KVM Host Booting from Luks Encryption
While encrypting your disks is a good idea, it also presents you with the problem that you have to enter the passphrase when booting the system. Running the KVM Host as a headless system with no keyboard attached really introduces a problem. Entering the passphrase is what the security is about, so circumventing this is really hosing you security.
Add a New Luks Key
Find yourself a good passphrase.
$ echo -n "uptime" | md5sum | dd of=keyfile_md1 bs=1 count=32
Add the New Key.
# cryptsetup luksAddKey /dev/md1 keyfile_md1 Enter any existing passphrase:
Put the Key on an USB Storage Device
Insert your USB storage device, Has to hold 32 bytes, hard to find a device that small. I use a 4GB USB storage device myself. Make the USB storage device look like its just garbage data.
# dd if=/dev/urandom of=/dev/sde
Put the key on it.
# dd if=keyfile_md1 of=/dev/sde
Using the Key
Next we need to initrd image to be able to use that information. Create the following script and make it executeable. /root/install/luks/keyscript.sh
SOURCE="/dev/md1" TARGET="md1_crypt" while [ ! -e /dev/mapper/${TARGET} ] do while read a b c DEVICE do if [ ! -e /dev/mapper/${TARGET} ] then if [ -e /dev/${DEVICE} ] then #echo -n "$DEVICE " dd if=/dev/${DEVICE} of=proposedkey bs=1 count=32 > /dev/null 2>&1 cryptsetup luksOpen ${SOURCE} ${TARGET} --key-file proposedkey > /dev/null 2>&1 fi fi done</proc/partitions done cryptsetup luksClose /dev/mapper/${TARGET} cat proposedkey
This script is not optimized in any way, but it checks all partitions in /proc/partitions until it finds a valid key.
Add the use of the script to /etc/crypttab.
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks
Becomes
md1_crypt UUID=72deeb7f-2289-40c5-99c1-52238afb78ef none luks,keyscript=/root/install/luks/keyscript.sh
Update initrd image and Grub
# update-initramfs -u # update-grub
Reboot and test.