Differences between revisions 15 and 16

KVM Host Booting from Luks Encryption

While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security.

While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding!

Add a New Luks Key

Find yourself a good passphrase.

echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32

Add the New Key.

cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1 
Enter any existing passphrase:

Put the Key on an USB Storage Device

Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.

dd if=/dev/urandom of=/dev/sde

Put the key on it.

dd if=keyfile_md1 of=/dev/sde

Using the Key

Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCE and TARGET to fit your system.

/root/install/luks/keyscript.sh

   1 #!/bin/sh
   2 
   3 SOURCE="/dev/md1"
   4 TARGET="md1_crypt"
   5 
   6 while [ ! -e /dev/mapper/${TARGET} ]
   7 do
   8         while read a b c DEVICE
   9         do
  10                 if [ ! -e /dev/mapper/${TARGET} ]
  11                 then
  12                         if [ -e /dev/${DEVICE} ]
  13                         then
  14                                 #echo -n "$DEVICE "
  15                                 dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
  16                                 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
  17                         fi
  18                 fi
  19         done</proc/partitions
  20 done
  21 cryptsetup luksClose /dev/mapper/${TARGET}
  22 cat proposedkey

Add the use of the script to /etc/crypttab.

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks

Becomes

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh

Update initrd image and Grub

update-initramfs -u
update-grub

Congratulations, you have now hosed you security! Reboot and test.

None: KVM Host Booting from Luks Encryption (last edited 2021-02-18 20:05:40 by Kristian Kallenberg)

-  ⇤ ← Revision 15 as of 2017-10-11 18:25:06 → 
  Size: 2732
  Editor: shran
  Comment:
+   ← Revision 16 as of 2017-11-11 20:07:28 → ⇥
  Size: 2720
  Editor: shran
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 12:
-$ echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32
+echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32
 Line 18:
-# cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1
+cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1
 Line 27:
-# dd if=/dev/urandom of=/dev/sde
+dd if=/dev/urandom of=/dev/sde
 Line 33:
-# dd if=keyfile_md1 of=/dev/sde
+dd if=keyfile_md1 of=/dev/sde
 Line 81:
-# update-initramfs -u
# update-grub
+update-initramfs -u
update-grub