Differences between revisions 6 and 18 (spanning 12 versions)

KVM Host Booting from Luks Encryption

While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security.

While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding!

Add a New Luks Key

Find yourself a good passphrase.

echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32

Add the New Key.

cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1 
Enter any existing passphrase:

Put the Key on an USB Storage Device

Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.

dd if=/dev/urandom of=/dev/sde

Put the key on it.

dd if=keyfile_md1 of=/dev/sde

Using the Key

Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set SOURCE and TARGET to fit your system.

/root/install/luks/keyscript.sh

   1 #!/bin/sh
   2 
   3 SOURCE="/dev/md1"
   4 TARGET="md1_crypt"
   5 
   6 while [ ! -e /dev/mapper/${TARGET} ]
   7 do
   8         while read a b c DEVICE
   9         do
  10                 if [ ! -e /dev/mapper/${TARGET} ]
  11                 then
  12                         if [ -e /dev/${DEVICE} ]
  13                         then
  14                                 #echo -n "$DEVICE "
  15                                 dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
  16                                 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
  17                         fi
  18                 fi
  19         done</proc/partitions
  20 done
  21 cryptsetup luksClose /dev/mapper/${TARGET}
  22 cat proposedkey

Add the use of the script to /etc/crypttab.

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks

Becomes

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh

Update initrd image and Grub

update-initramfs -u
update-grub

Congratulations, you have now hosed your security! Reboot and test.

None: KVM Host Booting from Luks Encryption (last edited 2021-02-18 20:05:40 by Kristian Kallenberg)

-  ⇤ ← Revision 6 as of 2017-10-11 00:08:40 → 
  Size: 2439
  Editor: shran
  Comment:
+   ← Revision 18 as of 2017-12-01 12:04:35 → ⇥
  Size: 2723
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 3:
-While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security.
+While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing your security.

While playing around with this, be aware that it might render your system unbootable. You should have the skills to use a GNU/Linux recovery media to undo the changes you have made before proceeding!
-Line 10:
+Line 12:
-$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
+echo -n "uptime" | md5sum | dd of=/root/install/luks/keyfile_md1 bs=1 count=32
-Line 16:
+Line 18:
-# cryptsetup luksAddKey /dev/md1 keyfile_md1
+cryptsetup luksAddKey /dev/md1 /root/install/luks/keyfile_md1
-Line 25:
+Line 27:
-# dd if=/dev/urandom of=/dev/sde
+dd if=/dev/urandom of=/dev/sde
-Line 31:
+Line 33:
-# dd if=keyfile_md1 of=/dev/sde
+dd if=keyfile_md1 of=/dev/sde
-Line 36:
+Line 38:
-Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set `SOURCE`and `TARGET` to fit your system.
+Next we need the initrd image to be able to use that information. Create the following script and make it executeable. This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Make sure you set `SOURCE` and `TARGET` to fit your system.
-Line 64:
+Line 66:
-Add the use of the script to /etc/crypttab.
+Add the use of the script to `/etc/crypttab`.
-Line 79:
+Line 81:
-# update-initramfs -u
# update-grub
+update-initramfs -u
update-grub
-Line 83:
+Line 85:
-Reboot and test.
+Congratulations, you have now hosed your security! Reboot and test.