特殊:Badtitle/NS100:FeistyLUKSTwoFormFactor:修订间差异
小 新页面: {{From|https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor}} {{Languages|UbuntuHelp:FeistyLUKSTwoFormFactor}} == Two Form Factor Authentication and LUKS Whole Disk Encryption with... |
小无编辑摘要 |
||
第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor}} | {{From|https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor}} | ||
{{Languages|UbuntuHelp:FeistyLUKSTwoFormFactor}} | {{Languages|UbuntuHelp:FeistyLUKSTwoFormFactor}} | ||
== Two Form Factor Authentication and LUKS Whole Disk Encryption with Feisty Fawn 7.04 == | == Two Form Factor Authentication and LUKS Whole Disk Encryption with Feisty Fawn 7.04 == | ||
Skill: ''High'' | Skill: ''High'' | ||
Complexity: ''High'' | Complexity: ''High'' | ||
estTimeToComplete: ''3.5 hours'' (ex. radomizing disks) | estTimeToComplete: ''3.5 hours'' (ex. radomizing disks) | ||
Two Form Factor authentication in general relies on something you ''have'' and something you ''know''. I'll detail a means of creating an '''encrypted''' USB flash drive that will then contain the keys for unlocking and booting your systems. The encrypted USB flash drive containing the system keys will be what you ''have'' and the ''passphrase'' to unlock the encrypted USB flash drive to retrieve the system keys will be what you ''know''. | Two Form Factor authentication in general relies on something you ''have'' and something you ''know''. I'll detail a means of creating an '''encrypted''' USB flash drive that will then contain the keys for unlocking and booting your systems. The encrypted USB flash drive containing the system keys will be what you ''have'' and the ''passphrase'' to unlock the encrypted USB flash drive to retrieve the system keys will be what you ''know''. | ||
Feisty Fawn 7.04 (Server,Desktop,Alternative) do not offer first time installation to an encrypted volume. There are alternative methods available to install Feisty Fawn onto an encrypted whole disk system. | Feisty Fawn 7.04 (Server,Desktop,Alternative) do not offer first time installation to an encrypted volume. There are alternative methods available to install Feisty Fawn onto an encrypted whole disk system. | ||
The cryptsetup scripts are capable of utilizing a '''non-encrypted''' USB flash drive. However, they are not coded yet to handle twoform authentication which requires additional user prompting. | The cryptsetup scripts are capable of utilizing a '''non-encrypted''' USB flash drive. However, they are not coded yet to handle twoform authentication which requires additional user prompting. | ||
This 'howto' details creating an encrypted USB flash drive, installing Feisty Fawn onto an encrypted whole disk system and finally configuring the two form factor authentication for the system startup using the encrypted USB flash drive. | This 'howto' details creating an encrypted USB flash drive, installing Feisty Fawn onto an encrypted whole disk system and finally configuring the two form factor authentication for the system startup using the encrypted USB flash drive. | ||
{|border="1" cellspacing="0" | {|border="1" cellspacing="0" | ||
|Consider these excellent documents for related encryption information and methods.||[[FullSearch(cryptsetup)]] | |Consider these excellent documents for related encryption information and methods.||[[FullSearch(cryptsetup)]] | ||
|} | |} | ||
== Install Feisty Fawn 7.04 SERVER on Temporary Partition == | == Install Feisty Fawn 7.04 SERVER on Temporary Partition == | ||
Even if you intend to use Feisty Fawn as a 'desktop' system, installing the server version first reduces installation times, minimizes the disk consumed and avoids the initial clutter of a gui desktop for the encrypted setup. There is an included optional step towards the very end which will install the ubuntu-desktop. | Even if you intend to use Feisty Fawn as a 'desktop' system, installing the server version first reduces installation times, minimizes the disk consumed and avoids the initial clutter of a gui desktop for the encrypted setup. There is an included optional step towards the very end which will install the ubuntu-desktop. | ||
The boot volume /boot must be unecrypted as grub can't handle decrypting a boot partition. So, create 3 primary partitions. Use the /dev/sda2 partition as the ''tempoary'' unencrypted root / volume to begin. /dev/sda2 will later be used for the encrypted swap partition. So, size /dev/sda2 to accomodate the minimum server installation ~600MB and the maximum of what you want set for swap. (Rule of thumb 1.5 to 2 times physical RAM). | The boot volume /boot must be unecrypted as grub can't handle decrypting a boot partition. So, create 3 primary partitions. Use the /dev/sda2 partition as the ''tempoary'' unencrypted root / volume to begin. /dev/sda2 will later be used for the encrypted swap partition. So, size /dev/sda2 to accomodate the minimum server installation ~600MB and the maximum of what you want set for swap. (Rule of thumb 1.5 to 2 times physical RAM). | ||
Pre-Encrypt Partitions: | Pre-Encrypt Partitions: | ||
<pre><nowiki> | <pre><nowiki> | ||
第33行: | 第21行: | ||
/dev/sda3 AllRemaingSpace primary unused | /dev/sda3 AllRemaingSpace primary unused | ||
</nowiki></pre> | </nowiki></pre> | ||
'''Note:''' You will be ''root'' for all commands. i.e., ''$ sudo -i'' after each login. | '''Note:''' You will be ''root'' for all commands. i.e., ''$ sudo -i'' after each login. | ||
=== Install Base === | === Install Base === | ||
There is a wealth of documentation for installing Ubuntu Feisty Fawn 7.04 Server. Please refer to those documents if neccessary. | There is a wealth of documentation for installing Ubuntu Feisty Fawn 7.04 Server. Please refer to those documents if neccessary. | ||
=== Update, Install Cryptsetup and LVM2, Upgrade === | === Update, Install Cryptsetup and LVM2, Upgrade === | ||
With the base installation completed login and update the package listing. Install '''cryptsetup''' and '''lvm2''' for creating and managing the LUKS whole disk encryption. | With the base installation completed login and update the package listing. Install '''cryptsetup''' and '''lvm2''' for creating and managing the LUKS whole disk encryption. | ||
==== Setup APT ==== | ==== Setup APT ==== | ||
Uncomment the deb resources for ''multiverse'' and ''universe''. | Uncomment the deb resources for ''multiverse'' and ''universe''. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /etc/apt/sources.list | vi /etc/apt/sources.list | ||
</nowiki></pre> | </nowiki></pre> | ||
==== Update and Reboot ==== | ==== Update and Reboot ==== | ||
<pre><nowiki> | <pre><nowiki> | ||
apt-get update | apt-get update | ||
第60行: | 第38行: | ||
reboot | reboot | ||
</nowiki></pre> | </nowiki></pre> | ||
== Creating Encrypeted USB Flash Drive == | == Creating Encrypeted USB Flash Drive == | ||
=== Create UDEV Mapping === | === Create UDEV Mapping === | ||
Each computer system will report and mount your USB flash drive differently. e.g., /dev/sda or /dev/sdb | Each computer system will report and mount your USB flash drive differently. e.g., /dev/sda or /dev/sdb | ||
To avoid constant changes in the cryptsetup's initramfs scripts which rely on the the USB flash drive create a ''common'' device name for your USB flash drive on each system you intend to lock. | To avoid constant changes in the cryptsetup's initramfs scripts which rely on the the USB flash drive create a ''common'' device name for your USB flash drive on each system you intend to lock. | ||
==== Find USB Flash Drive Serial ID ==== | ==== Find USB Flash Drive Serial ID ==== | ||
Insert the USB flash drive you will be using. The USB will trigger a udev scan and will report the deivce name to the console. e.g., /dev/sdb. Armed with the device retrieve the device information and look for your USB flash drive manufacturer and associated serial number. | Insert the USB flash drive you will be using. The USB will trigger a udev scan and will report the deivce name to the console. e.g., /dev/sdb. Armed with the device retrieve the device information and look for your USB flash drive manufacturer and associated serial number. | ||
<pre><nowiki> | <pre><nowiki> | ||
udevinfo -a -p $(udevinfo -q path -n /dev/sdb) | udevinfo -a -p $(udevinfo -q path -n /dev/sdb) | ||
第80行: | 第52行: | ||
... | ... | ||
</nowiki></pre> | </nowiki></pre> | ||
==== Add USB Flash Drive Serial ID to UDEV Rules ==== | ==== Add USB Flash Drive Serial ID to UDEV Rules ==== | ||
Add the USB flash drive serial id and the common name to `/etc/udev/rules.d/65-persistent-storage.rules` and rescan the devices. The modified cryptsetup scripts use `/dev/cryptKey`. If you change the naming you'll need to modify those scripts. | Add the USB flash drive serial id and the common name to `/etc/udev/rules.d/65-persistent-storage.rules` and rescan the devices. The modified cryptsetup scripts use `/dev/cryptKey`. If you change the naming you'll need to modify those scripts. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /etc/udev/rules.d/65-persistent-storage.rules | vi /etc/udev/rules.d/65-persistent-storage.rules | ||
</nowiki></pre> | </nowiki></pre> | ||
Insert the following somewhere before the end label `LABEL="persistent_storage_end"`. | Insert the following somewhere before the end label `LABEL="persistent_storage_end"`. | ||
<pre><nowiki> | <pre><nowiki> | ||
KERNEL=="sd*|sr*|st*", ATTRS{serial}=="######################"", SYMLINK+="cryptKey%n" | KERNEL=="sd*|sr*|st*", ATTRS{serial}=="######################"", SYMLINK+="cryptKey%n" | ||
</nowiki></pre> | </nowiki></pre> | ||
Trigger and look for the common name device for your USB flash drive. | Trigger and look for the common name device for your USB flash drive. | ||
<pre><nowiki> | <pre><nowiki> | ||
第99行: | 第66行: | ||
ls /dev/cryptKey | ls /dev/cryptKey | ||
</nowiki></pre> | </nowiki></pre> | ||
The list command should have successfully returned `/dev/cryptKey`. Do not continue until this is correct. | The list command should have successfully returned `/dev/cryptKey`. Do not continue until this is correct. | ||
==== Create LUKS Partition with EXT2 Filesystem ==== | ==== Create LUKS Partition with EXT2 Filesystem ==== | ||
