|
Size: 2297
Comment:
|
← Revision 20 as of 2021-02-18 20:05:40 ⇥
Size: 2758
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security. | While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security. While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding! |
| Line 10: | Line 12: |
| $ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32 | echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32 |
| Line 16: | Line 18: |
| # cryptsetup luksAddKey /dev/md1 keyfile_md1 | cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1 |
| Line 20: | Line 22: |
| == Put the Key on A USB Storage Device == | == Put the Key on an USB Storage Device == |
| Line 22: | Line 24: |
| Insert your usb storage device, has to hold 32 bytes, hard to find a device that small I use a 4GB usb storage device myself. Make the usb storage device look like its just garbage data. | Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data. |
| Line 25: | Line 27: |
| # dd if=/dev/urandom of=/dev/sde | dd if=/dev/urandom of=/dev/sde |
| Line 31: | Line 33: |
| # dd if=keyfile_md1 of=/dev/sde | dd if=/root/install/luks/keyfile_md1 of=/dev/sde |
| Line 34: | Line 36: |
| == Using the Key == | |
| Line 35: | Line 38: |
| == Getting the Initramfs == ok now we have the key on our usb-storage device. Next we need to initrd image to be able to use that information. |
Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set `SOURCE` and `TARGET` to fit your system. |
| Line 38: | Line 40: |
| {{{ | `/root/install/luks/keyscript.sh` {{{#!highlight bash |
| Line 63: | Line 66: |
| this script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Save the script as root/install/luks/keyscript.sh | Add the use of the script to `/etc/crypttab`. |
| Line 65: | Line 68: |
| now edit /etc/crypttab |
{{{ md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard }}} |
| Line 68: | Line 72: |
| md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks | Becomes |
| Line 70: | Line 74: |
| becomes md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh |
{{{ md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard,keyscript=/root/install/luks/keyscript.sh }}} |
| Line 73: | Line 78: |
| Update initrd image and Grub {{{ |
|
| Line 75: | Line 83: |
| }}} | |
| Line 76: | Line 85: |
| reboot and test | Congratulations, you have now hosed your security! Reboot and test. |
KVM Host Booting from Luks Encryption
While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security.
While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding!
Add a New Luks Key
Find yourself a good passphrase.
echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32
Add the New Key.
cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1 Enter any existing passphrase:
Put the Key on an USB Storage Device
Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.
dd if=/dev/urandom of=/dev/sde
Put the key on it.
dd if=/root/install/luks/keyfile_md1 of=/dev/sde
Using the Key
Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCE and TARGET to fit your system.
/root/install/luks/keyscript.sh
1 #!/bin/sh
2
3 SOURCE="/dev/md1"
4 TARGET="md1_crypt"
5
6 while [ ! -e /dev/mapper/${TARGET} ]
7 do
8 while read a b c DEVICE
9 do
10 if [ ! -e /dev/mapper/${TARGET} ]
11 then
12 if [ -e /dev/${DEVICE} ]
13 then
14 #echo -n "$DEVICE "
15 dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
16 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
17 fi
18 fi
19 done</proc/partitions
20 done
21 cryptsetup luksClose /dev/mapper/${TARGET}
22 cat proposedkey
Add the use of the script to /etc/crypttab.
md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard
Becomes
md1_crypt UUID=b26a33dc-2c96-42fe-b082-fa60b46bb6d5 none luks,discard,keyscript=/root/install/luks/keyscript.sh
Update initrd image and Grub
update-initramfs -u update-grub
Congratulations, you have now hosed your security! Reboot and test.