KVM Host Booting from LUKS Encryption
Encrypting your disks is a good idea, but it leaves you with the problem that somebody has to type the passphrase every time the system boots, which is awkward for a KVM host that should come back up unattended. Be clear about the trade-off before you go on: the passphrase prompt is what the encryption actually protects, so bypassing it largely hoses your security. With the setup below the key lives on a USB stick, and whoever walks off with the stick together with the disks can decrypt them. Treat the stick as a physical token, do not leave it plugged into the host permanently, and keep the original passphrase key slot as a fallback.
First you need a 32-byte key. The original recipe derived it from a word:
echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
That takes the 32 hex characters of the MD5 digest as the key, so the key is only as strong as the word it was made from (a few dozen bits of guessable entropy at best, however "good" the passphrase looks). Better to take 32 random bytes straight from the kernel:
dd if=/dev/urandom of=keyfile_md1 bs=1 count=32
Then add the key file as an additional key slot. The existing passphrase stays valid, which is what you want as a fallback:
cryptsetup luksAddKey /dev/md1 keyfile_md1
Enter any existing passphrase:
Now insert your USB storage device. It only has to hold 32 bytes; devices that small are hard to find, so I use a 4GB USB storage device myself. Check which device node it got (lsblk or dmesg) before running anything below, because dd will destroy whatever /dev/sde happens to be. First fill the whole stick with random data so the key does not stand out from the rest (this takes a while on a 4GB stick):
dd if=/dev/urandom of=/dev/sde
Then put the key at the very beginning of the device. Write to the whole device, not a partition, because the boot script below reads the first 32 bytes of every block device it finds:
dd if=keyfile_md1 of=/dev/sde
Now the key is on the USB stick. Next the initrd needs a script that can find it at boot and hand it to cryptsetup.
#!/bin/sh
SOURCE="/dev/md1"
TARGET="md1_crypt"
# keep scanning until the mapping exists, i.e. until some device held the key
while [ ! -e /dev/mapper/${TARGET} ]
do
    # /proc/partitions columns: major minor #blocks name; only the name is used
    while read a b c DEVICE
    do
        if [ ! -e /dev/mapper/${TARGET} ]
        then
            # skip the blank line in /proc/partitions (it would make dd read /dev/)
            if [ -n "${DEVICE}" ] && [ -e /dev/${DEVICE} ]
            then
                # try the first 32 bytes of this device as the key
                dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
                cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
            fi
        fi
    done < /proc/partitions
    sleep 1
done
# the mapping was only opened to test the key; close it again and print the
# key on stdout, which is how cryptsetup gets it from a keyscript
cryptsetup luksClose /dev/mapper/${TARGET}
cat proposedkey
rm -f proposedkey
This script is not optimized in any way, but it reads the first 32 bytes of every device listed in /proc/partitions and tries them against the LUKS header until one opens it; it then closes the mapping again and prints the key on stdout, which is how a crypttab keyscript hands the key back to cryptsetup. Note that it keeps looping until it finds the key: with the stick missing, the boot hangs at this point instead of falling back to a passphrase prompt. Save the script as /root/install/luks/keyscript.sh and make it executable (chmod +x), otherwise the initramfs hook cannot run it.
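A safer variant of the keyscript, added here as an example and not part of the original page: it skips the header and blank lines of /proc/partitions, rejects short reads, checks each candidate with cryptsetup's --test-passphrase instead of opening and closing the mapping, gives up after a timeout, and falls back to a passphrase prompt so a missing stick does not hang the boot. It assumes Debian's cryptroot initramfs integration (which exports CRYPTTAB_SOURCE and CRYPTTAB_NAME to keyscripts and ships /lib/cryptsetup/askpass) and a cryptsetup that understands --test-passphrase; the /dev/md1 and md1_crypt defaults, the KEY_TIMEOUT and PARTITIONS_FILE variables and the function names are my own choices. Save it at the same path and reference it from crypttab the same way as the script above.

```shell
#!/bin/sh
# Added example keyscript, not the page's original: scan block devices for a
# 32-byte LUKS key, give up after a timeout and fall back to a passphrase
# prompt instead of looping forever.
#
# Assumptions (not from the page): run by Debian's cryptroot initramfs hook,
# which exports CRYPTTAB_SOURCE/CRYPTTAB_NAME and ships /lib/cryptsetup/askpass;
# dd and a cryptsetup that understands --test-passphrase are in the initramfs.

SOURCE="${CRYPTTAB_SOURCE:-/dev/md1}"             # device with the LUKS header
TARGET="${CRYPTTAB_NAME:-md1_crypt}"              # dm-crypt mapping name
KEYLEN=32                                         # bytes stored at offset 0 of the stick
TIMEOUT="${KEY_TIMEOUT:-30}"                      # seconds to wait for the stick
PARTITIONS="${PARTITIONS_FILE:-/proc/partitions}" # overridable for testing

# Print the device names from a /proc/partitions-style table, skipping the
# header line and the blank line that would otherwise be fed to dd unchecked.
candidate_devices() {
    while read -r _major _minor _blocks name; do
        case "$name" in
            ""|name) continue ;;
        esac
        printf '%s\n' "$name"
    done < "$1"
}

# Copy the first KEYLEN bytes of $1 into key file $2. Fails (and removes the
# file) on a read error or a short read, so a tiny device is never "tried".
read_candidate_key() {
    dd if="$1" of="$2" bs=1 count="$KEYLEN" 2>/dev/null || { rm -f "$2"; return 1; }
    [ "$(wc -c < "$2" | tr -d ' ')" -eq "$KEYLEN" ] || { rm -f "$2"; return 1; }
}

# Ask cryptsetup whether the key file unlocks SOURCE without creating a mapping.
key_unlocks_source() {
    cryptsetup luksOpen --test-passphrase --key-file "$1" "$SOURCE" >/dev/null 2>&1
}

# Scan every block device once per second until the key turns up or TIMEOUT
# expires. Keyscript protocol: the key material goes to stdout, nothing else.
find_key() {
    keyfile="/proposedkey.$$"      # initramfs root is a writable rootfs
    tries=0
    while [ "$tries" -lt "$TIMEOUT" ]; do
        for dev in $(candidate_devices "$PARTITIONS"); do
            [ -b "/dev/$dev" ] || continue
            read_candidate_key "/dev/$dev" "$keyfile" || continue
            if key_unlocks_source "$keyfile"; then
                cat "$keyfile"
                rm -f "$keyfile"
                return 0
            fi
        done
        sleep 1
        tries=$((tries + 1))
    done
    rm -f "$keyfile"
    # No stick: hand the job back to a human rather than hanging the boot.
    /lib/cryptsetup/askpass "No key device found, passphrase for $TARGET: "
}

# Only start scanning when run as the keyscript itself, so the functions can
# be sourced and exercised on a running system without touching any device.
case "$0" in
    *keyscript.sh) find_key ;;
esac
```

Before rebooting with either script you can check the stick on the running system the same way the script does: read its first 32 bytes with dd and pass the result to cryptsetup luksOpen --test-passphrase --key-file against /dev/md1. If that fails, the key was not written at offset 0 of the device the script will see.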
Now edit /etc/crypttab and point the entry at the keyscript (the keyscript option is understood by Debian's cryptsetup initramfs integration; the key file field stays none). The existing line
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks
becomes
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
Rebuild the initramfs so the keyscript gets pulled into the image, and refresh the boot loader config:
update-initramfs -u
update-grub
Reboot and test. Try it with the stick plugged in first, then make sure you can still get in without it (the original passphrase slot still works from rescue media) before you rely on the stick alone.