<pre><nowiki> | <pre><nowiki> | ||
modprobe dm_crypt | modprobe dm_crypt | ||
第112行: | 第76行: | ||
mount -t ext2 /dev/mapper/cryptkeys /mnt/cryptkeys | mount -t ext2 /dev/mapper/cryptkeys /mnt/cryptkeys | ||
</nowiki></pre> | </nowiki></pre> | ||
==== Generate Random Machine Key ==== | ==== Generate Random Machine Key ==== | ||
Create a ''random'' key that will eventually be used to lock/unlock this system and store it on the opened and mounted encrypted USB flash drive. Replace '''#FILENAME''' with the name of your choosing. It will be used in later system configurations. | Create a ''random'' key that will eventually be used to lock/unlock this system and store it on the opened and mounted encrypted USB flash drive. Replace '''#FILENAME''' with the name of your choosing. It will be used in later system configurations. | ||
<pre><nowiki> | <pre><nowiki> | ||
cd /mnt/cryptkeys | cd /mnt/cryptkeys | ||
dd if=/dev/random of=#FILENAME.luks bs=1 count=256 | dd if=/dev/random of=#FILENAME.luks bs=1 count=256 | ||
</nowiki></pre> | </nowiki></pre> | ||
== Install usbcryptkey Script == | == Install usbcryptkey Script == | ||
`usbcryptkey` will ease the mounting/unmounting of the LUKS encrypted USB flash drive. It will be called during the `initramfs/local-top/cryptroot` call at startup. | `usbcryptkey` will ease the mounting/unmounting of the LUKS encrypted USB flash drive. It will be called during the `initramfs/local-top/cryptroot` call at startup. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /bin/usbcryptkey | vi /bin/usbcryptkey | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
#!/bin/sh | #!/bin/sh | ||
# CryptKey value sent from cryptroot | # CryptKey value sent from cryptroot | ||
# Contains the devicename | # Contains the devicename | ||
# LUKS Options | # LUKS Options | ||
# Could pull from cryptroot but this allows for the 'USB Key' to be setup | # Could pull from cryptroot but this allows for the 'USB Key' to be setup | ||
# differently than the crypt volumes it is unlocking. | # differently than the crypt volumes it is unlocking. | ||
LUKS_OPTS="--readonly --cipher=aes-cbc-essiv:sha256 --hash=sha512 --key-size=256" | LUKS_OPTS="--readonly --cipher=aes-cbc-essiv:sha256 --hash=sha512 --key-size=256" | ||
# Get the device name | # Get the device name | ||
DEVNAME=$1 | DEVNAME=$1 | ||
# Likely not needed if called from cryptroot correctly | # Likely not needed if called from cryptroot correctly | ||
# but it doesn't hurt. | # but it doesn't hurt. | ||
modprobe -q dm_crypt | modprobe -q dm_crypt | ||
mount_usbcryptkey () | mount_usbcryptkey () | ||
{ | { | ||
# Wait for the USB Device | # Wait for the USB Device | ||
# PREREQ udev for cryptroot | # PREREQ udev for cryptroot | ||
第163行: | 第114行: | ||
fi | fi | ||
done | done | ||
# Check device is LUKS format | # Check device is LUKS format | ||
cryptsetup isLuks $DEVNAME | cryptsetup isLuks $DEVNAME | ||
第170行: | 第120行: | ||
exit 1 | exit 1 | ||
fi | fi | ||
# Open the USB key | # Open the USB key | ||
count=0 | count=0 | ||
第184行: | 第133行: | ||
fi | fi | ||
done | done | ||
# If it didn't open don't try anything else. | # If it didn't open don't try anything else. | ||
if [ $openstat -ne 0 ]; then | if [ $openstat -ne 0 ]; then | ||
exit $openstat | exit $openstat | ||
fi | fi | ||
# Mount the opened USB | # Mount the opened USB | ||
if [ ! -d /mnt/cryptkeys ]; then | if [ ! -d /mnt/cryptkeys ]; then | ||
mkdir -p -m 0700 /mnt/cryptkeys > /dev/null 2>&1 | mkdir -p -m 0700 /mnt/cryptkeys > /dev/null 2>&1 | ||
fi | fi | ||
count=0 | count=0 | ||
while [ $count -lt 3 ]; do | while [ $count -lt 3 ]; do | ||
第206行: | 第152行: | ||
done | done | ||
} | } | ||
umount_usbcryptkey () | umount_usbcryptkey () | ||
{ | { | ||
第212行: | 第157行: | ||
umount /mnt/cryptkeys > /dev/null 2>&1 | umount /mnt/cryptkeys > /dev/null 2>&1 | ||
cryptsetup luksClose theKeys > /dev/null 2>&1 | cryptsetup luksClose theKeys > /dev/null 2>&1 | ||
} | } | ||
# Begin work... | # Begin work... | ||
# If the device is mounted UNMOUNT it. | # If the device is mounted UNMOUNT it. | ||
# If the device is not mounted MOUNT it. | # If the device is not mounted MOUNT it. | ||
if [ -z $1 ]; then | if [ -z $1 ]; then | ||
echo "No device specified!" | echo "No device specified!" | ||
第224行: | 第166行: | ||
exit 1; | exit 1; | ||
fi | fi | ||
if [ -r /dev/mapper/theKeys ]; then | if [ -r /dev/mapper/theKeys ]; then | ||
umount_usbcryptkey | umount_usbcryptkey | ||
第233行: | 第174行: | ||
fi | fi | ||
</nowiki></pre> | </nowiki></pre> | ||
Now make the file executable. | Now make the file executable. | ||
<pre><nowiki> | <pre><nowiki> | ||
chmod 750 /bin/usbcryptkey | chmod 750 /bin/usbcryptkey | ||
</nowiki></pre> | </nowiki></pre> | ||
== Modify Cryptsetup Scripts == | == Modify Cryptsetup Scripts == | ||
You should have a bootable, stable server installation and and encrypted USB flash drive completed. The Feisty Fawn 7.04 cryptsetup scripts do not contain enough code to address an interactive two form factor authentication. A set of scripts must be modified. | You should have a bootable, stable server installation and and encrypted USB flash drive completed. The Feisty Fawn 7.04 cryptsetup scripts do not contain enough code to address an interactive two form factor authentication. A set of scripts must be modified. | ||
=== /usr/share/initramfs-tools/hooks/cryptroot === | === /usr/share/initramfs-tools/hooks/cryptroot === | ||
Copy the diff into a temporary patch file and apply. | Copy the diff into a temporary patch file and apply. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /tmp/patch1 | vi /tmp/patch1 | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
--- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 | --- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 | ||
第260行: | 第193行: | ||
OPTIONS="" | OPTIONS="" | ||
+ TWOFORM=0 | + TWOFORM=0 | ||
if [ -z "$target" ]; then | if [ -z "$target" ]; then | ||
echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2 | echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2 | ||
第287行: | 第219行: | ||
+ fi | + fi | ||
} | } | ||
get_device_modules() { | get_device_modules() { | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
patch -b -l /usr/share/initramfs-tools/hooks/cryptroot < /tmp/patch1 | patch -b -l /usr/share/initramfs-tools/hooks/cryptroot < /tmp/patch1 | ||
</nowiki></pre> | </nowiki></pre> | ||
=== /usr/share/initramfs-tools/scripts/local-top/cryptroot === | === /usr/share/initramfs-tools/scripts/local-top/cryptroot === | ||
Copy the diff into a temporary patch file and apply. ''vgchange doesn't exist in the initramfs so but lvm does.'' | Copy the diff into a temporary patch file and apply. ''vgchange doesn't exist in the initramfs so but lvm does.'' | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /tmp/patch2 | vi /tmp/patch2 | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
--- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 | --- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 | ||
第311行: | 第237行: | ||
cryptkey="" # This is only used as an argument to an eventual keyscript | cryptkey="" # This is only used as an argument to an eventual keyscript | ||
+ crypttwoform="" # TwoForm factor | + crypttwoform="" # TwoForm factor | ||
local IFS=" ," | local IFS=" ," | ||
for x in $cryptopts; do | for x in $cryptopts; do | ||
第326行: | 第251行: | ||
@@ -89,7 +93,7 @@ | @@ -89,7 +93,7 @@ | ||
vg="${1#/dev/mapper/}" | vg="${1#/dev/mapper/}" | ||
# Sanity checks | # Sanity checks | ||
- if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then | - if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then | ||
第332行: | 第256行: | ||
return 1 | return 1 | ||
fi | fi | ||
@@ -104,7 +108,7 @@ | @@ -104,7 +108,7 @@ | ||
# Reduce padded --'s to -'s | # Reduce padded --'s to -'s | ||
vg=$(echo ${vg} | sed -e 's#--#-#g') | vg=$(echo ${vg} | sed -e 's#--#-#g') | ||
- vgchange -ay ${vg} | - vgchange -ay ${vg} | ||
+ lvm vgchange -ay ${vg} | + lvm vgchange -ay ${vg} | ||
return $? | return $? | ||
} | } | ||
@@ -189,6 +193,7 @@ | @@ -189,6 +193,7 @@ | ||
# Try to get a satisfactory password three times | # Try to get a satisfactory password three times | ||
count=0 | count=0 | ||
第349行: | 第269行: | ||
while [ $count -lt 3 ]; do | while [ $count -lt 3 ]; do | ||
count=$(( $count + 1 )) | count=$(( $count + 1 )) | ||
@@ -200,23 +205,38 @@ | @@ -200,23 +205,38 @@ | ||
sleep 2 | sleep 2 | ||
fi | fi | ||
- if [ -n "$cryptkeyscript" ]; then | - if [ -n "$cryptkeyscript" ]; then | ||
+ if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then | + if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then | ||
第371行: | 第289行: | ||
$cryptcreate < /dev/console | $cryptcreate < /dev/console | ||
fi | fi | ||
if [ $? -ne 0 ]; then | if [ $? -ne 0 ]; then | ||
echo "cryptsetup: cryptsetup failed, bad password or options?" | echo "cryptsetup: cryptsetup failed, bad password or options?" | ||
第389行: | 第306行: | ||
+ $cryptkeyscript $cryptkey | + $cryptkeyscript $cryptkey | ||
fi | fi | ||
FSTYPE='' | FSTYPE='' | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
patch -b -l /usr/share/initramfs-tools/scripts/local-top/cryptroot < /tmp/patch2 | patch -b -l /usr/share/initramfs-tools/scripts/local-top/cryptroot < /tmp/patch2 | ||
</nowiki></pre> | </nowiki></pre> | ||
=== /usr/share/initramfs-tools/scripts/init-bottom/udev === | === /usr/share/initramfs-tools/scripts/init-bottom/udev === | ||
There is a quirk whereby the ''lvm-on-luks'' mappings are overwritten with the `/dev` filesystem is remounted for read write. We need `mapper` for the lvm mounts to funtion on boot. | There is a quirk whereby the ''lvm-on-luks'' mappings are overwritten with the `/dev` filesystem is remounted for read write. We need `mapper` for the lvm mounts to funtion on boot. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /tmp/patch3 | vi /tmp/patch3 | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
--- udev.orig 2007-04-10 09:03:36.000000000 -0500 | --- udev.orig 2007-04-10 09:03:36.000000000 -0500 | ||
第416行: | 第327行: | ||
mount -n -o move /dev ${rootmnt}/dev | mount -n -o move /dev ${rootmnt}/dev | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
