I'm a UNIX Sysadmin, specializing in Solaris and Linux. We should ALL know this stuff, but sometimes a trick or tip slips by, so every time I teach someone a neat trick (or someone teaches me a neat trick) it'll get shared here.

Tuesday, May 4, 2010

Ubuntu - Encrypted LVM's and Keyfile on a USB stick

I stole howtos from two places for this.
This post is more to remind me how I did it, so I can do it again.
Source documents:
http://www.debuntu.org/how-to-encrypted-partitions-over-lvm-with-luks
http://ubuntuforums.org/showthread.php?t=555513
http://www.debianhelp.org/node/6797

The steps I took.

First, I installed the system as normal. I always install an Ubuntu system with LVMs from the alternate CD, so I have flexibility to change partitions easily if needed.

So, I am only encrypting the home LVM. Not too worried about the rest.

1) move the contents of /home to /oldhome.
2) apt-get install cryptsetup lvm2

(lvm2 should already be installed, but I'm paranoid)
3) modprobe dm-crypt
4) My LVMs were already set. I'll be blowing away /home, so fill it with random data first; that way the old plaintext is gone and unused space looks the same as ciphertext (this takes a while on a big volume):
badblocks -c 10240 -s -w -t random -v /dev/PVNAME/homelvm

(PVNAME is the placeholder for the volume group name and homelvm for the logical volume; /dev/VGNAME/LVNAME is the path LVM creates for every logical volume, and it is the same device everywhere below.)


Now, let's set up the encrypted device:

5)

# cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/PVNAME/homelvm

(-y asks for the passphrase twice to catch typos. aes-cbc-essiv:sha256 with a 256-bit key was the cryptsetup default when this was written; current cryptsetup defaults to aes-xts-plain64 with a 512-bit key, so on a newer system just leave off --cipher and --key-size and take the default.)


6)

root@ubuntu:~# cryptsetup luksOpen /dev/PVNAME/homelvm encryptedhome
Enter LUKS passphrase: [your passphrase]
key slot 0 unlocked.
Command successful.


7) format the partition with whichever fs you want:
mkfs.ext4 /dev/mapper/encryptedhome


8) Modify your /etc/crypttab (fields: mapper name, source device, key file or "none" to prompt, options):
encryptedhome /dev/PVNAME/homelvm none luks,retry=1

YOU ARE NOT DONE YET:

9) add modules to /etc/initramfs-tools/modules:

aes-i586
dm-crypt
dm-mod
sha256
# these are for the automated keyfile coming up. if you aren't using it, skip:
nls_cp437
nls_iso8859_1
vfat

(aes-i586 is the 32-bit assembler AES module; on a 64-bit kernel the names are aes-x86_64 and, on CPUs with AES-NI, aesni-intel. Strictly, a non-root volume like /home is unlocked by the cryptdisks init script after the root filesystem is up, by which time the normal module tree is available, so these initramfs entries only come into play if you later encrypt root or swap. They do no harm here.)


10) edit fstab, modifying your mount for home like mine (note the fsck pass number at the end: 1 is reserved for the root filesystem, so every other filesystem gets 2):


/dev/mapper/encryptedhome /home ext4 errors=remount-ro 0 2


11) update initramfs!!

update-initramfs -k all -c


You now have an encrypted home LVM. Move your stuff back, and test it by rebooting. You should get a prompt at boot to type your passphrase.
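Before that reboot, here is the pre-flight check I'd run. It is an added example, not a script from this post or its sources. It follows the chain fstab entry -> /dev/mapper name -> crypttab target -> source device and complains about the things that leave you at a broken boot: a mapper name in fstab with no matching crypttab target, a fsck pass of 1 on a non-root filesystem, and a keyscript= option (used later in this post) that points at a file that is not executable. Run with --live as root, it also confirms the source is a LUKS container and, given a keyfile, that the keyfile opens a key slot without mapping anything. The script and function names are mine; CRYPTTAB and FSTAB can be pointed at copies of the files for a dry run.

```shell
#!/bin/sh
# crypt-home-check.sh: pre-reboot consistency check (added example, not from
# the post or its sources). Walks fstab -> /dev/mapper name -> crypttab target
# -> source device and reports anything that would leave you at a broken boot.
# CRYPTTAB and FSTAB can be pointed at copies of the files for a dry run.

CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"
FSTAB="${FSTAB:-/etc/fstab}"

# fstab_field MOUNTPOINT N: field N of the (non-comment) fstab line for MOUNTPOINT
fstab_field() {
    awk -v m="$1" -v n="$2" '$1 !~ /^#/ && $2 == m { print $n; exit }' "$FSTAB"
}

# crypttab_field TARGET N: field N of the crypttab line whose mapper name is TARGET
crypttab_field() {
    awk -v t="$1" -v n="$2" '$1 !~ /^#/ && $1 == t { print $n; exit }' "$CRYPTTAB"
}

# mapper_name DEVICE: the crypttab target behind a /dev/mapper/ path, else nothing
mapper_name() {
    case "$1" in
        /dev/mapper/?*) printf '%s\n' "${1#/dev/mapper/}" ;;
    esac
}

# keyscript_path OPTIONS: value of keyscript=... in a comma-separated option list
keyscript_path() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^keyscript=//p' | head -n 1
}

# check_mount MOUNTPOINT: static checks only. Prints the LUKS source device on
# success; diagnostics go to stderr and failures return non-zero.
check_mount() {
    mp="$1"
    dev=$(fstab_field "$mp" 1)
    [ -n "$dev" ] || { echo "FAIL: no fstab entry for $mp" >&2; return 1; }
    name=$(mapper_name "$dev")
    [ -n "$name" ] || { echo "FAIL: $mp is not on /dev/mapper: $dev" >&2; return 1; }
    src=$(crypttab_field "$name" 2)
    [ -n "$src" ] || { echo "FAIL: no crypttab target named $name" >&2; return 1; }
    if [ "$(fstab_field "$mp" 6)" = "1" ]; then
        echo "WARN: fsck pass 1 is reserved for the root filesystem; use 2 for $mp" >&2
    fi
    ks=$(keyscript_path "$(crypttab_field "$name" 4)")
    if [ -n "$ks" ] && [ ! -x "$ks" ]; then
        echo "FAIL: keyscript $ks is missing or not executable" >&2
        return 1
    fi
    printf '%s\n' "$src"
}

# live_check MOUNTPOINT [KEYFILE]: needs root and the real devices. Confirms the
# source is a LUKS container and, if KEYFILE is given, that it opens a key slot
# without mapping anything (--test-passphrase).
live_check() {
    src=$(check_mount "$1") || return 1
    [ -b "$src" ] || { echo "FAIL: $src is not a block device" >&2; return 1; }
    cryptsetup isLuks "$src" || { echo "FAIL: $src is not a LUKS device" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        cryptsetup luksOpen --test-passphrase --key-file "$2" "$src" \
            || { echo "FAIL: $2 does not unlock $src" >&2; return 1; }
    fi
    echo "OK: $1 -> $src"
}

# Usage: sh crypt-home-check.sh --live /home [/root/keyfile]
if [ "${1:-}" = "--live" ]; then
    live_check "$2" "${3:-}"
fi
```

If you would rather not reboot blind even after the check passes, you can exercise the crypttab entry in place: umount /home, cryptsetup luksClose encryptedhome, then cryptdisks_start encryptedhome (the Debian/Ubuntu helper that runs one crypttab entry) and mount /home.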

but passphrases are icky.
Let's now set the machine up so you can boot unattended if a keyfile is present on a USB key:

12) find a USB key. I use a general one formatted with vfat. Create a keyfile (4 KiB of random bytes), lock it down, and copy it to the top level of the stick under the name "key", which is what the keyscript below reads:


sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Keep /root/keyfile at mode 600 (chmod 600) so only root can read it. Anyone who can read that file, or who holds the stick, can open /home, so treat the stick like a written-down password.


13) Create a keyscript. Mine is slightly modified from the instructions above, mounting by UUID and not device. Save it as /sbin/keyscript (the path crypttab points at below) and make it executable by root only. Whatever the script writes to stdout is handed to cryptsetup as the key, so everything else is sent to stderr.

#!/bin/sh
modprobe usb-storage            # load the USB mass storage driver
sleep 5                         # wait for recognized devices to settle
mkdir -p /keydev 1>&2           # -p: don't fail if the mountpoint already exists
# mount read-only by filesystem UUID (deadbabe is a placeholder; see blkid below)
mount -t vfat -o ro,umask=077 UUID=deadbabe /keydev 1>&2 || exit 1
cat /keydev/key                 # the key itself: the only thing written to stdout
umount /keydev 1>&2


(if you need to find your uuid, use the "blkid" command)

14) add your keyfile to the encrypted LVM (it asks for an existing passphrase first, then stores the key in the next free slot):
cryptsetup luksAddKey /dev/PVNAME/homelvm /root/keyfile

Check that it took: cryptsetup luksDump /dev/PVNAME/homelvm should now show key slot 1 ENABLED next to slot 0.


15) change your /etc/crypttab to this:


encryptedhome /dev/PVNAME/homelvm none luks,keyscript=/sbin/keyscript
encryptedhome /dev/PVNAME/homelvm none luks,retry=1

This way, if you forget your keyfile, you can still use your passphrase: the cryptdisks init script works through /etc/crypttab line by line, and if the keyscript line fails to map the device the second line gets its turn. (Before relying on this on a release that uses systemd-cryptsetup, which generates one unit per target name instead of walking the file, check that the duplicate entry still behaves as a fallback.)
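An alternative to the two-line crypttab is to make the keyscript do the fallback itself, so the target is listed once and the behaviour does not depend on how the init system reads duplicate entries. The script below is an added example written in the spirit of the one above; it is not the post's or the forum's code. It assumes the /lib/cryptsetup/askpass prompt helper shipped with the Debian/Ubuntu cryptsetup package and that cryptdisks exports CRYPTTAB_NAME when it runs a keyscript; KEY_UUID (deadbabe is a placeholder), KEY_NAME, KEYDEV_DIR and WAIT_SECS are values to edit for your stick. Beyond the original it waits for udev's /dev/disk/by-uuid link instead of sleeping a fixed five seconds, refuses an empty keyfile, and falls back to a passphrase prompt when the stick is not there.

```shell
#!/bin/sh
# /sbin/keyscript with built-in fallback: added example, not the post's script.
# Tries the USB stick first (located by filesystem UUID via udev's
# /dev/disk/by-uuid link); if it is absent or unreadable, asks for the passphrase
# instead, so /etc/crypttab needs only ONE entry. cryptdisks captures stdout as
# the key, so nothing but the key may be written to stdout.

KEY_UUID="${KEY_UUID:-deadbabe}"     # assumption: your stick's UUID, from blkid
KEY_NAME="${KEY_NAME:-key}"          # file name on the stick
KEYDEV_DIR="${KEYDEV_DIR:-/keydev}"  # temporary mountpoint
WAIT_SECS="${WAIT_SECS:-10}"         # how long to wait for the stick to appear
ASKPASS="${ASKPASS:-/lib/cryptsetup/askpass}"  # assumption: Debian/Ubuntu cryptsetup prompt helper

log() { echo "keyscript: $*" >&2; }

# wait_for_dev PATH SECS: poll once a second until PATH exists; 1 on timeout.
# Replaces the fixed "sleep 5", which is either too long or too short.
wait_for_dev() {
    left="$2"
    while [ "$left" -gt 0 ]; do
        [ -e "$1" ] && return 0
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# emit_key DIR: write DIR/$KEY_NAME to stdout; 1 if missing or empty, so a
# damaged stick never hands cryptsetup a zero-length key.
emit_key() {
    f="$1/$KEY_NAME"
    if [ -f "$f" ] && [ -s "$f" ]; then
        cat "$f"
    else
        return 1
    fi
}

# read_key_from_usb: mount the stick read-only, emit the key, unmount.
read_key_from_usb() {
    dev="/dev/disk/by-uuid/$KEY_UUID"
    modprobe usb-storage 2>/dev/null
    wait_for_dev "$dev" "$WAIT_SECS" || { log "no device with UUID $KEY_UUID"; return 1; }
    mkdir -p "$KEYDEV_DIR"
    mount -t vfat -o ro,umask=077 "$dev" "$KEYDEV_DIR" >&2 || { log "mount failed"; return 1; }
    if emit_key "$KEYDEV_DIR"; then rc=0; else rc=1; fi
    umount "$KEYDEV_DIR" >&2
    return "$rc"
}

main() {
    if read_key_from_usb; then
        log "key read from USB stick"
    else
        log "falling back to passphrase prompt"
        "$ASKPASS" "Enter passphrase for ${CRYPTTAB_NAME:-encryptedhome}: "
    fi
}

# cryptdisks exports CRYPTTAB_NAME when it invokes a keyscript (assumption about
# the Debian/Ubuntu keyscript interface); without it, e.g. when the file is
# sourced for testing, nothing runs.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    main
fi
```

Install it as /sbin/keyscript, chmod 700, and use a single crypttab line: encryptedhome /dev/PVNAME/homelvm none luks,keyscript=/sbin/keyscript. The variables at the top are plain defaults to edit in the file; cryptdisks does not pass them in. Diagnostics go to stderr because anything on stdout becomes the key.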

16) reboot!


About Me

I am currently a Unix Systems Engineer for a cloud-based EMR company. I've been making large, complex systems "go" since 1995. I've worked with Novell and Exchange in the past, and now specialize in Solaris and Linux.