KVM Host Booting from Luks Encryption
While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM host headless, with no keyboard attached, makes that a real problem. Entering the passphrase is what the security is about, so circumventing it really hoses your security.
Add a New Luks Key
Find yourself a good passphrase. The command below turns it (here the string "uptime") into a 32-byte key file, keyfile_md1, holding the MD5 hex digest of the passphrase.
$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
Add the New Key.
# cryptsetup luksAddKey /dev/md1 keyfile_md1
Enter any existing passphrase:
Put the Key on an USB Storage Device
Insert your USB storage device. It has to hold 32 bytes; it is hard to find a device that small, so I use a 4GB USB storage device myself. Make the USB storage device look like it is just garbage data.
# dd if=/dev/urandom of=/dev/sde
Put the key on it.
# dd if=keyfile_md1 of=/dev/sde
Using the Key
Next we need the initrd image to be able to use that information. Create the following script and make it executable: /root/install/luks/keyscript.sh. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCE and TARGET to fit your system.
#!/bin/sh
# Scan every block device listed in /proc/partitions for a 32-byte LUKS key.
# Adjust SOURCE (the LUKS container) and TARGET (the mapping name) to your system.

SOURCE="/dev/md1"
TARGET="md1_crypt"

# Keep scanning until the container has been opened with a working key.
while [ ! -e "/dev/mapper/${TARGET}" ]
do
    # /proc/partitions columns: major minor #blocks name
    while read -r a b c DEVICE
    do
        # Skip the header line, the blank line, and stop once the container is open.
        if [ -n "${DEVICE}" ] && [ "${DEVICE}" != "name" ] && [ ! -e "/dev/mapper/${TARGET}" ]
        then
            if [ -e "/dev/${DEVICE}" ]
            then
                #echo -n "$DEVICE "    # debug: show which device is being tried
                # Take the first 32 bytes of the device as a candidate key ...
                dd if="/dev/${DEVICE}" of=proposedkey bs=1 count=32 > /dev/null 2>&1
                # ... and see whether it unlocks the container.
                cryptsetup luksOpen "${SOURCE}" "${TARGET}" --key-file proposedkey > /dev/null 2>&1
            fi
        fi
    done < /proc/partitions
done

# Close the mapping again; the initramfs cryptsetup hook reopens it
# with the key this script prints on stdout.
cryptsetup luksClose "/dev/mapper/${TARGET}"
cat proposedkey
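A tidier variant of the scanning keyscript, added here as an example and not the wiki page's own script: each candidate is checked with cryptsetup luksOpen --test-passphrase, so nothing gets mapped and there is no luksClose step; the header line of /proc/partitions and the container itself are skipped; the temporary key file is removed; and the scan gives up after MAX_ROUNDS seconds instead of looping forever. DEVDIR and PARTITIONS are hypothetical knobs that exist only so the scan can be exercised against a fake device directory, and the final line assumes a Debian cryptsetup that exports CRYPTTAB_NAME to keyscripts.

```shell
#!/bin/sh
# Added example (not the wiki page's script): scan block devices for a 32-byte
# LUKS key; candidates are checked with --test-passphrase (nothing gets mapped),
# the /proc/partitions header and the container itself are skipped.
SOURCE="${SOURCE:-/dev/md1}"          # LUKS container (as on the page)
TARGET="${TARGET:-md1_crypt}"         # mapping name (as on the page)
DEVDIR="${DEVDIR:-/dev}"              # hypothetical knob, only for testing
PARTITIONS="${PARTITIONS:-/proc/partitions}"  # hypothetical knob, for testing
KEYLEN=32
MAX_ROUNDS="${MAX_ROUNDS:-30}"
# probe_key FILE: succeed if FILE unlocks SOURCE, without mapping the device.
probe_key() {
    cryptsetup luksOpen --test-passphrase --key-file "$1" "$SOURCE" >/dev/null 2>&1
}

# list_candidates: device names from PARTITIONS minus header, blanks and SOURCE.
list_candidates() {
    while read -r _major _minor _blocks dev; do
        [ -n "$dev" ] && [ "$dev" != "name" ] || continue
        [ "$DEVDIR/$dev" != "$SOURCE" ] || continue
        printf '%s\n' "$dev"
    done < "$PARTITIONS"
}

# find_key: try each candidate once; on success print the key on stdout (the
# keyscript protocol) and return 0, otherwise return 1.
find_key() {
    tmp="$(mktemp 2>/dev/null || echo "/tmp/proposedkey.$$")"
    for dev in $(list_candidates); do
        [ -e "$DEVDIR/$dev" ] || continue
        dd if="$DEVDIR/$dev" of="$tmp" bs=1 count="$KEYLEN" >/dev/null 2>&1 || continue
        if probe_key "$tmp"; then
            cat "$tmp"; rm -f "$tmp"; return 0
        fi
    done
    rm -f "$tmp"; return 1
}

# main: retry once a second so a USB stick that appears late is still found.
main() {
    rounds=0
    until find_key; do
        rounds=$((rounds + 1))
        [ "$rounds" -lt "$MAX_ROUNDS" ] || { echo "keyscript: no key found" >&2; exit 1; }
        sleep 1
    done
}
# Debian's cryptsetup initramfs hook exports CRYPTTAB_NAME to keyscripts; it is unset when sourced for testing.
[ -z "${CRYPTTAB_NAME:-}" ] || main
```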
Add the use of the script to /etc/crypttab.
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks
Becomes
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
Update initrd image and Grub
# update-initramfs -u
# update-grub
Reboot and test.