patch -b -l /usr/share/initramfs-tools/scripts/init-bottom/udev < /tmp/patch3 | patch -b -l /usr/share/initramfs-tools/scripts/init-bottom/udev < /tmp/patch3 | ||
</nowiki></pre> | </nowiki></pre> | ||
After patching, if backups were created, remove them so as not to 'corrupt' the initramfs build. | After patching, if backups were created, remove them so as not to 'corrupt' the initramfs build. | ||
<pre><nowiki> | <pre><nowiki> | ||
rm /usr/share/initramfs-tools/scripts/local-top/cryptroot.orig | rm /usr/share/initramfs-tools/scripts/local-top/cryptroot.orig | ||
第428行: | 第336行: | ||
rm /usr/share/initramfs-tools/scripts/init-bottom/udev.orig | rm /usr/share/initramfs-tools/scripts/init-bottom/udev.orig | ||
</nowiki></pre> | </nowiki></pre> | ||
== Create LUKS/LVM Volumes on Unused Partition == | == Create LUKS/LVM Volumes on Unused Partition == | ||
=== Randomize the Unused Partition === | === Randomize the Unused Partition === | ||
To obscure use of the volume randomize the partition befor using it. '''Caution:''' `urandom` is not as good as `random` but will cut the time significantly. '''Note:''' This will take a considerable amount of time and is proporational to the volume size. e.g., Radomizing 1.5TB ~2Days. | To obscure use of the volume randomize the partition befor using it. '''Caution:''' `urandom` is not as good as `random` but will cut the time significantly. '''Note:''' This will take a considerable amount of time and is proporational to the volume size. e.g., Radomizing 1.5TB ~2Days. | ||
<pre><nowiki> | <pre><nowiki> | ||
dd if=/dev/urandom of=/dev/sda3 | dd if=/dev/urandom of=/dev/sda3 | ||
</nowiki></pre> | </nowiki></pre> | ||
Go find something fun to do outside! | Go find something fun to do outside! | ||
=== Create and Open LUKS Device === | === Create and Open LUKS Device === | ||
'''Note:''' I've used the largest cipher and hash available as well as key-size. The defaults are smaller. | '''Note:''' I've used the largest cipher and hash available as well as key-size. The defaults are smaller. | ||
<pre><nowiki> | <pre><nowiki> | ||
cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/sda3 | cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/sda3 | ||
</nowiki></pre> | </nowiki></pre> | ||
Edit the crypttab. The lvm option triggers the lvm on luks during startup. This will setup the LUKS whole disk encryption with an initial passphrase. Once this works the Two Form Factor configuration follows. | Edit the crypttab. The lvm option triggers the lvm on luks during startup. This will setup the LUKS whole disk encryption with an initial passphrase. Once this works the Two Form Factor configuration follows. | ||
<pre><nowiki> | <pre><nowiki> | ||
echo cryptVault /dev/sda3 none luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot >> /etc/crypttab | echo cryptVault /dev/sda3 none luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot >> /etc/crypttab | ||
</nowiki></pre> | </nowiki></pre> | ||
Open the LUKS partition. | Open the LUKS partition. | ||
<pre><nowiki> | <pre><nowiki> | ||
cryptsetup luksOpen /dev/sda3 cryptVault | cryptsetup luksOpen /dev/sda3 cryptVault | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Setup LVM Data Partitions === | === Setup LVM Data Partitions === | ||
Season to taste. The volume sizes will be relevant to your system design goals. '''Note: ''' When later converting to ''ubuntu-desktop'' apt required more space in /var then I had originally allocated. And rather than re-configure apt to use a different cache I just resized /var to +1024MB. The `lvsnap` volume is for creating snapshot volumes for backup purposes. It will not be referenced again in this document. It is there as a reminder to allocate for it before you slice and dice all avialable disk space. [todo: create communityDoc for BackupWithLVMSnaphot] | Season to taste. The volume sizes will be relevant to your system design goals. '''Note: ''' When later converting to ''ubuntu-desktop'' apt required more space in /var then I had originally allocated. And rather than re-configure apt to use a different cache I just resized /var to +1024MB. The `lvsnap` volume is for creating snapshot volumes for backup purposes. It will not be referenced again in this document. It is there as a reminder to allocate for it before you slice and dice all avialable disk space. [todo: create communityDoc for BackupWithLVMSnaphot] | ||
'''Note:''' The lvm volumes ''MUST'' be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. | '''Note:''' The lvm volumes ''MUST'' be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. | ||
<pre><nowiki> | <pre><nowiki> | ||
pvcreate /dev/mapper/cryptVault | pvcreate /dev/mapper/cryptVault | ||
第477行: | 第369行: | ||
lvcreate -L512M -nlvsnap vg00 | lvcreate -L512M -nlvsnap vg00 | ||
</nowiki></pre> | </nowiki></pre> | ||
'''Tip:''' If you will be allocating the remaining free extents to a volume do '''pvdisplay''' and find the '''Free PE''' and use that value in `ĺvcreate -l### -n#SOMEPART` | '''Tip:''' If you will be allocating the remaining free extents to a volume do '''pvdisplay''' and find the '''Free PE''' and use that value in `ĺvcreate -l### -n#SOMEPART` | ||
=== Apply Filesystems to the Partitions === | === Apply Filesystems to the Partitions === | ||
<pre><nowiki> | <pre><nowiki> | ||
mkfs.ext3 /dev/vg00/lvroot | mkfs.ext3 /dev/vg00/lvroot | ||
第489行: | 第378行: | ||
mkfs.ext3 /dev/vg00/lvsnap | mkfs.ext3 /dev/vg00/lvsnap | ||
</nowiki></pre> | </nowiki></pre> | ||
== Migrate Temporary Installation to Encrypted Volumes == | == Migrate Temporary Installation to Encrypted Volumes == | ||
=== Make Mount Points and Mount LUKS Encrypted LVM Volumes === | === Make Mount Points and Mount LUKS Encrypted LVM Volumes === | ||
<pre><nowiki> | <pre><nowiki> | ||
mkdir /tmp/croot | mkdir /tmp/croot | ||
第501行: | 第387行: | ||
mkdir /tmp/croot/var | mkdir /tmp/croot/var | ||
</nowiki></pre> | </nowiki></pre> | ||
'''Note:''' Due to an Ubuntu quirk `/var/run` and `/var/lock` must exist on the root filesystem during bootstrap/startup. Since we're splitting `/var` from the start we need to kludge for that behavior. | '''Note:''' Due to an Ubuntu quirk `/var/run` and `/var/lock` must exist on the root filesystem during bootstrap/startup. Since we're splitting `/var` from the start we need to kludge for that behavior. | ||
<pre><nowiki> | <pre><nowiki> | ||
$ mkdir -m 0700 /tmp/croot/var/run | $ mkdir -m 0700 /tmp/croot/var/run | ||
$ mkdir -m 0700 /tmp/croot/var/lock | $ mkdir -m 0700 /tmp/croot/var/lock | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
$ mount /dev/vg00/lvtmp /tmp/croot/tmp | $ mount /dev/vg00/lvtmp /tmp/croot/tmp | ||
第514行: | 第397行: | ||
$ mount /dev/vg00/lvhome /tmp/croot/home | $ mount /dev/vg00/lvhome /tmp/croot/home | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Copy the Temporary Base Installation to the Encrypted Volumes === | === Copy the Temporary Base Installation to the Encrypted Volumes === | ||
<pre><nowiki> | <pre><nowiki> | ||
cp -ax / /tmp/croot | cp -ax / /tmp/croot | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Mount Special Devices === | === Mount Special Devices === | ||
Mount the following special devices so that when we `chroot` everything will work. | Mount the following special devices so that when we `chroot` everything will work. | ||
<pre><nowiki> | <pre><nowiki> | ||
mount -t proc /proc /tmp/croot/proc | mount -t proc /proc /tmp/croot/proc | ||
第529行: | 第408行: | ||
mount /dev/sda1 /tmp/croot/boot | mount /dev/sda1 /tmp/croot/boot | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Change ROOT === | === Change ROOT === | ||
<pre><nowiki> | <pre><nowiki> | ||
chroot /tmp/croot | chroot /tmp/croot | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Edit FSTAB === | === Edit FSTAB === | ||
You should successfully be in the chroot environment and it will be nearly indistinguishable from the first. Don't get confused. Edit the fstab to reflect the desired filesystem layout. Season to taste. | You should successfully be in the chroot environment and it will be nearly indistinguishable from the first. Don't get confused. Edit the fstab to reflect the desired filesystem layout. Season to taste. | ||
'''Note:''' The lvm volumes ''MUST'' be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. Also, your fstab configuration listing will likely be different then the one listed. Season to taste. | '''Note:''' The lvm volumes ''MUST'' be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. Also, your fstab configuration listing will likely be different then the one listed. Season to taste. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /etc/fstab | vi /etc/fstab | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
# /etc/fstab: static file system information. | # /etc/fstab: static file system information. | ||
第557行: | 第430行: | ||
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0 | /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0 | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Edit /boot/grub/menu.lst === | === Edit /boot/grub/menu.lst === | ||
Edit grub/menu.lst and update the ''kopt'' value. Also, do yourself a favor and just turn splash off. It is nice but for now just complicates the LUKS passphrase prompting on startup. | Edit grub/menu.lst and update the ''kopt'' value. Also, do yourself a favor and just turn splash off. It is nice but for now just complicates the LUKS passphrase prompting on startup. | ||
<pre><nowiki> | <pre><nowiki> | ||
vi /boot/grub/menu.lst | vi /boot/grub/menu.lst | ||
</nowiki></pre> | </nowiki></pre> | ||
<pre><nowiki> | <pre><nowiki> | ||
# kopt=root=/dev/mapper/vg00-lvroot ro | # kopt=root=/dev/mapper/vg00-lvroot ro | ||
第571行: | 第440行: | ||
# defoptions=quiet | # defoptions=quiet | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Update initramfs Image === | === Update initramfs Image === | ||
It is vital to have the ''FSTAB'' and ''CRYPTROOT'' files properly edited. The initramfs scripts for setting up the crypt initrd rely on the settings in these files to generate the appropriate image. | It is vital to have the ''FSTAB'' and ''CRYPTROOT'' files properly edited. The initramfs scripts for setting up the crypt initrd rely on the settings in these files to generate the appropriate image. | ||
