Differences between revisions 4 and 5
Revision 4 as of 2017-10-11 00:06:01 (size 2381, editor: shran)
Revision 5 as of 2017-10-11 00:07:43 (size 2438, editor: shran)

KVM Host Booting from Luks Encryption

While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM host as a headless system with no keyboard attached makes this a real problem. Entering the passphrase is what the security is about, so circumventing it is really hosing your security.

Add a New Luks Key

Find yourself a good passphrase.

$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32

Add the New Key.

# cryptsetup luksAddKey /dev/md1 keyfile_md1 
Enter any existing passphrase:

Put the Key on a USB Storage Device

Insert your USB storage device. It only has to hold 32 bytes, and it is hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like it's just garbage data.

# dd if=/dev/urandom of=/dev/sde

Put the key on it.

# dd if=keyfile_md1 of=/dev/sde
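The keyfile and USB steps above, as an added shell example that is not from the original page: the same dd commands wrapped in functions that take a path argument, so they can be exercised on a plain image file before being pointed at a real device such as /dev/sde. The function names (make_keyfile, stage_device, write_key, verify_key) are my own. verify_key performs the same 32-byte read that the initramfs keyscript later does, which is the check you want to run before rebooting.

```shell
#!/bin/sh
# Added example (not part of the original page): keyfile and USB steps as
# functions that accept any path, so they can be tested on an image file.
set -eu

KEYLEN=32   # the page's key is the 32-character hex MD5 digest of the passphrase

# Derive the keyfile the way the page does: hex MD5 of the passphrase,
# truncated to 32 bytes. Only the first 32 bytes of the device are ever read
# back, so the keyfile must be exactly this long; return 1 if it is not.
make_keyfile() {   # make_keyfile PASSPHRASE KEYFILE
    printf '%s' "$1" | md5sum | dd of="$2" bs=1 count="$KEYLEN" 2>/dev/null
    [ "$(wc -c < "$2" | tr -d ' ')" -eq "$KEYLEN" ]
}

# Fill the target with random data so the key does not stand out. The page
# does this with plain dd over the whole device; for a file image the size
# is bounded to BLOCKS 512-byte blocks.
stage_device() {   # stage_device DEVICE_OR_IMAGE BLOCKS
    dd if=/dev/urandom of="$1" bs=512 count="$2" conv=notrunc 2>/dev/null
}

# Copy the key into the first 32 bytes. conv=notrunc matters for a regular
# file: without it dd would truncate the image to 32 bytes. On a block
# device it makes no difference.
write_key() {      # write_key KEYFILE DEVICE_OR_IMAGE
    dd if="$1" of="$2" bs=1 count="$KEYLEN" conv=notrunc 2>/dev/null
}

# Read back the first 32 bytes and compare them with the keyfile; this is
# the same read the keyscript performs at boot. Returns 0 on match.
verify_key() {     # verify_key KEYFILE DEVICE_OR_IMAGE
    dd if="$2" bs=1 count="$KEYLEN" 2>/dev/null | cmp -s - "$1"
}
```

Because make_keyfile reproduces the page's derivation, anyone who can guess the passphrase can recompute the key without the USB device, which is why the page tells you to find a good passphrase. Run stage_device and write_key against a real device only after double-checking the device name, since both overwrite it.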

Using the Key

Next, the initrd image needs to be able to use that key. Create the following script and make it executable: /root/install/luks/keyscript.sh. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCE and TARGET to fit your system.

   #!/bin/sh
   # Keyscript run by cryptsetup inside the initramfs. It reads the first 32
   # bytes of every block device listed in /proc/partitions, tries them as the
   # key for SOURCE and, once one works, prints that key on stdout, which is
   # how cryptsetup expects a keyscript to hand back the passphrase.

   SOURCE="/dev/md1"
   TARGET="md1_crypt"
   KEYFILE="proposedkey"   # scratch file in the current directory (/ in the initramfs)

   while [ ! -e "/dev/mapper/${TARGET}" ]
   do
           while read a b c DEVICE
           do
                   # Skip the "major minor #blocks name" header, the blank line
                   # that follows it, and any entry without a device node.
                   [ -n "${DEVICE}" ] && [ -b "/dev/${DEVICE}" ] || continue
                   [ -e "/dev/mapper/${TARGET}" ] && break
                   dd if="/dev/${DEVICE}" of="${KEYFILE}" bs=1 count=32 > /dev/null 2>&1
                   cryptsetup luksOpen "${SOURCE}" "${TARGET}" --key-file "${KEYFILE}" > /dev/null 2>&1
           done < /proc/partitions
           # The USB device may not be enumerated yet; wait before scanning again.
           sleep 1
   done
   # Close the test mapping again: cryptsetup reopens it itself with the key we print.
   cryptsetup luksClose "/dev/mapper/${TARGET}"
   cat "${KEYFILE}"
   rm -f "${KEYFILE}"

Reference the script from /etc/crypttab.

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks

Becomes

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
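The crypttab change above, as an added shell helper that is not part of the original page: crypttab lines have four whitespace-separated fields (target, source, keyfile, options); with a keyscript the third field stays "none" and the script is added to the options field as keyscript=PATH. The function name add_keyscript is my own. It refuses lines with fewer than three fields and leaves a line that already carries a keyscript= option untouched, so running it twice does not double the option.

```shell
#!/bin/sh
# Added example (not from the original page): rewrite one crypttab line so
# that it uses the keyscript. Prints the rewritten line on stdout.
set -eu

# add_keyscript LINE SCRIPT_PATH
add_keyscript() {
    printf '%s\n' "$1" | awk -v script="$2" '
        # crypttab needs at least target, source and keyfile; anything shorter is malformed
        NF < 3 { print "malformed crypttab line: " $0 > "/dev/stderr"; exit 1 }
        # already has a keyscript option: keep the line exactly as it is
        $4 ~ /(^|,)keyscript=/ { print; next }
        {
            # append to existing options, or create the options field if absent
            opt = (NF >= 4 && $4 != "") ? $4 "," "keyscript=" script : "keyscript=" script
            print $1, $2, $3, opt
        }'
}
```

Usage: `add_keyscript "$(grep '^md1_crypt ' /etc/crypttab)" /root/install/luks/keyscript.sh` prints the line to put back into /etc/crypttab; the script path must be the one you made executable, because the keyscript is copied into the initrd from that location when update-initramfs runs.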

Update initrd image and Grub

# update-initramfs -u
# update-grub

Reboot and test.

KVM Host Booting from Luks Encryption (last edited 2021-02-18 20:05:40 by Kristian Kallenberg)