2022
Comment:
|
2438
|
Deletions are marked like this. | Additions are marked like this. |
Line 3: | Line 3: |
While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Entering the passphrase is really what the security is about, so circumventing this is really hosing you security. | While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security. |
Line 5: | Line 5: |
find yourself a good passphrase echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32 |
== Add a New Luks Key == |
Line 8: | Line 7: |
cryptsetup luksAddKey /dev/md1 keyfile_md1 | Find yourself a good passphrase. {{{ $ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32 }}} Add the New Key. {{{ # cryptsetup luksAddKey /dev/md1 keyfile_md1 |
Line 10: | Line 18: |
}}} | |
Line 11: | Line 20: |
insert your usb storage device, has to hold 32 bytes, hard to find a device that small i use a 4GB usb storage device myself | == Put the Key on an USB Storage Device == |
Line 13: | Line 22: |
make the usb storage device look like its just garbage data | Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data. |
Line 15: | Line 24: |
dd if=/dev/urandom of=/dev/sde | {{{ # dd if=/dev/urandom of=/dev/sde }}} |
Line 17: | Line 28: |
put the key on it | Put the key on it. |
Line 19: | Line 30: |
dd if=keyfile_md1 of=/dev/sde | {{{ # dd if=keyfile_md1 of=/dev/sde }}} |
Line 21: | Line 34: |
ok now we have the key on our usb-storage device. Next we need to initrd image to be able to use that information. | == Using the Key == |
Line 23: | Line 36: |
Next we need to initrd image to be able to use that information. Create the following script and make it executeable. `/root/install/luks/keyscript.sh`. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set `SOURCE`and `TARGET` to fit your system. {{{#!highlight bash |
|
Line 45: | Line 61: |
}}} | |
Line 46: | Line 63: |
this script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Save the script as root/install/luks/keyscript.sh | Add the use of the script to /etc/crypttab. |
Line 48: | Line 65: |
now edit /etc/crypttab |
{{{ md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks }}} |
Line 51: | Line 69: |
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks | Becomes |
Line 53: | Line 71: |
becomes | {{{ |
Line 55: | Line 73: |
}}} | |
Line 56: | Line 75: |
update-initramfs -u update-grub |
Update initrd image and Grub |
Line 59: | Line 77: |
reboot and test | {{{ # update-initramfs -u # update-grub }}} Reboot and test. |
KVM Host Booting from Luks Encryption
While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security.
Add a New Luks Key
Find yourself a good passphrase.
$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
Add the New Key.
# cryptsetup luksAddKey /dev/md1 keyfile_md1 Enter any existing passphrase:
Put the Key on an USB Storage Device
Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.
# dd if=/dev/urandom of=/dev/sde
Put the key on it.
# dd if=keyfile_md1 of=/dev/sde
Using the Key
Next we need to initrd image to be able to use that information. Create the following script and make it executeable. /root/install/luks/keyscript.sh. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCEand TARGET to fit your system.
1 #!/bin/sh
2
3 SOURCE="/dev/md1"
4 TARGET="md1_crypt"
5
6 while [ ! -e /dev/mapper/${TARGET} ]
7 do
8 while read a b c DEVICE
9 do
10 if [ ! -e /dev/mapper/${TARGET} ]
11 then
12 if [ -e /dev/${DEVICE} ]
13 then
14 #echo -n "$DEVICE "
15 dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
16 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
17 fi
18 fi
19 done</proc/partitions
20 done
21 cryptsetup luksClose /dev/mapper/${TARGET}
22 cat proposedkey
Add the use of the script to /etc/crypttab.
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks
Becomes
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
Update initrd image and Grub
# update-initramfs -u # update-grub
Reboot and test.