<pre><nowiki> | <pre><nowiki> | ||
update-initramfs -u ALL | update-initramfs -u ALL | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Update GRUB Boot Menu === | === Update GRUB Boot Menu === | ||
To get the correct and updated `menu.lst` stanza on the bootloader. | To get the correct and updated `menu.lst` stanza on the bootloader. | ||
<pre><nowiki> | <pre><nowiki> | ||
update-grub | update-grub | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Exit CHROOT === | === Exit CHROOT === | ||
If satisfied with the system setup and crypt changes exit out of the chroot environment. | If satisfied with the system setup and crypt changes exit out of the chroot environment. | ||
<pre><nowiki> | <pre><nowiki> | ||
exit | exit | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Unmount the New Encrypted Volumes === | === Unmount the New Encrypted Volumes === | ||
<pre><nowiki> | <pre><nowiki> | ||
cd / | cd / | ||
第609行: | 第467行: | ||
vgchange -a n vg00 | vgchange -a n vg00 | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Reboot === | === Reboot === | ||
<pre><nowiki> | <pre><nowiki> | ||
reboot | reboot | ||
</nowiki></pre> | </nowiki></pre> | ||
== Single Form Factor LUKS Whole Disk Encrypted Startup == | == Single Form Factor LUKS Whole Disk Encrypted Startup == | ||
You'll be prompted for the passphrase you used to create the LUKS cryptsetup on `/dev/sda3`. If successfull the system should boot without errors. | You'll be prompted for the passphrase you used to create the LUKS cryptsetup on `/dev/sda3`. If successfull the system should boot without errors. | ||
If you do encounter a problem: | If you do encounter a problem: | ||
1. Reboot | 1. Reboot | ||
2. Pause grub w/ <ESC> and edit kernel stanza and change `/dev/mapper/vg00-lvroot` to `/dev/sda2` ''(Remember we haven't deleted the un-encrypted installation yet.)'' | 2. Pause grub w/ <ESC> and edit kernel stanza and change `/dev/mapper/vg00-lvroot` to `/dev/sda2` ''(Remember we haven't deleted the un-encrypted installation yet.)'' | ||
3. Boot to `/dev/sda2` | 3. Boot to `/dev/sda2` | ||
4. Cryptsetup luksOpen `/dev/sda3` | 4. Cryptsetup luksOpen `/dev/sda3` | ||
5. Remount the filesystems (Refer to previous step: `Migrate Temporary Installation to Encrypted Volumes`.) | 5. Remount the filesystems (Refer to previous step: `Migrate Temporary Installation to Encrypted Volumes`.) | ||
6. Skip the copy step | 6. Skip the copy step | ||
7. `chroot /tmp/croot` | 7. `chroot /tmp/croot` | ||
8. Make your changes and try again | 8. Make your changes and try again | ||
---------------------------------- | ---------------------------------- | ||
== Setup Two Form Factor LUKS Whole Disk Encryption == | == Setup Two Form Factor LUKS Whole Disk Encryption == | ||
If you've successfully booted into the single form factor LUKS encrypted whole disk installation then you can continue setting up the system with the USB cryptKey for Two Form Factor authentication. | If you've successfully booted into the single form factor LUKS encrypted whole disk installation then you can continue setting up the system with the USB cryptKey for Two Form Factor authentication. | ||
=== Edit /etc/crypttab === | === Edit /etc/crypttab === | ||
Edit the `/etc/crypttab` file to reflect the items for Two Form authentication. Use the '''#FILENAME.luks''' from the random key step. Include a path if your encrypted USB flash drive filesystem has a directory structure that you are using to manage files. e.g., Under `/mnt/cryptkey/serverkeys` or `/mnt/cryptkey/laptopkey` etc. The '''#PATH''' is relative to the mount point. So, #PATH would be `serverkeys/#FILENAME.luks` or `laptopkey/#FILENAME.luks` | Edit the `/etc/crypttab` file to reflect the items for Two Form authentication. Use the '''#FILENAME.luks''' from the random key step. Include a path if your encrypted USB flash drive filesystem has a directory structure that you are using to manage files. e.g., Under `/mnt/cryptkey/serverkeys` or `/mnt/cryptkey/laptopkey` etc. The '''#PATH''' is relative to the mount point. So, #PATH would be `serverkeys/#FILENAME.luks` or `laptopkey/#FILENAME.luks` | ||
<pre><nowiki> | <pre><nowiki> | ||
echo cryptVault /dev/sda3 /dev/cryptKey luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot,keyscript=/bin/usbcryptkey,twoform=/#PATH#FILENAME.luks >> /etc/crypttab | echo cryptVault /dev/sda3 /dev/cryptKey luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot,keyscript=/bin/usbcryptkey,twoform=/#PATH#FILENAME.luks >> /etc/crypttab | ||
</nowiki></pre> | </nowiki></pre> | ||
'''DELETE the original cryptValut entry which doesn't depend on the USB cryptKey''' | '''DELETE the original cryptValut entry which doesn't depend on the USB cryptKey''' | ||
=== Open USB cryptKey === | === Open USB cryptKey === | ||
The `usbcryptkey` script should exist in `/bin`. ''If you have changed the location for `usbcryptkey` then you'll need to accomodate for that change in the `/etc/crypttab` file you just modified.'' | The `usbcryptkey` script should exist in `/bin`. ''If you have changed the location for `usbcryptkey` then you'll need to accomodate for that change in the `/etc/crypttab` file you just modified.'' | ||
If not currently mounted the script will prompt for the passphrase and mount the device. | If not currently mounted the script will prompt for the passphrase and mount the device. | ||
<pre><nowiki> | <pre><nowiki> | ||
usbcryptkey /dev/cryptKey | usbcryptkey /dev/cryptKey | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Add Random Generated Key === | === Add Random Generated Key === | ||
Add the new key file to the root `cryptVault`. This should add to Slot 1. | Add the new key file to the root `cryptVault`. This should add to Slot 1. | ||
When you add the key you'll be prompted for a passphrase. The passphrase is the one used when setting up `/dev/sda3` ''not'' the passphrase used for the USB cryptKey. | When you add the key you'll be prompted for a passphrase. The passphrase is the one used when setting up `/dev/sda3` ''not'' the passphrase used for the USB cryptKey. | ||
<pre><nowiki> | <pre><nowiki> | ||
cryptsetup luksAddKey /dev/sda3 /mnt/cryptkeys/#PATH#FILENAME.luks | cryptsetup luksAddKey /dev/sda3 /mnt/cryptkeys/#PATH#FILENAME.luks | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Update initramfs Image === | === Update initramfs Image === | ||
Armed with the settings for Two Form authentication to unlock your system update the initramfs image to contain the new changes. | Armed with the settings for Two Form authentication to unlock your system update the initramfs image to contain the new changes. | ||
<pre><nowiki> | <pre><nowiki> | ||
update-initramfs -u ALL | update-initramfs -u ALL | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Close USB cryptKey === | === Close USB cryptKey === | ||
<pre><nowiki> | <pre><nowiki> | ||
cd / | cd / | ||
usbcryptkey /dev/cryptKey | usbcryptkey /dev/cryptKey | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Reboot === | === Reboot === | ||
<pre><nowiki> | <pre><nowiki> | ||
reboot | reboot | ||
</nowiki></pre> | </nowiki></pre> | ||
== Two Form Factor LUKS Whole Disk Encrypted Startup == | == Two Form Factor LUKS Whole Disk Encrypted Startup == | ||
Until you ''remove the initial Slot0 key'' on `/dev/sda3` you can still startup ''WITHOUT'' the USB cryptKey. So, if you have problems with the USB cryptKey initial setup, you can discontinue the cryptkeyscript and be prompted for the `/dev/sda3` Slot0 passphrase. | Until you ''remove the initial Slot0 key'' on `/dev/sda3` you can still startup ''WITHOUT'' the USB cryptKey. So, if you have problems with the USB cryptKey initial setup, you can discontinue the cryptkeyscript and be prompted for the `/dev/sda3` Slot0 passphrase. | ||
=== Insert Encrypted USB Flash Drive === | === Insert Encrypted USB Flash Drive === | ||
1. Insert your USB cryptKey. ''Note:'' Depending on your system you may need to wait until after the `Setting up cryptograpic volume cryptVault (based on /dev/sd#)` because the USB device may be identified and assigned `/dev/sda` before the harddrive is identified accurately. | 1. Insert your USB cryptKey. ''Note:'' Depending on your system you may need to wait until after the `Setting up cryptograpic volume cryptVault (based on /dev/sd#)` because the USB device may be identified and assigned `/dev/sda` before the harddrive is identified accurately. | ||
2. If cryptKey found then you'll be prompted for the `USB CryptKey ==>` passphrase to unlock the USB cryptKey. | 2. If cryptKey found then you'll be prompted for the `USB CryptKey ==>` passphrase to unlock the USB cryptKey. | ||
3. If the USB cryptKey is opened successfully the cryptroot script based on the twoform setting in `/ect/crypttab` will fetch the requested key and procceed to unlock `/dev/sda3` with the random generated key. | 3. If the USB cryptKey is opened successfully the cryptroot script based on the twoform setting in `/ect/crypttab` will fetch the requested key and procceed to unlock `/dev/sda3` with the random generated key. | ||
4. If you fail to open the USB cryptKey for any reason you can discontinue the cryptkeyscript and be prompted for the /dev/sda3 Slot0 passphrase. Login, make your changes, `update-initramfs -u ALL` and retry. | 4. If you fail to open the USB cryptKey for any reason you can discontinue the cryptkeyscript and be prompted for the /dev/sda3 Slot0 passphrase. Login, make your changes, `update-initramfs -u ALL` and retry. | ||
== Setup Encrypted Swap == | == Setup Encrypted Swap == | ||
Now setup the encrypted SWAP which will replace `/dev/sda2`. '''Caution:''' Once you convert the temporary root `/dev/sda2` to `swap` you won't be able to make use of the un-encrypted volume for setup work and changes to the encrypted volumes. It'll mean you start from scratch if things go haywire. | Now setup the encrypted SWAP which will replace `/dev/sda2`. '''Caution:''' Once you convert the temporary root `/dev/sda2` to `swap` you won't be able to make use of the un-encrypted volume for setup work and changes to the encrypted volumes. It'll mean you start from scratch if things go haywire. | ||
