Differences between revisions 2 and 3
Revision 2 as of 2017-10-10 23:54:55
Size: 2297
Editor: shran
Comment:
Revision 3 as of 2017-10-11 00:03:12
Size: 2365
Editor: shran
Comment:
KVM Host Booting from Luks Encryption

While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM host as a headless system with no keyboard attached makes this a real problem. Entering the passphrase is what the security is about, so circumventing it weakens that security: with the approach below, whoever holds the USB stick (or can read it) can unlock the disks, so the encryption only protects them while they are separated from the stick.

Add a New Luks Key

Find yourself a good passphrase. The command below turns it into a key file: it keeps the 32 hex digits of the passphrase's MD5 digest, so the key never holds more than 128 bits of entropy, and no more than the passphrase itself. 32 bytes read straight from /dev/urandom would be a stronger key and work just as well with the script below, since the key is a file either way.

$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32

Add the new key. cryptsetup reads the whole key file, so it must contain exactly the 32 bytes the keyscript will later read from the stick; you are prompted for an existing passphrase of the volume (/dev/md1 here).

# cryptsetup luksAddKey /dev/md1 keyfile_md1
Enter any existing passphrase:

Put the Key on an USB Storage Device

Insert your USB storage device. It only has to hold 32 bytes, and it is hard to find a device that small, so I use a 4GB USB storage device myself. Make the device look like it holds nothing but garbage data by filling it with random bytes. This wipes the whole device, so check the device name (/dev/sde here) before running it; dd stops with "No space left on device" once the device is full, which is expected.

# dd if=/dev/urandom of=/dev/sde

Put the key on it. dd writes from offset 0, so the key occupies the first 32 bytes of the device, which is exactly what the keyscript reads back. Once the stick holds the key, delete keyfile_md1 from the host, or at least make sure no copy of it sits on an unencrypted file system.

# dd if=keyfile_md1 of=/dev/sde

Using the Key

Next we need the initrd image to be able to use that information. The cryptsetup initramfs hook (Debian and derivatives) can run a keyscript instead of prompting for a passphrase; whatever the script writes to stdout is used as the key. Create the following script and make it executable: /root/install/luks/keyscript.sh

#!/bin/sh
# Keyscript for the cryptsetup initramfs hook: runs from the initramfs under
# busybox sh and must print the key on stdout.
SOURCE="/dev/md1"
TARGET="md1_crypt"
KEY=proposedkey

while [ ! -e /dev/mapper/${TARGET} ]
do
        # /proc/partitions lines are "major minor #blocks name"; the header
        # and the blank line yield names that are not block devices.
        while read a b c DEVICE
        do
                if [ -n "${DEVICE}" ] && [ -b /dev/${DEVICE} ] && [ ! -e /dev/mapper/${TARGET} ]
                then
                        #echo -n "$DEVICE "
                        # candidate key = first 32 bytes of the device
                        dd if=/dev/${DEVICE} of=${KEY} bs=1 count=32 > /dev/null 2>&1
                        # a successful open means these bytes unlock the volume
                        cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file ${KEY} > /dev/null 2>&1
                fi
        done < /proc/partitions
        # nothing found on this pass: wait for the stick to be plugged in, then rescan
        [ -e /dev/mapper/${TARGET} ] || sleep 1
done
# close the trial mapping; cryptsetup reopens it with the key we print
cryptsetup luksClose /dev/mapper/${TARGET}
cat ${KEY}
rm -f ${KEY}

This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. It keeps polling until a device whose first 32 bytes unlock the volume shows up, so the boot simply waits for the stick; there is no fallback to typing the passphrase at the console. If the stick is lost, the passphrase slot still exists, so the volume can be opened from a rescue system and a new key added.

Add the use of the script to /etc/crypttab. The key-file field stays none; the keyscript's output takes its place.

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks

Becomes

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh

Update the initrd image and GRUB. update-initramfs copies the keyscript into the initramfs, so rerun it whenever you change the script.

# update-initramfs -u
# update-grub

Reboot and test.
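As an added example that is not part of the original page, the following shell script replays the procedure above against plain files that stand in for block devices, so it runs without root and without a LUKS volume: a 32-byte key from /dev/urandom (instead of the md5sum of a passphrase), a "stick" filled with random data with the key in its first 32 bytes, and a scan over candidate devices that reads each one's first 32 bytes and hands them to a try-open command. The try_cmp function is a hypothetical stand-in for `cryptsetup luksOpen ... --key-file`, and the fixture names (sda1, sdb, dev, sde) are constructed for the demo; none of this is the page's own code.

```shell
#!/bin/sh
# Added example for this page, not the wiki's own script. It replays the page's
# key handling against plain files standing in for block devices, so it runs
# unprivileged and without a LUKS volume. try_cmp() is a hypothetical stand-in
# for "cryptsetup luksOpen SOURCE TARGET --key-file"; all fixture names are
# constructed for the demo.

# 32 random bytes from the kernel CSPRNG. The page instead keeps the 32 hex
# digits of md5sum(passphrase), which caps the key at 128 bits and at whatever
# entropy the passphrase has.
make_keyfile() {                      # $1 = path of the new key file
    dd if=/dev/urandom of="$1" bs=32 count=1 2>/dev/null || return 1
    chmod 600 "$1"
}

# Fill a "device" with random data, then put the key in its first 32 bytes.
# conv=notrunc keeps the rest of the image; on a real block device it is a no-op.
make_stick() {                        # $1 = device image, $2 = key file
    dd if=/dev/urandom of="$1" bs=1024 count=64 2>/dev/null || return 1
    dd if="$2" of="$1" bs=32 count=1 conv=notrunc 2>/dev/null
}

# The same read the page's keyscript does: the first 32 bytes of a candidate.
read_candidate() {                    # $1 = device, $2 = output file
    dd if="$1" of="$2" bs=1 count=32 2>/dev/null
}

# Stand-in for the luksOpen trial: accept the candidate only if it equals the
# reference key in $REFKEY. Hypothetical; the real check is cryptsetup.
try_cmp() {                           # $1 = candidate key file
    cmp -s "$1" "$REFKEY"
}

# Scan candidates in order, like the page's loop over /proc/partitions.
# $1 = try-open command, remaining args = candidate devices.
# Prints the device whose first 32 bytes passed the check; returns 1 if none.
find_key_device() {
    try="$1"; shift
    cand=$(mktemp) || return 1
    for dev in "$@"; do
        # /proc/partitions yields a header and a blank line: skip empty names,
        # anything that does not exist, and directories (/dev/ for an empty name)
        [ -n "$dev" ] && [ -e "$dev" ] && [ ! -d "$dev" ] || continue
        read_candidate "$dev" "$cand" || continue   # dd truncates: no stale bytes
        if "$try" "$cand"; then
            rm -f "$cand"
            echo "$dev"
            return 0
        fi
    done
    rm -f "$cand"
    return 1
}

# Constructed fixtures: a device shorter than the key, a decoy full of random
# data, a directory, an empty name, and the stick. Prints the device the scan
# settles on.
demo() {
    dir=$(mktemp -d) || return 1
    REFKEY="$dir/keyfile_md1"
    make_keyfile "$REFKEY" || return 1
    printf 'short' > "$dir/sda1"
    dd if=/dev/urandom of="$dir/sdb" bs=1024 count=4 2>/dev/null
    mkdir "$dir/dev"
    make_stick "$dir/sde" "$REFKEY" || return 1
    found=$(find_key_device try_cmp "$dir/sda1" "$dir/sdb" "$dir/dev" "" "$dir/sde")
    rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 0 ] && echo "${found##*/}"
    return "$rc"
}

demo
```

In the real keyscript the try-open command is cryptsetup luksOpen, the candidate list comes from /proc/partitions, and the script writes the 32 key bytes to stdout rather than a device name. The decoys show why the loop has to skip empty names and directories and why each pass must overwrite the candidate file: otherwise bytes from an earlier device can be handed to cryptsetup a second time.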

KVM Host Booting from Luks Encryption (last edited 2021-02-18 20:05:40 by Kristian Kallenberg)