncannot be avoided to the best of my knowledge).\n\nUsage\n-----\n\n.. A DRY solution to avoid duplication of the `crypto-drive-manager --help' text:\n..\n.. [[[cog\n.. from humanfriendly.usage import inject_usage\n.. inject_usage('crypto_drive_manager.cli')\n.. ]]]\n\n**Usage:** `crypto-drive-manager [OPTIONS] [NAME, ..]`\n\nSafely, quickly and conveniently unlock an unlimited number of LUKS encrypted\ndevices using a single pass phrase.\n\nBy default all entries in /etc/crypttab that reference a key file located under\nthe mount point of the encrypted disk with key files are unlocked (as needed).\nTo unlock a subset of the configured devices you can pass one or more ``NAME``\narguments that match mapper name(s) configured in /etc/crypttab.\n\n**Supported options:**\n\n.. csv-table::\n :header: Option, Description\n :widths: 30, 70\n\n\n \"``-i``, ``--image-file=PATH``\",\"Set the pathname of the file that contains the encrypted disk image with\n key files (defaults to '/root/encryption-keys.img').\"\n \"``-n``, ``--mapper-name=NAME``\",\"Set the mapper device name for the encrypted disk with key files so that\n the device for the drive with key files will be created as\n '/dev/mapper/NAME' (defaults to 'encryption-keys').\"\n \"``-m``, ``--mount-point=PATH``\",\"Set the pathname of the mount point for the encrypted disk with key files\n (defaults to '/mnt/keys').\"\n ``--install-systemd-workaround``,\"Replace the systemd-cryptsetup-generator program with a wrapper that\n removes the 'RequiresMountsFor' option from the generated configuration\n files at /var/run/systemd/generator/\\*.service.\n\n Refer to the readme for more details about how this works.\"\n \"``-v``, ``--verbose``\",Increase logging verbosity (can be repeated).\n \"``-q``, ``--quiet``\",Decrease logging verbosity (can be repeated).\n \"``-h``, ``--help``\",Show this message and exit.\n\n.. [[[end]]]\n\nProblems\n--------\n\nWhen I upgraded my personal server to Ubuntu 16.04 and rebooted the system I\nwas immediately bitten by `systemd issue #3816`_: When any of the encrypted\ndrives managed by `crypto-drive-manager` are affected by this issue then\nunmounting of the keys device will cause systemd to immediately unmount and\nlock those encrypted drives.\n\nMy initial workaround for this issue (released in crypto-drive-manager 2.0) was\nto simply leave the virtual keys device unlocked and mounted, but of course\nthis went straight against how `crypto-drive-manager` was originally designed\nand intended to work.\n\nIn crypto-drive-manager 3.0 I implemented and released a real workaround:\n\n1. The command ``crypto-drive-manager --install-systemd-workaround`` replaces\n ``/lib/systemd/system-generators/systemd-cryptsetup-generator`` with a\n symbolic link to the `crypto-drive-manager` program. The original\n generator program is renamed so that it remains accessible.\n\n2. When ``systemctl daemon-reload`` is run it calls `crypto-drive-manager`\n by following the symbolic link (without realizing it of course).\n\n3. By checking the value of ``sys.argv[0]`` the `crypto-drive-manager`\n program can determine whether it's being run by ``systemd``.\n\n4. In this case `crypto-drive-manager` will first run the original generator\n program and then it will rewrite the generated service files located in\n ``/var/run/systemd/generator`` to remove ``RequiresMountsFor`` fields.\n\n5. By the time ``systemd`` rereads its configuration files the\n ``RequiresMountsFor`` fields have already been removed.\n\n6. Because ``crypto-drive-manager`` automatically detects the presence or\n absence of problematic ``RequiresMountsFor`` fields it will detect its own\n workaround and properly lock the virtual keys device after use.\n\n7. Profit! :-P\n\nTo be honest all of this started as a thought experiment with me trying to\nverify my understanding of the problem and what would be involved to fix it.\nOnce I realized that my (nasty! I know) workaround was actually effective I\ndecided I might as well publish it. I do actually use this workaround on my\npersonal server (for whatever that's worth).\n\nContact\n-------\n\nThe latest version of `crypto-drive-manager` is available on PyPI_ and\nGitHub_. For bug reports please create an issue on GitHub_. If you have\nquestions, suggestions, etc. feel free to send me an e-mail at\n`peter@peterodding.com`_.\n\nLicense\n-------\n\nThis software is licensed under the `MIT license`_.\n\n\u00a9 2017 Peter Odding.