=== Edit /etc/crypttab === | === Edit /etc/crypttab === | ||
<pre><nowiki> | <pre><nowiki> | ||
echo cryptSwap /dev/sda2 /dev/random swap >> /etc/crypttab | echo cryptSwap /dev/sda2 /dev/random swap >> /etc/crypttab | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Edit /etc/fstab === | === Edit /etc/fstab === | ||
Add `/dev/mapper/cryptSwap none swap sw 0 0` | Add `/dev/mapper/cryptSwap none swap sw 0 0` | ||
<pre><nowiki> | <pre><nowiki> | ||
# /etc/fstab: static file system information. | # /etc/fstab: static file system information. | ||
第735行: | 第546行: | ||
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0 | /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0 | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Update initramfs Image === | === Update initramfs Image === | ||
<pre><nowiki> | <pre><nowiki> | ||
update-initramfs -u ALL | update-initramfs -u ALL | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Radomize SWAP /dev/sda2 === | === Radomize SWAP /dev/sda2 === | ||
There goes the un-encrypted installation... Again, this will take about 15-30 minutes depending on the size of sda2. | There goes the un-encrypted installation... Again, this will take about 15-30 minutes depending on the size of sda2. | ||
<pre><nowiki> | <pre><nowiki> | ||
dd if=/dev/urandom of=/dev/sda2 | dd if=/dev/urandom of=/dev/sda2 | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Reboot and Confirm Swap === | === Reboot and Confirm Swap === | ||
You'll unlock everything again on reboot. | You'll unlock everything again on reboot. | ||
<pre><nowiki> | <pre><nowiki> | ||
reboot | reboot | ||
</nowiki></pre> | </nowiki></pre> | ||
You should see cryptSwap is active. If not go back to `/etc/fstab` or `/etc/crypttab`. | You should see cryptSwap is active. If not go back to `/etc/fstab` or `/etc/crypttab`. | ||
<pre><nowiki> | <pre><nowiki> | ||
cat /proc/swaps | cat /proc/swaps | ||
</nowiki></pre> | </nowiki></pre> | ||
== FINALIZE with True Two Form Factor == | == FINALIZE with True Two Form Factor == | ||
If satisfied with the startup using the USB Crypt``Key remove the passphrase that was initially used for `/dev/sda3` on Slot0. | If satisfied with the startup using the USB Crypt``Key remove the passphrase that was initially used for `/dev/sda3` on Slot0. | ||
If you remove the initial passphrase from Slot0 and rely on the random generated key stored on the USB Crypt``Key this affords some small plausable deniability. | If you remove the initial passphrase from Slot0 and rely on the random generated key stored on the USB Crypt``Key this affords some small plausable deniability. | ||
Once your remove the slot0 key form `/dev/sda3` the ''ONLY'' key which will unlock the luks device is the 256bit random keyfile located on the USB Crypt``Key device! | Once your remove the slot0 key form `/dev/sda3` the ''ONLY'' key which will unlock the luks device is the 256bit random keyfile located on the USB Crypt``Key device! | ||
You can add a passphrase back if you need/want to later but that somewhat defeats the whole purpose. | You can add a passphrase back if you need/want to later but that somewhat defeats the whole purpose. | ||
=== Mount USB cryptKey and Remove /dev/sda3 Slot0 Key === | === Mount USB cryptKey and Remove /dev/sda3 Slot0 Key === | ||
'''BE CONFIDENT THAT THE SYSTEM BOOTS FROM THE USB CRYPTKEY DEVICE BEFORE PROCEEDING!!''' | '''BE CONFIDENT THAT THE SYSTEM BOOTS FROM THE USB CRYPTKEY DEVICE BEFORE PROCEEDING!!''' | ||
With the USB Crypt``Key still inserted proceed with the Slot0 removal from `/dev/sda3`. After login... | With the USB Crypt``Key still inserted proceed with the Slot0 removal from `/dev/sda3`. After login... | ||
<pre><nowiki> | <pre><nowiki> | ||
usbcryptkey /dev/cryptKey | usbcryptkey /dev/cryptKey | ||
cryptsetup --key-file=/mnt/cryptkeys/#PATH#FILENAME.luks luksDelKey /dev/sda3 0 | cryptsetup --key-file=/mnt/cryptkeys/#PATH#FILENAME.luks luksDelKey /dev/sda3 0 | ||
</nowiki></pre> | </nowiki></pre> | ||
If command successfull then you can unmount the cryptKey. | If command successfull then you can unmount the cryptKey. | ||
<pre><nowiki> | <pre><nowiki> | ||
usbcryptkey /dev/cryptKey | usbcryptkey /dev/cryptKey | ||
</nowiki></pre> | </nowiki></pre> | ||
--------------------- | --------------------- | ||
== Optional == | == Optional == | ||
=== Install Ubuntu Desktop === | === Install Ubuntu Desktop === | ||
It is really quite painless and effective. I'm quite impressed! Enjoy the eye-candy! | It is really quite painless and effective. I'm quite impressed! Enjoy the eye-candy! | ||
<pre><nowiki> | <pre><nowiki> | ||
apt-get install ubuntu-desktop | apt-get install ubuntu-desktop | ||
</nowiki></pre> | </nowiki></pre> | ||
== Two Form Options == | == Two Form Options == | ||
In a more general sense with the twoform option set and the keyscript option referencing any funky script you want to return an available key-file to cryptsetup. The local-top/cryptroot script is expecting it at /mnt/cryptkeys i.e., twoform=/dir1/dir2/keyfile should be placed/linked/mounted into /mnt/cryptkeys with your keyscript | In a more general sense with the twoform option set and the keyscript option referencing any funky script you want to return an available key-file to cryptsetup. The local-top/cryptroot script is expecting it at /mnt/cryptkeys i.e., twoform=/dir1/dir2/keyfile should be placed/linked/mounted into /mnt/cryptkeys with your keyscript | ||
== Key Manipulations == | == Key Manipulations == | ||
The cryptroot changes don't do any memory moves of the key-file. It is just fed as the key-file parameter to cryptsetup. | The cryptroot changes don't do any memory moves of the key-file. It is just fed as the key-file parameter to cryptsetup. | ||
== Potential Security Vulnerabilities/Vectors == | == Potential Security Vulnerabilities/Vectors == | ||
1. Unencrypted boot on the host. With boot volume on the host kernel updates are convenient. However, without physical security of the host the initramfs image is vulnerable. That image contains the crypttab file entries exposing the cryptKey device name, the specified key-file and the keyscript file you are using. i.e.,usbcryptkey Unless you take measures to check the boot initramfs image for un-authorized changes an interloper may alter the initramfs boot image and insert code that may intercept and redirect any accessible keys/files. | 1. Unencrypted boot on the host. With boot volume on the host kernel updates are convenient. However, without physical security of the host the initramfs image is vulnerable. That image contains the crypttab file entries exposing the cryptKey device name, the specified key-file and the keyscript file you are using. i.e.,usbcryptkey Unless you take measures to check the boot initramfs image for un-authorized changes an interloper may alter the initramfs boot image and insert code that may intercept and redirect any accessible keys/files. | ||
2. Backup keys. (DON'T store your keys unencrypted.) | 2. Backup keys. (DON'T store your keys unencrypted.) | ||
3. '''Caution:''' `urandom` is not as good as `random` but will cut the time significantly. | 3. '''Caution:''' `urandom` is not as good as `random` but will cut the time significantly. | ||
4. Increased probability of multiple system compromises with a single USB device containing multiple system keys. | 4. Increased probability of multiple system compromises with a single USB device containing multiple system keys. | ||
=== Possible Solutions === | === Possible Solutions === | ||
1. Boot volume on the same usb flash drive with the keys. This would require some changes to scripts and such.. (Perhaps the 'strongest' protection to the problem. The 'keys' are more likely to stay in your possession. | 1. Boot volume on the same usb flash drive with the keys. This would require some changes to scripts and such.. (Perhaps the 'strongest' protection to the problem. The 'keys' are more likely to stay in your possession. | ||
A hash checksum of the boot kernel and image presented before cryptkey mounting. (Weak - adulterated initramfs image could report original numbers - fake out) It still might be advisable to checksum the /boot after /root mounted. Maybe an unnspecified script to report on the checksum and compare to the previous startup values. Brake booting if different for confirmation of changes. (thinking that the unidentified script would be outside of the initramfs ability to affect...) | A hash checksum of the boot kernel and image presented before cryptkey mounting. (Weak - adulterated initramfs image could report original numbers - fake out) It still might be advisable to checksum the /boot after /root mounted. Maybe an unnspecified script to report on the checksum and compare to the previous startup values. Brake booting if different for confirmation of changes. (thinking that the unidentified script would be outside of the initramfs ability to affect...) | ||
Encrypted /boot with GRUB able to prompt for passphrases to unlock the LUKS partitions. (Weak? - Now we have to trust GRUB hasn't been attacked. It is integral and bound to the hardrive partitions.) Could GRUB be loaded on a USB device? | Encrypted /boot with GRUB able to prompt for passphrases to unlock the LUKS partitions. (Weak? - Now we have to trust GRUB hasn't been attacked. It is integral and bound to the hardrive partitions.) Could GRUB be loaded on a USB device? | ||
2. Don't backup the random keys. Or back them up encrypted somewhere else. (But, backup keys could compromise plausible deniability if discovery of such media/medium exists.) | 2. Don't backup the random keys. Or back them up encrypted somewhere else. (But, backup keys could compromise plausible deniability if discovery of such media/medium exists.) | ||
3. Use 'random' when you can afford the painfull time penalty for encryption. | 3. Use 'random' when you can afford the painfull time penalty for encryption. | ||
4. Place the random system keys on individual encrypted USB devices thereby spreading the risks. However, the caveat being increased administration. | 4. Place the random system keys on individual encrypted USB devices thereby spreading the risks. However, the caveat being increased administration. | ||
