RSAFirstSectorsMiniHOWTO

!! Introduction

This mini howto describes how to set up disc encryption using dm-crypt and openssl. The encryption key for the disc will be kept in the first sectors of the encrypted device. The symmetric key itsself will be enrypted using an RSA public key.

The idea behind this is quite similar to the crypt.pl approach but with some extensions this could be used to use a smart card to encrypt the disc (or acctually store the RSA private key for the symmetric encryption key stored on the disc)

To to this you need:

• OpenSSL
• dm-crypt (of course)
• opensc (for smart card integration)

Create you own CA

Create CA:
/usr/share/ssl/misc/CA -newca

(TODO: Be more verbose here...)

Create your new RSA Key

Create signing request
/usr/share/ssl/misc/CA -newreq

Sign it
/usr/share/ssl/misc/CA -sign

The signed cert will be used for the smart card...

(TODO: Be more verbose here...)

Rename the key to meaningfull name:
mv newreq.pem myrsakey.pem

Prepare your disk for encryption

Before you use any encryption, you should raise the entropy level. In our case you fill the disk with random data.

If you will use /dev/sda2, do
dd if=/dev/urandom of=/dev/sda2
this will take a while

Create key for disc encryption

First extract the public key from your .pem
openssl rsa -pubout -in myrsakey.pem -out myrsakey.pub

So let's create the actual key for dm-crypt:
dd if=/dev/random bs=1 count=96 | openssl rsautl -encrypt -pubin -inkey myrsakey.pub -pkcs -out hdkey.enc

The -pkcs option will do the padding for us... so we end up with a 256 Byte key file.

Now the tricky part. Assuming we want to encrypt /dev/hda6. We save the key directly to the first sectors of the disk (Like in crypt.pl ):
dd if=hdkey.enc of=/dev/hda6
rm hdkey.enc # We don't need this anymore

Set up dm-crypt

Now we set up dm-crypt. I assume you have a dm-crypt capable kernel running and all modules loaded. So here we go:

dd if=/dev/hda6 bs=256 count=1 | # read encrypted key from raw disk
openssl rsautl -decypt -inkey myrsakey.pem | # decrypt it using ssl and your RSA private key
cryptosetup --hash=plain -o 2 create cryptpart /dev/hda6 # pass key to cryptosetup

The -o 2 Option tells cryptsetup to start the real device with an offset of 2 sectors (= 1024 bytes) this is the important part! If we had no offset we would have overwritten our disc encryption key!

Now it's time to format the new device with a filesystem of your choice:
mkfs.ext3 /dev/mapper/cryptpart

Mount it:
mkdir /crypt
mount /dev/mapper/cryptpart /crypt

To unmount und reset the cryptodevice use:
umount /crypt
cryptosetup remove cryptpart

Have fun!

Using smart card to store RSA key

With the solution shown above you have to remember the passphrase of your RSA keyfile and store it in a save place. It's possible to store the key file on a smart card. So even I've your card gets lost or stolen, you have to know the PIN to use the key.

To store the key on the SC, we have to decrypt it:
openssl rsa -in myrsakey.pem -out plainrsakey.pem

root# pkcs15-init -E
root# pkcs15-init --create-pkcs15 --profile pkcs15
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
root# pkcs15-init --auth-id 1 --store-pin --pin "123456" --puk "789012" --label "PIN"
Security officer PIN required.
Please enter Security officer PIN:
root# pkcs15-init --auth-id 1 --key-usage sign,decrypt --store-private-key plainrsakey.pem
Security officer PIN required.
Please enter Security officer PIN:
User PIN required.
Please enter User PIN:
Security officer PIN required.
Please enter Security officer PIN:
root# pkcs15-init --auth-id 1 --store-certificate newcert.pem
Security officer PIN required.
Please enter Security officer PIN:
root# pkcs15-init --finalize

It is better to use on-board kenerated keys, like this:

pkcs15-init --generate-key rsa/1024 --key-usage decrypt --auth-id 1

pkcs15-init with this command line will generate the key on-board, if knows how (depending on card type )

How to actually use the key to decrypt the key stored on disc:

This part is tested on an ubuntu dapper, your paths and package names may vary.
You have to have libengine-pkcs11-openssl and libopensc2 installed.

First you have to configure openssl to use opensc.
vi /usr/lib/ssl/openssl.cnf

Add the following line to the beginning of the file:

openssl_conf = openssl_def

And the following ones to the end (look at the pagesource for the correct syntax)):

openssl_def
engines = engine_section
engine_section
pkcs11 = pkcs11_section
pkcs11_section
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

Now you should add "-engine pkcs11" to every openssl command line, and refer to your key as id_<keyid> the key id is in a lot of cases 45 (the first key generated). You can easily figure out the actual id:

pkcs15-tool -k
(other keys)
Private RSA Key Private Key
Com. Flags : 3
Usage : 0x22, decrypt, unwrap
Access Flags: 0x1D, sensitive, alwaysSensitive, neverExtract, local
ModLength? : 1024
Key ref : 18
Native : yes
Path : 3f005015
Auth ID : 01
ID : 47

Now extract its public key to mykey.pub:
pkcs15-tool --read-public-key 47 |tee mykey.pub

create the hd key:
dd if=/dev/random bs=1 count=96 | openssl rsautl -encrypt -pubin -inkey mykey.pub -pkcs -out hdkey.enc

store the hard disk key (I use /dev/sda2):
dd if=hdkey.enc of=/dev/sda2

And setup the crypto disk:

dd if=/dev/sda2 bs=128 count=1 | openssl rsautl -decrypt -engine pkcs11 -keyform engine -inkey id_47 | cryptsetup --hash=plain -o 2 create cryptpart /dev/sda2

Now you can mkfs, mount, umount, etc. /dev/mapper/cryptpart

To stop the cryptographic partition, use
cryptsetup remove cryptpart

The advantage of on smart card key generation is: The private key has never left and will never leave the smart card and can therefore never be stolen.

• Google
• Hospedagem de Sites
• Mercado Livre
• Hospedagem
• Facebook
• globo.com
• Servidor Dedicado
• AdWords
• twitter
• Cloud
• Amazon
• Host
• orkut

Credits and further information

• The smart card scriptlets and idea was taken from Jari Eskelinen Using Rainbow iKey 3000 under Linux (or any other smart card)
• For more information about openssl and certificate creation have a look at Generating X.509 Certificates
• on-board key generation and chipcard usage is documented by Arpad Magosanyi
• Custom research papers, research paper about helpful tips regarding this topic

This incomplete and perhaps completely useless mini-howto was brought to you by ulkbold %)

logo design Naked Chat Nude Chat Webcam Chat Online Chat Live Chat