Tue 09 of Feb, 2010 [02:15 UTC]  

EncryptedVarWithUSBKey

How to encrypt /var (or similar path) and keep the key in a USB flash stick
Introduction

I wanted to encrypt the /var of our servers and have a USB flash stick as the 'key'. This process requires two steps: first, create the partitions and install the operating system; second, make the modifications that enable the encrypted partition to be mounted at boot.

I first created a root partition "/" in /dev/hda1, a var partition "/var" in /dev/hda2 and a swap partition in /dev/hda3.

I then installed Fedora Core 6 on the system. I performed all the disk partitioning via Fedora's anaconda installer, but that shouldn't be any different from any other Linux distribution. After the installation is complete, you may boot the system and start creating the encrypted partition.

Steps to encrypt /var

Now, here comes the weird part. /var is an important path that Linux requires in order to boot and run, so it cannot simply be taken offline on a running system (it's not like encrypting the /home partition, where we can just log in as root and nothing in /home will be marked as 'in use').

In other words, we have to: copy the entire /var structure to a temporary directory, unmount /var, encrypt the /var partition, re-create an ext3 filesystem on it, mount it, and move the structure back from our temp dir into the newly encrypted partition.

Here are the steps (comments are in parentheses):


  1. init 1 (switch to single user mode)
  2. prepare your system: disable SELinux and use the "service" command to stop running services
  3. prepare your kernel: run "modprobe aes" and "modprobe dm-crypt"
  4. mkdir /tmp/tempvar (make temp dir)
  5. cd /var
  6. mv * /tmp/tempvar (move file structure to temp dir, ignore any errors!)
  7. cd ..
  8. umount -f -l /var (force unmount of a live file system)
  9. badblocks -f -c 10240 -s -w -t random -v /dev/hda2 (optional, write random data on the partition)
  10. mount /dev/sdc1 /media/flash (mount your USB flash disk)
  11. dd if=/dev/random of=/media/flash/var.key bs=1 count=256 (generate key on USB flash stick)
  12. cryptsetup --verbose -c aes-cbc-essiv:sha256 luksFormat /dev/hda2 /media/flash/var.key (encrypt partition and use our USB flash key)
  13. cryptsetup --key-file /media/flash/var.key luksOpen /dev/hda2 var (create a mapping)
  14. mkfs.ext3 -j -m 1 -O dir_index,sparse_super /dev/mapper/var (generate ext3 filesystem)

Before we mount the partition we need to use the mapper device we created with the 'luksOpen' command above. Thus, edit your /etc/fstab, change the "/dev/hda2" entry to "/dev/mapper/var", and don't let it be checked for errors on boot. For example:

/dev/hda2 /var ext3 defaults 1 2


change to:

/dev/mapper/var /var ext3 defaults 0 0


Now we may continue:


  1. mount /var (mount the partition)
  2. cd /tmp/tempvar
  3. mv * /var

End of part 1.


Set up encrypted boot and USB stick

In part 2 we modify the system so that it boots properly and mounts the encrypted /var partition, loading the key file from the USB stick.

First, create the /etc/crypttab file with a line like this:

var /dev/hda2 /media/flash/var.key


Then edit your /etc/rc.sysinit, find the line that says "Starting disk encryption:" and, just before the call to init_crypto, add the following lines:

modprobe usb_storage (required because udev hasn't created the USB storage /dev entries yet)
sleep 5 (USB storage takes 2-3 seconds to be discovered and to create the /dev entries, so we delay a bit)
mount -n -t vfat -o ro,umask=377 /dev/sdc1 /media/flash (of course you need to use your own /dev entry here)


That's it: you may now reboot and the system will be fully working (as long as your USB flash stick is plugged in).

End of part 2.
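The two edits above (fstab pointing at /dev/mapper/var with fsck disabled, and crypttab naming the key on the stick) plus the rc.sysinit mount must all agree for the box to boot. The following checks are an added example, not part of the original page; they run on constructed sample files in a temp dir, and the /media/flash mount point, the "var" mapping name and the "Starting disk encryption:" marker are taken from the text above.

```shell
# Added example (not from the page): consistency checks for the fstab, crypttab and rc.sysinit edits.

# rewrite_fstab FSTAB DEVICE NAME: point the /var line at the LUKS mapping
# and zero the dump and fsck fields, as the page does by hand.
rewrite_fstab() {
    awk -v dev="$2" -v map="/dev/mapper/$3" '
        $1 == dev && $2 == "/var" { $1 = map; $5 = 0; $6 = 0 }
        { print }' "$1"
}

# check_pairing FSTAB CRYPTTAB FLASHDIR: every /dev/mapper/<name> mount in
# fstab needs a crypttab line "<name> <device> <keyfile>" whose key lives
# under FLASHDIR (where rc.sysinit mounts the stick), and its fsck pass must
# be 0 since the mapping is not open yet when fsck runs. One line per problem.
check_pairing() {
    awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1, $6 }' "$1" |
    while read -r name pass; do
        key=$(awk -v n="$name" '$1 == n { print $3 }' "$2")
        case "$key" in
            "")     echo "$name: no crypttab entry with a key file" ;;
            "$3"/*) ;;
            *)      echo "$name: key $key is not under $3" ;;
        esac
        [ "$pass" = "0" ] || echo "$name: fstab fsck pass is '$pass', must be 0"
    done
}

# check_sysinit RC_SYSINIT FLASHDIR: the stick must be mounted before the
# "Starting disk encryption:" step. An initscripts update replaces the file
# and drops the mount lines (see the FAQ), so re-run this after updates.
check_sysinit() {
    awk -v flash="$2" '
        /^[ \t]*mount / && index($0, flash) { mounted = NR }
        /Starting disk encryption:/         { crypt = NR }
        END { exit !(mounted && crypt && mounted < crypt) }' "$1"
}
# Constructed sample files mirroring the page's layout (hda1 is /, hda2 is /var).
TMP=$(mktemp -d)
printf '%s\n' '/dev/hda1 / ext3 defaults 1 1' '/dev/hda2 /var ext3 defaults 1 2' > "$TMP/fstab.before"
rewrite_fstab "$TMP/fstab.before" /dev/hda2 var > "$TMP/fstab.after"
echo '/dev/mapper/var /var ext3 defaults 1 2' > "$TMP/fstab.bad"        # fsck pass left at 2
echo 'var /dev/hda2 /media/flash/var.key' > "$TMP/crypttab"
printf '%s\n' 'modprobe usb_storage' 'sleep 5' \
    'mount -n -t vfat -o ro,umask=377 /dev/sdc1 /media/flash' \
    'echo "Starting disk encryption:"' 'init_crypto 1' > "$TMP/rc.sysinit"
printf '%s\n' 'echo "Starting disk encryption:"' 'init_crypto 1' > "$TMP/rc.sysinit.stock"
check_pairing "$TMP/fstab.after" "$TMP/crypttab" /media/flash   # silent: consistent
check_pairing "$TMP/fstab.bad"   "$TMP/crypttab" /media/flash   # reports the fsck pass
check_sysinit "$TMP/rc.sysinit.stock" /media/flash || echo "rc.sysinit lost the USB mount lines"
```

Point the three functions at the real /etc/fstab, /etc/crypttab and /etc/rc.sysinit to get the same report on a live box, in particular right after an initscripts update.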


FAQ & Problem solving

Each step in the above process has some pitfalls. The first problem is usually encountered when altering a partition or directory that is in use, in our case the /var partition. There won't be any issues if the process is done in single user mode (no services accessing /var, etc.).

If you are installing on a new system you don't need to modify a live /var partition. Just install the entire operating system on / (root) and, after the installation is complete, you may create the partition which will hold /var and run cryptsetup on it without any worries. Of course you still need to switch to single user mode to remove the original /var and replace it with our encrypted /dev/mapper/var.

In case you get a "Command failed" error when running cryptsetup, you probably didn't type the "YES" answer in all capitals.

If you get error messages about key failure, you probably don't have the right modules loaded. Execute "modprobe dm-crypt" and "modprobe aes"; you may of course load other crypto modules as well, e.g. "modprobe twofish".

Using /dev/sdc1 (or whatever your device node is) to access your USB flash key is not a very portable solution. Instead, you may mount the device by its USB ID, which stays the same no matter which USB port/hub you use.

Be careful when updating RPM packages. The /etc/rc.sysinit file will be replaced when you update the "initscripts" package, and you won't be able to boot your system.



-- Dimitrios Michelinakis (dimitris@michelinakis.gr)



Created by: sehh last modification: Saturday 30 of January, 2010 [15:12:29 UTC] by benw