KVM Host Booting from Luks Encryption

While encrypting your disks is a good idea, it also presents you with a problem: you have to enter the passphrase when booting the system. Running the KVM host as a headless system with no keyboard attached makes this a real problem. Entering the passphrase is what the security is about, so circumventing it really hoses your security.

Add a New Luks Key

Find yourself a good passphrase.

$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32

Add the New Key.

# cryptsetup luksAddKey /dev/md1 keyfile_md1 
Enter any existing passphrase:

Put the Key on A USB Storage Device

Insert your USB storage device. It only has to hold 32 bytes, but it is hard to find a device that small; I use a 4GB USB storage device myself. First make the USB storage device look like it holds nothing but garbage data.

# dd if=/dev/urandom of=/dev/sde

Put the key on it.

# dd if=keyfile_md1 of=/dev/sde

Getting the Initramfs

OK, now we have the key on our USB storage device. Next we need the initrd image to be able to use that information.

#!/bin/sh
# Keyscript: read the first 32 bytes of every partition listed in
# /proc/partitions and try it as a key for ${SOURCE} until one works.
# The outer loop keeps scanning, so a USB stick inserted later is still picked up.
SOURCE="/dev/md1"
TARGET="md1_crypt"

while [ ! -e /dev/mapper/${TARGET} ]
do
        # /proc/partitions columns: major minor #blocks name
        while read a b c DEVICE
        do
                if [ ! -e /dev/mapper/${TARGET} ]
                then
                        # skip the header and blank lines, and names without a device node
                        if [ -n "${DEVICE}" ] && [ -e /dev/${DEVICE} ]
                        then
                                #echo -n "$DEVICE "
                                dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1
                                cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1
                        fi
                fi
        done < /proc/partitions
done
# The trial open succeeded: close it again and hand the key to cryptsetup on stdout.
cryptsetup luksClose /dev/mapper/${TARGET}
cat proposedkey

This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key. Save the script as /root/install/luks/keyscript.sh.
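The same scan with a bounded wait, as an added example that is not the page's keyscript: it tries every device in /proc/partitions like the script above, but gives up after KEY_SCAN_SECONDS and falls back to a passphrase prompt, so a headless host whose USB stick is missing does not hang forever. It assumes Debian's keyscript environment (cryptsetup exporting CRYPTTAB_SOURCE), cryptsetup's --test-passphrase flag and the /lib/cryptsetup/askpass helper from the initramfs; find_key takes the listing, device directory and verifier as parameters so the scan logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not the page's script: scan block devices for a 32-byte key
# as the page's keyscript does, but give up after KEY_SCAN_SECONDS and fall
# back to a passphrase prompt instead of looping forever when the USB stick is
# missing. Assumes Debian's keyscript environment (CRYPTTAB_SOURCE set by
# cryptsetup), the --test-passphrase flag and /lib/cryptsetup/askpass.

# Copy the first 32 bytes of device $1 into file $2.
read_candidate() {
    dd if="$1" of="$2" bs=1 count=32 2>/dev/null
}

# Check a candidate keyfile against the LUKS header without activating the
# mapping; cryptsetup performs the real open with the key this script prints.
verify_key() {
    cryptsetup luksOpen --test-passphrase --key-file "$1" "$CRYPTTAB_SOURCE" >/dev/null 2>&1
}

# Walk a /proc/partitions-style listing ($1), try each device under $2 with
# verifier $3; print the valid key and return 0, or return 1 if none fits.
find_key() {
    listing=$1; devdir=$2; verifier=$3
    candidate=$(mktemp) || return 1
    rc=1
    while read -r _major _minor _blocks name; do
        # Skip the header line, blank lines and names with no device node.
        [ -n "$name" ] && [ -e "$devdir/$name" ] || continue
        if read_candidate "$devdir/$name" "$candidate" && "$verifier" "$candidate"; then
            cat "$candidate"   # the key goes to stdout, where cryptsetup reads it
            rc=0; break
        fi
    done < "$listing"
    rm -f "$candidate"
    return $rc
}

main() {
    deadline=$(( $(date +%s) + ${KEY_SCAN_SECONDS:-30} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        find_key /proc/partitions /dev verify_key && return 0
        sleep 1   # give a slow USB stick time to enumerate
    done
    /lib/cryptsetup/askpass "No key device found, passphrase for $CRYPTTAB_SOURCE: "
}

# cryptsetup exports CRYPTTAB_SOURCE when it runs the keyscript; sourced
# elsewhere (e.g. in a test) only the functions are defined.
if [ -n "${CRYPTTAB_SOURCE:-}" ]; then
    main
fi
```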

Now edit /etc/crypttab. The line

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks

becomes

md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh

update-initramfs -u
update-grub

Reboot and test.