== Creative Commons License == | == Creative Commons License == | ||
Author: James B. Crocker | Author: James B. Crocker | ||
EMail: [email protected] | EMail: [email protected] | ||
[http://i.creativecommons.org/l/by-sa/3.0/88x31.png] | [http://i.creativecommons.org/l/by-sa/3.0/88x31.png] | ||
This work is licensed under a [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-Share Alike 3.0 License]. | This work is licensed under a [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-Share Alike 3.0 License]. | ||
---- | ---- | ||
[[category:CategorySecurity]] [[category:CategoryDocumentation]] | [[category:CategorySecurity]] [[category:CategoryDocumentation]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
2007年11月30日 (五) 17:12的版本
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor }} |
点击翻译: |
English {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/af | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Afrikaans| [[::FeistyLUKSTwoFormFactor/af|Afrikaans]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ar | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|العربية| [[::FeistyLUKSTwoFormFactor/ar|العربية]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/az | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|azərbaycanca| [[::FeistyLUKSTwoFormFactor/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/bcc | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|جهلسری بلوچی| [[::FeistyLUKSTwoFormFactor/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/bg | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|български| [[::FeistyLUKSTwoFormFactor/bg|български]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/br | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|brezhoneg| [[::FeistyLUKSTwoFormFactor/br|brezhoneg]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ca | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|català| [[::FeistyLUKSTwoFormFactor/ca|català]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/cs | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|čeština| [[::FeistyLUKSTwoFormFactor/cs|čeština]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/de | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Deutsch| [[::FeistyLUKSTwoFormFactor/de|Deutsch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/el | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Ελληνικά| [[::FeistyLUKSTwoFormFactor/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/es | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|español| [[::FeistyLUKSTwoFormFactor/es|español]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/fa | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|فارسی| [[::FeistyLUKSTwoFormFactor/fa|فارسی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/fi | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|suomi| [[::FeistyLUKSTwoFormFactor/fi|suomi]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/fr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|français| [[::FeistyLUKSTwoFormFactor/fr|français]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/gu | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|ગુજરાતી| [[::FeistyLUKSTwoFormFactor/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/he | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|עברית| [[::FeistyLUKSTwoFormFactor/he|עברית]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/hu | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|magyar| [[::FeistyLUKSTwoFormFactor/hu|magyar]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/id | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Bahasa Indonesia| [[::FeistyLUKSTwoFormFactor/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/it | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|italiano| [[::FeistyLUKSTwoFormFactor/it|italiano]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ja | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|日本語| [[::FeistyLUKSTwoFormFactor/ja|日本語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ko | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|한국어| [[::FeistyLUKSTwoFormFactor/ko|한국어]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ksh | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Ripoarisch| [[::FeistyLUKSTwoFormFactor/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/mr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|मराठी| [[::FeistyLUKSTwoFormFactor/mr|मराठी]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ms | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Bahasa Melayu| [[::FeistyLUKSTwoFormFactor/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/nl | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Nederlands| [[::FeistyLUKSTwoFormFactor/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/no | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|norsk| [[::FeistyLUKSTwoFormFactor/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/oc | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|occitan| [[::FeistyLUKSTwoFormFactor/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/pl | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|polski| [[::FeistyLUKSTwoFormFactor/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/pt | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|português| [[::FeistyLUKSTwoFormFactor/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ro | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|română| [[::FeistyLUKSTwoFormFactor/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ru | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|русский| [[::FeistyLUKSTwoFormFactor/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/si | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|සිංහල| [[::FeistyLUKSTwoFormFactor/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/sq | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|shqip| [[::FeistyLUKSTwoFormFactor/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/sr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|српски / srpski| [[::FeistyLUKSTwoFormFactor/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/sv | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|svenska| [[::FeistyLUKSTwoFormFactor/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/th | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|ไทย| [[::FeistyLUKSTwoFormFactor/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/tr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Türkçe| [[::FeistyLUKSTwoFormFactor/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/vi | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Tiếng Việt| [[::FeistyLUKSTwoFormFactor/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/yue | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|粵語| [[::FeistyLUKSTwoFormFactor/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/zh | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|中文| [[::FeistyLUKSTwoFormFactor/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/zh-hans | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|中文(简体)| [[::FeistyLUKSTwoFormFactor/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/zh-hant | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|中文(繁體)| [[::FeistyLUKSTwoFormFactor/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:FeistyLUKSTwoFormFactor|:FeistyLUKSTwoFormFactor|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :FeistyLUKSTwoFormFactor/zh | | {{#ifexist: FeistyLUKSTwoFormFactor/zh | | {{#ifeq: {{#titleparts:FeistyLUKSTwoFormFactor|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:FeistyLUKSTwoFormFactor|1|-1|}} | zh | | }}
Two Form Factor Authentication and LUKS Whole Disk Encryption with Feisty Fawn 7.04
Skill: High Complexity: High estTimeToComplete: 3.5 hours (ex. radomizing disks) Two Form Factor authentication in general relies on something you have and something you know. I'll detail a means of creating an encrypted USB flash drive that will then contain the keys for unlocking and booting your systems. The encrypted USB flash drive containing the system keys will be what you have and the passphrase to unlock the encrypted USB flash drive to retrieve the system keys will be what you know. Feisty Fawn 7.04 (Server,Desktop,Alternative) do not offer first time installation to an encrypted volume. There are alternative methods available to install Feisty Fawn onto an encrypted whole disk system. The cryptsetup scripts are capable of utilizing a non-encrypted USB flash drive. However, they are not coded yet to handle twoform authentication which requires additional user prompting. This 'howto' details creating an encrypted USB flash drive, installing Feisty Fawn onto an encrypted whole disk system and finally configuring the two form factor authentication for the system startup using the encrypted USB flash drive.
Consider these excellent documents for related encryption information and methods. | FullSearch(cryptsetup) |
Install Feisty Fawn 7.04 SERVER on Temporary Partition
Even if you intend to use Feisty Fawn as a 'desktop' system, installing the server version first reduces installation times, minimizes the disk consumed and avoids the initial clutter of a gui desktop for the encrypted setup. There is an included optional step towards the very end which will install the ubuntu-desktop. The boot volume /boot must be unecrypted as grub can't handle decrypting a boot partition. So, create 3 primary partitions. Use the /dev/sda2 partition as the tempoary unencrypted root / volume to begin. /dev/sda2 will later be used for the encrypted swap partition. So, size /dev/sda2 to accomodate the minimum server installation ~600MB and the maximum of what you want set for swap. (Rule of thumb 1.5 to 2 times physical RAM). Pre-Encrypt Partitions:
/dev/sda1 255M ext3 primary /boot /dev/sda2 2048M ext3 primary / /dev/sda3 AllRemaingSpace primary unused
Note: You will be root for all commands. i.e., $ sudo -i after each login.
Install Base
There is a wealth of documentation for installing Ubuntu Feisty Fawn 7.04 Server. Please refer to those documents if neccessary.