\n\n.. External references:\n.. _GitHub: https://github.com/xolox/python-crypto-drive-manager\n.. _key pass: http://en.wikipedia.org/wiki/Password_manager\n.. _loop device: http://en.wikipedia.org/wiki/Loop_device\n.. _LUKS encrypted devices: http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup\n.. _MIT license: http://en.wikipedia.org/wiki/MIT_License\n.. _per user site-packages directory: https://www.python.org/dev/peps/pep-0370/\n.. _peter@peterodding.com: mailto:peter@peterodding.com\n.. _PyPI: https://pypi.python.org/pypi/crypto-drive-manager\n.. _systemd issue #3816: https://github.com/systemd/systemd/issues/3816\n.. _virtual environments: http://docs.python-guide.org/en/latest/dev/virtualenvs/\n\n\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/xolox/python-crypto-drive-manager", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "crypto-drive-manager", "package_url": "https://pypi.org/project/crypto-drive-manager/", "platform": "", "project_url": "https://pypi.org/project/crypto-drive-manager/", "project_urls": { "Homepage": "https://github.com/xolox/python-crypto-drive-manager" }, "release_url": "https://pypi.org/project/crypto-drive-manager/3.0/", "requires_dist": [ "coloredlogs (>=7.3.1)", "executor (>=1.6)", "humanfriendly (>=1.36)", "linux-utils (>=0.3)", "verboselogs (>=1.7)", "enum34 (>=1.1.6); python_version == \"2.6\" or python_version == \"2.7\" or python_version == \"3.0\" or python_version == \"3.1\" or python_version == \"3.2\" or python_version == \"3.3\"" ], "requires_python": "", "summary": "Unlock all your encrypted drives with one pass phrase.", "version": "3.0" }, "last_serial": 3498910, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "a49fca1e232c3c7e8f6b280157687b49", "sha256": "1f685c121a2fc827b60a19f5fde294d08f88d2eb452b11c0ff3eb7161c098583" }, "downloads": -1, "filename": "crypto-drive-manager-1.0.tar.gz", "has_sig": false, "md5_digest": "a49fca1e232c3c7e8f6b280157687b49", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8426, "upload_time": "2015-02-21T01:51:48", "url": "https://files.pythonhosted.org/packages/1f/dc/62c63b6e4f613c098e51c1b633a20cd7968031ce8c3d2a486b0505a20dd6/crypto-drive-manager-1.0.tar.gz" } ], "2.0": [ { "comment_text": "", "digests": { "md5": "2d6525644999a64f11dc9542466f151d", "sha256": "c05e63ece2b4cc44e34ac7ebbf8bc6d0ddbfe824e344d7e36b2c8c8b341ec9d3" }, "downloads": -1, "filename": "crypto_drive_manager-2.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "2d6525644999a64f11dc9542466f151d", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 14324, "upload_time": "2018-01-17T21:17:45", "url": "https://files.pythonhosted.org/packages/be/23/1d3f3636093ab59fc1e224236f52ca6c82cc85461909d3ea2557b3732069/crypto_drive_manager-2.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "2c9a0067f5cfc44979df66448bb50306", "sha256": "0a8664f8b0bb1ef32a4d19f79fda3b6aff3e24a4face0b2473c2af0b4a7637c2" }, "downloads": -1, "filename": "crypto-drive-manager-2.0.tar.gz", "has_sig": false, "md5_digest": "2c9a0067f5cfc44979df66448bb50306", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11429, "upload_time": "2018-01-17T21:17:46", "url": "https://files.pythonhosted.org/packages/1c/6a/8fb71f86b57c56a12464bc4d942935f0346eabfd0fa40872b6387e408723/crypto-drive-manager-2.0.tar.gz" } ], "3.0": [ { "comment_text": "", "digests": { "md5": "78623860f914bd1e0c40c202495940d3", "sha256": "69ae68f2cddfcb66151c033b4e8e9c6d8a5c804c3b607c957ca320aaac524bde" }, "downloads": -1, "filename": "crypto_drive_manager-3.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "78623860f914bd1e0c40c202495940d3", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 18425, "upload_time": "2018-01-17T23:20:53", "url": "https://files.pythonhosted.org/packages/77/e6/33e999bfd08eb3da7108b8b018d1985a996f9460f403a3fdd025ca1754b8/crypto_drive_manager-3.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "42ca7d10256f5abb8d8881c80e89bbe2", "sha256": "e182ac351ac863f077dffa7b2ea8a29005b16d32784b2cd1905f40a790b74926" }, "downloads": -1, "filename": "crypto-drive-manager-3.0.tar.gz", "has_sig": false, "md5_digest": "42ca7d10256f5abb8d8881c80e89bbe2", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13621, "upload_time": "2018-01-17T23:20:55", "url": "https://files.pythonhosted.org/packages/c6/c0/f3dba9dc1434efb60e92a6117c2100903dde9d4f0fb44c5a8f95daaf37a3/crypto-drive-manager-3.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "78623860f914bd1e0c40c202495940d3", "sha256": "69ae68f2cddfcb66151c033b4e8e9c6d8a5c804c3b607c957ca320aaac524bde" }, "downloads": -1, "filename": "crypto_drive_manager-3.0-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "78623860f914bd1e0c40c202495940d3", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 18425, "upload_time": "2018-01-17T23:20:53", "url": "https://files.pythonhosted.org/packages/77/e6/33e999bfd08eb3da7108b8b018d1985a996f9460f403a3fdd025ca1754b8/crypto_drive_manager-3.0-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "42ca7d10256f5abb8d8881c80e89bbe2", "sha256": "e182ac351ac863f077dffa7b2ea8a29005b16d32784b2cd1905f40a790b74926" }, "downloads": -1, "filename": "crypto-drive-manager-3.0.tar.gz", "has_sig": false, "md5_digest": "42ca7d10256f5abb8d8881c80e89bbe2", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13621, "upload_time": "2018-01-17T23:20:55", "url": "https://files.pythonhosted.org/packages/c6/c0/f3dba9dc1434efb60e92a6117c2100903dde9d4f0fb44c5a8f95daaf37a3/crypto-drive-manager-3.0.tar.gz" } ] }