Differences between revisions 12 and 19 (spanning 7 versions)

KVM Host Booting from Luks Encryption

While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security.

While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding!

Add a New Luks Key

Find yourself a good passphrase.

echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32

Add the New Key.

cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1 
Enter any existing passphrase:

Put the Key on an USB Storage Device

Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.

dd if=/dev/urandom of=/dev/sde

Put the key on it.

dd if=keyfile_md1 of=/dev/sde

Using the Key

Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCE and TARGET to fit your system.

/root/install/luks/keyscript.sh

   1 #!/bin/sh
   2 
   3 SOURCE="/dev/md1"
   4 TARGET="md1_crypt"
   5 
   6 while [ ! -e /dev/mapper/${TARGET} ]
   7 do
   8         while read a b c DEVICE
   9         do
  10                 if [ ! -e /dev/mapper/${TARGET} ]
  11                 then
  12                         if [ -e /dev/${DEVICE} ]
  13                         then
  14                                 #echo -n "$DEVICE "
  15                                 dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
  16                                 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
  17                         fi
  18                 fi
  19         done</proc/partitions
  20 done
  21 cryptsetup luksClose /dev/mapper/${TARGET}
  22 cat proposedkey

Add the use of the script to /etc/crypttab.

md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard

Becomes

md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard,keyscript=/root/install/luks/keyscript.sh

Update initrd image and Grub

update-initramfs -u
update-grub

Congratulations, you have now hosed your security! Reboot and test.

None: KVM Host Booting from Luks Encryption (last edited 2021-02-18 20:05:40 by Kristian Kallenberg)

-  ⇤ ← Revision 12 as of 2017-10-11 00:13:17 → 
  Size: 2693
  Editor: shran
  Comment:
+   ← Revision 19 as of 2021-01-17 13:54:40 → ⇥
  Size: 2739
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 3:
-While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security.
+While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security.
 Line 5:
-While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have make before proceeding!
+While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding!
 Line 12:
-$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
+echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32
 Line 18:
-# cryptsetup luksAddKey /dev/md1 keyfile_md1
+cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1
 Line 27:
-# dd if=/dev/urandom of=/dev/sde
+dd if=/dev/urandom of=/dev/sde
 Line 33:
-# dd if=keyfile_md1 of=/dev/sde
+dd if=keyfile_md1 of=/dev/sde
 Line 66:
-Add the use of the script to /etc/crypttab.
+Add the use of the script to `/etc/crypttab`.
 Line 69:
-md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks
+md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard
 Line 75:
-md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
+md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard,keyscript=/root/install/luks/keyscript.sh
 Line 81:
-# update-initramfs -u
# update-grub
+update-initramfs -u
update-grub
 Line 85:
-Congratulations, you have now hosed you security! Reboot and test.
+Congratulations, you have now hosed your security! Reboot and test.