Update, Install Cryptsetup and LVM2, Upgrade
With the base installation completed login and update the package listing. Install cryptsetup and lvm2 for creating and managing the LUKS whole disk encryption.
Setup APT
Uncomment the deb resources for multiverse and universe.
vi /etc/apt/sources.list
Update and Reboot
apt-get update apt-get install cryptsetup lvm2 patchutils apt-get upgrade reboot
Creating Encrypeted USB Flash Drive
Create UDEV Mapping
Each computer system will report and mount your USB flash drive differently. e.g., /dev/sda or /dev/sdb To avoid constant changes in the cryptsetup's initramfs scripts which rely on the the USB flash drive create a common device name for your USB flash drive on each system you intend to lock.
Find USB Flash Drive Serial ID
Insert the USB flash drive you will be using. The USB will trigger a udev scan and will report the deivce name to the console. e.g., /dev/sdb. Armed with the device retrieve the device information and look for your USB flash drive manufacturer and associated serial number.
udevinfo -a -p $(udevinfo -q path -n /dev/sdb) ... ATTRS{serial}=="#######################" ATTRS{product}=="SUPERFLY" ATTRS{manufacturer}=="LEXAR" ...
Add USB Flash Drive Serial ID to UDEV Rules
Add the USB flash drive serial id and the common name to `/etc/udev/rules.d/65-persistent-storage.rules` and rescan the devices. The modified cryptsetup scripts use `/dev/cryptKey`. If you change the naming you'll need to modify those scripts.
vi /etc/udev/rules.d/65-persistent-storage.rules
Insert the following somewhere before the end label `LABEL="persistent_storage_end"`.
KERNEL=="sd*|sr*|st*", ATTRS{serial}=="######################"", SYMLINK+="cryptKey%n"
Trigger and look for the common name device for your USB flash drive.
udevtrigger ls /dev/cryptKey
The list command should have successfully returned `/dev/cryptKey`. Do not continue until this is correct.
Create LUKS Partition with EXT2 Filesystem
modprobe dm_crypt cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/cryptKey cryptsetup luksOpen /dev/cryptKey cryptkeys mkfs.ext2 /dev/mapper/cryptkeys mkdir /mnt/cryptkeys mount -t ext2 /dev/mapper/cryptkeys /mnt/cryptkeys
Generate Random Machine Key
Create a random key that will eventually be used to lock/unlock this system and store it on the opened and mounted encrypted USB flash drive. Replace #FILENAME with the name of your choosing. It will be used in later system configurations.
cd /mnt/cryptkeys dd if=/dev/random of=#FILENAME.luks bs=1 count=256
Install usbcryptkey Script
`usbcryptkey` will ease the mounting/unmounting of the LUKS encrypted USB flash drive. It will be called during the `initramfs/local-top/cryptroot` call at startup.
vi /bin/usbcryptkey
#!/bin/sh # CryptKey value sent from cryptroot # Contains the devicename # LUKS Options # Could pull from cryptroot but this allows for the 'USB Key' to be setup # differently than the crypt volumes it is unlocking. LUKS_OPTS="--readonly --cipher=aes-cbc-essiv:sha256 --hash=sha512 --key-size=256" # Get the device name DEVNAME=$1 # Likely not needed if called from cryptroot correctly # but it doesn't hurt. modprobe -q dm_crypt mount_usbcryptkey () { # Wait for the USB Device # PREREQ udev for cryptroot # If the USB Device hasn't been created wait a bit. count=0 while [ $count -lt 3 ]; do count=$(( $count + 1 )) if [ ! -e $DEVNAME ]; then sleep 5 else break fi done # Check device is LUKS format cryptsetup isLuks $DEVNAME if [ $? -ne 0 ]; then echo "CryptKey device $DEVNAME is not LUKS formated!" exit 1 fi # Open the USB key count=0 openstat=0 while [ $count -lt 3 ]; do count=$(( $count + 1 )) if [ ! -e /dev/mapper/theKeys ]; then echo -n "USB CryptKey ==> " cryptsetup luksOpen $DEVNAME theKeys < /dev/console openstat=$? else break fi done # If it didn't open don't try anything else. if [ $openstat -ne 0 ]; then exit $openstat fi # Mount the opened USB if [ ! -d /mnt/cryptkeys ]; then mkdir -p -m 0700 /mnt/cryptkeys > /dev/null 2>&1 fi count=0 while [ $count -lt 3 ]; do count=$(( $count + 1 )) if [ ! -e /dev/mapper/theKeys ]; then sleep 5 else mount -n -r -t ext2 /dev/mapper/theKeys /mnt/cryptkeys > /dev/null 2>&1 break fi done } umount_usbcryptkey () { # Unmount and close the USB Keys umount /mnt/cryptkeys > /dev/null 2>&1 cryptsetup luksClose theKeys > /dev/null 2>&1 } # Begin work... # If the device is mounted UNMOUNT it. # If the device is not mounted MOUNT it. if [ -z $1 ]; then echo "No device specified!" echo "usbcryptkey DEVNAME" exit 1; fi if [ -r /dev/mapper/theKeys ]; then umount_usbcryptkey exit 0; else mount_usbcryptkey exit 0; fi
Now make the file executable.
chmod 750 /bin/usbcryptkey
Modify Cryptsetup Scripts
You should have a bootable, stable server installation and and encrypted USB flash drive completed. The Feisty Fawn 7.04 cryptsetup scripts do not contain enough code to address an interactive two form factor authentication. A set of scripts must be modified.
Copy the diff into a temporary patch file and apply.
vi /tmp/patch1
--- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 +++ cryptroot 2007-07-03 18:32:16.000000000 -0500 @@ -156,6 +156,7 @@ extraopts="$2" KEYSCRIPT="" OPTIONS="" + TWOFORM=0 if [ -z "$target" ]; then echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2 @@ -223,6 +224,10 @@ opt=$(basename "$opt") OPTIONS="$OPTIONS,keyscript=/keyscripts/$opt" ;; + twoform=*) + OPTIONS="$OPTIONS,$opt" + TWOFORM=1 + ;; *) # Presumably a non-supported option ;; @@ -234,6 +239,14 @@ echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2 return 1 fi + + # If twoform set then it depends on "key" and KEYSCRIPT + if [ $TWOFORM -eq 1 ]; then + if [ "$key" = "none" ] || [ -z "$KEYSCRIPT" ]; then + echo "cryptsetup: WARNING: target $target uses twoform and depends on key and keyscript, skipped" >&2 + return 1 + fi + fi } get_device_modules() {
patch -b -l /usr/share/initramfs-tools/hooks/cryptroot < /tmp/patch1
Copy the diff into a temporary patch file and apply. vgchange doesn't exist in the initramfs so but lvm does.
vi /tmp/patch2
--- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 +++ cryptroot 2007-07-03 18:33:33.000000000 -0500 @@ -43,6 +43,7 @@ cryptlvm="" cryptkeyscript="" cryptkey="" # This is only used as an argument to an eventual keyscript + crypttwoform="" # TwoForm factor local IFS=" ," for x in $cryptopts; do @@ -68,6 +69,9 @@ keyscript=*) cryptkeyscript=${x#keyscript=} ;; + twoform=*) + crypttwoform=${x#twoform=} + ;; key=*) if [ "${x#key=}" != "none" ]; then cryptkey=${x#key=} @@ -89,7 +93,7 @@ vg="${1#/dev/mapper/}" # Sanity checks - if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then + if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then return 1 fi @@ -104,7 +108,7 @@ # Reduce padded --'s to -'s vg=$(echo ${vg} | sed -e 's#--#-#g') - vgchange -ay ${vg} + lvm vgchange -ay ${vg} return $? } @@ -189,6 +193,7 @@ # Try to get a satisfactory password three times count=0 + ckscon=y while [ $count -lt 3 ]; do count=$(( $count + 1 )) @@ -200,23 +205,38 @@ sleep 2 fi - if [ -n "$cryptkeyscript" ]; then + if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then if [ ! -x "$cryptkeyscript" ]; then echo "cryptsetup: error - $cryptkeyscript missing" return 1 fi - $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=- + + if [ -z $crypttwoform ]; then + $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=- + else + $cryptkeyscript $cryptkey < /dev/console + $cryptcreate --key-file=/mnt/cryptkeys$crypttwoform + fi else $cryptcreate < /dev/console fi if [ $? -ne 0 ]; then echo "cryptsetup: cryptsetup failed, bad password or options?" + if [ -n "$cryptkeyscript" ]; then + echo -n "Continue using the cryptkeyscript? [y/n]: " + read ckscon < /dev/console + fi + sleep 3 continue elif [ ! -e "$NEWROOT" ]; then echo "cryptsetup: unknown error setting up device mapping" return 1 + elif [ -n $crypttwoform ] && [ -n $cryptkeyscript ] && [ -e $cryptkey ]; then + # The keyscript was called at least once so call the + # keyscript again to unmount the usb cryptkey device. + $cryptkeyscript $cryptkey fi FSTYPE=''
patch -b -l /usr/share/initramfs-tools/scripts/local-top/cryptroot < /tmp/patch2
There is a quirk whereby the lvm-on-luks mappings are overwritten with the `/dev` filesystem is remounted for read write. We need `mapper` for the lvm mounts to funtion on boot.
vi /tmp/patch3
--- udev.orig 2007-04-10 09:03:36.000000000 -0500 +++ udev 2007-07-03 18:13:46.000000000 -0500 @@ -27,5 +27,5 @@ # Move the real filesystem's /dev to beneath our tmpfs, then move it all # to the real filesystem mkdir -m 0700 -p /dev/.static/dev -mount -n -o bind ${rootmnt}/dev /dev/.static/dev +mount -n -o bind /dev/.static/dev ${rootmnt}/dev mount -n -o move /dev ${rootmnt}/dev
patch -b -l /usr/share/initramfs-tools/scripts/init-bottom/udev < /tmp/patch3
After patching, if backups were created, remove them so as not to 'corrupt' the initramfs build.
rm /usr/share/initramfs-tools/scripts/local-top/cryptroot.orig rm /usr/share/initramfs-tools/hooks/cryptroot.orig rm /usr/share/initramfs-tools/scripts/init-bottom/udev.orig
Create LUKS/LVM Volumes on Unused Partition
Randomize the Unused Partition
To obscure use of the volume randomize the partition befor using it. Caution: `urandom` is not as good as `random` but will cut the time significantly. Note: This will take a considerable amount of time and is proporational to the volume size. e.g., Radomizing 1.5TB ~2Days.
dd if=/dev/urandom of=/dev/sda3
Go find something fun to do outside!
