2381
Comment:
|
2438
|
Deletions are marked like this. | Additions are marked like this. |
Line 36: | Line 36: |
Next we need to initrd image to be able to use that information. Create the following script and make it executeable. `/root/install/luks/keyscript.sh` | Next we need to initrd image to be able to use that information. Create the following script and make it executeable. `/root/install/luks/keyscript.sh`. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set `SOURCE`and `TARGET` to fit your system. |
Line 63: | Line 63: |
This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. |
KVM Host Booting from Luks Encryption
While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security.
Add a New Luks Key
Find yourself a good passphrase.
$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
Add the New Key.
# cryptsetup luksAddKey /dev/md1 keyfile_md1 Enter any existing passphrase:
Put the Key on an USB Storage Device
Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.
# dd if=/dev/urandom of=/dev/sde
Put the key on it.
# dd if=keyfile_md1 of=/dev/sde
Using the Key
Next we need to initrd image to be able to use that information. Create the following script and make it executeable. /root/install/luks/keyscript.sh. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCEand TARGET to fit your system.
1 #!/bin/sh
2
3 SOURCE="/dev/md1"
4 TARGET="md1_crypt"
5
6 while [ ! -e /dev/mapper/${TARGET} ]
7 do
8 while read a b c DEVICE
9 do
10 if [ ! -e /dev/mapper/${TARGET} ]
11 then
12 if [ -e /dev/${DEVICE} ]
13 then
14 #echo -n "$DEVICE "
15 dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
16 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
17 fi
18 fi
19 done</proc/partitions
20 done
21 cryptsetup luksClose /dev/mapper/${TARGET}
22 cat proposedkey
Add the use of the script to /etc/crypttab.
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks
Becomes
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
Update initrd image and Grub
# update-initramfs -u # update-grub
Reboot and test.