Create and Open LUKS Device
Note: I've used the largest cipher and hash available as well as key-size. The defaults are smaller.
cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/sda3
Edit the crypttab. The lvm option triggers the lvm on luks during startup. This will setup the LUKS whole disk encryption with an initial passphrase. Once this works the Two Form Factor configuration follows.
echo cryptVault /dev/sda3 none luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot >> /etc/crypttab
Open the LUKS partition.
cryptsetup luksOpen /dev/sda3 cryptVault
Setup LVM Data Partitions
Season to taste. The volume sizes will be relevant to your system design goals. Note: When later converting to ubuntu-desktop apt required more space in /var then I had originally allocated. And rather than re-configure apt to use a different cache I just resized /var to +1024MB. The `lvsnap` volume is for creating snapshot volumes for backup purposes. It will not be referenced again in this document. It is there as a reminder to allocate for it before you slice and dice all avialable disk space. [todo: create communityDoc for BackupWithLVMSnaphot] Note: The lvm volumes MUST be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate.
pvcreate /dev/mapper/cryptVault vgcreate vg00 /dev/mapper/cryptVault vgchange -a y vg00 lvcreate -L70G -nlvroot vg00 lvcreate -L512M -nlvtmp vg00 lvcreate -L2048M -nlvvar vg00 lvcreate -L512M -nlvhome vg00 lvcreate -L512M -nlvsnap vg00
Tip: If you will be allocating the remaining free extents to a volume do pvdisplay and find the Free PE and use that value in `ĺvcreate -l### -n#SOMEPART`
Apply Filesystems to the Partitions
mkfs.ext3 /dev/vg00/lvroot mkfs.ext2 /dev/vg00/lvtmp mkfs.ext3 /dev/vg00/lvvar mkfs.ext3 /dev/vg00/lvhome mkfs.ext3 /dev/vg00/lvsnap
Migrate Temporary Installation to Encrypted Volumes
Make Mount Points and Mount LUKS Encrypted LVM Volumes
mkdir /tmp/croot mount /dev/vg00/lvroot /tmp/croot mkdir /tmp/croot/tmp mkdir /tmp/croot/home mkdir /tmp/croot/var
Note: Due to an Ubuntu quirk `/var/run` and `/var/lock` must exist on the root filesystem during bootstrap/startup. Since we're splitting `/var` from the start we need to kludge for that behavior.
$ mkdir -m 0700 /tmp/croot/var/run $ mkdir -m 0700 /tmp/croot/var/lock
$ mount /dev/vg00/lvtmp /tmp/croot/tmp $ mount /dev/vg00/lvvar /tmp/croot/var $ mount /dev/vg00/lvhome /tmp/croot/home
Copy the Temporary Base Installation to the Encrypted Volumes
cp -ax / /tmp/croot
Mount Special Devices
Mount the following special devices so that when we `chroot` everything will work.
mount -t proc /proc /tmp/croot/proc mount -o bind /dev /tmp/croot/dev mount /dev/sda1 /tmp/croot/boot
Change ROOT
chroot /tmp/croot
Edit FSTAB
You should successfully be in the chroot environment and it will be nearly indistinguishable from the first. Don't get confused. Edit the fstab to reflect the desired filesystem layout. Season to taste. Note: The lvm volumes MUST be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. Also, your fstab configuration listing will likely be different then the one listed. Season to taste.
vi /etc/fstab
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> /dev/sda1 /boot ext3 defaults 0 2 /dev/mapper/vg00-lvroot / ext3 defaults 0 1 /dev/mapper/vg00-lvvar /var ext3 defaults 0 1 /dev/mapper/vg00-lvtmp /tmp ext2 defaults 0 1 /dev/mapper/vg00-lvhome /home ext3 defaults 0 1 proc /proc proc defaults 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
Edit grub/menu.lst and update the kopt value. Also, do yourself a favor and just turn splash off. It is nice but for now just complicates the LUKS passphrase prompting on startup.
vi /boot/grub/menu.lst
# kopt=root=/dev/mapper/vg00-lvroot ro ... # defoptions=quiet
Update initramfs Image
It is vital to have the FSTAB and CRYPTROOT files properly edited. The initramfs scripts for setting up the crypt initrd rely on the settings in these files to generate the appropriate image.
update-initramfs -u ALL
Update GRUB Boot Menu
To get the correct and updated `menu.lst` stanza on the bootloader.
update-grub
Exit CHROOT
If satisfied with the system setup and crypt changes exit out of the chroot environment.
exit
Unmount the New Encrypted Volumes
cd / umount /tmp/croot/home umount /tmp/croot/tmp umount /tmp/croot/var umount /tmp/croot/boot umount /tmp/croot/proc umount /tmp/croot/dev umount /tmp/croot vgchange -a n vg00
Reboot
reboot
Single Form Factor LUKS Whole Disk Encrypted Startup
You'll be prompted for the passphrase you used to create the LUKS cryptsetup on `/dev/sda3`. If successfull the system should boot without errors. If you do encounter a problem: 1. Reboot 2. Pause grub w/ <ESC> and edit kernel stanza and change `/dev/mapper/vg00-lvroot` to `/dev/sda2` (Remember we haven't deleted the un-encrypted installation yet.) 3. Boot to `/dev/sda2` 4. Cryptsetup luksOpen `/dev/sda3` 5. Remount the filesystems (Refer to previous step: `Migrate Temporary Installation to Encrypted Volumes`.) 6. Skip the copy step 7. `chroot /tmp/croot` 8. Make your changes and try again
Setup Two Form Factor LUKS Whole Disk Encryption
If you've successfully booted into the single form factor LUKS encrypted whole disk installation then you can continue setting up the system with the USB cryptKey for Two Form Factor authentication.
Edit /etc/crypttab
Edit the `/etc/crypttab` file to reflect the items for Two Form authentication. Use the #FILENAME.luks from the random key step. Include a path if your encrypted USB flash drive filesystem has a directory structure that you are using to manage files. e.g., Under `/mnt/cryptkey/serverkeys` or `/mnt/cryptkey/laptopkey` etc. The #PATH is relative to the mount point. So, #PATH would be `serverkeys/#FILENAME.luks` or `laptopkey/#FILENAME.luks`
echo cryptVault /dev/sda3 /dev/cryptKey luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot,keyscript=/bin/usbcryptkey,twoform=/#PATH#FILENAME.luks >> /etc/crypttab
DELETE the original cryptValut entry which doesn't depend on the USB cryptKey
Open USB cryptKey
The `usbcryptkey` script should exist in `/bin`. If you have changed the location for `usbcryptkey` then you'll need to accomodate for that change in the `/etc/crypttab` file you just modified. If not currently mounted the script will prompt for the passphrase and mount the device.
usbcryptkey /dev/cryptKey
Add Random Generated Key
Add the new key file to the root `cryptVault`. This should add to Slot 1. When you add the key you'll be prompted for a passphrase. The passphrase is the one used when setting up `/dev/sda3` not the passphrase used for the USB cryptKey.
cryptsetup luksAddKey /dev/sda3 /mnt/cryptkeys/#PATH#FILENAME.luks
Update initramfs Image
Armed with the settings for Two Form authentication to unlock your system update the initramfs image to contain the new changes.
update-initramfs -u ALL
Close USB cryptKey
cd / usbcryptkey /dev/cryptKey
Reboot
reboot
Two Form Factor LUKS Whole Disk Encrypted Startup
Until you remove the initial Slot0 key on `/dev/sda3` you can still startup WITHOUT the USB cryptKey. So, if you have problems with the USB cryptKey initial setup, you can discontinue the cryptkeyscript and be prompted for the `/dev/sda3` Slot0 passphrase.
Insert Encrypted USB Flash Drive
1. Insert your USB cryptKey. Note: Depending on your system you may need to wait until after the `Setting up cryptograpic volume cryptVault (based on /dev/sd#)` because the USB device may be identified and assigned `/dev/sda` before the harddrive is identified accurately. 2. If cryptKey found then you'll be prompted for the `USB CryptKey ==>` passphrase to unlock the USB cryptKey. 3. If the USB cryptKey is opened successfully the cryptroot script based on the twoform setting in `/ect/crypttab` will fetch the requested key and procceed to unlock `/dev/sda3` with the random generated key. 4. If you fail to open the USB cryptKey for any reason you can discontinue the cryptkeyscript and be prompted for the /dev/sda3 Slot0 passphrase. Login, make your changes, `update-initramfs -u ALL` and retry.
Setup Encrypted Swap
Now setup the encrypted SWAP which will replace `/dev/sda2`. Caution: Once you convert the temporary root `/dev/sda2` to `swap` you won't be able to make use of the un-encrypted volume for setup work and changes to the encrypted volumes. It'll mean you start from scratch if things go haywire.
Edit /etc/crypttab
echo cryptSwap /dev/sda2 /dev/random swap >> /etc/crypttab
Edit /etc/fstab
Add `/dev/mapper/cryptSwap none swap sw 0 0`
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> # /dev/sda1 /dev/sda1 /boot ext3 defaults 0 2 /dev/mapper/cryptSwap none swap sw 0 0 /dev/mapper/vg00-lvroot / ext3 defaults 0 1 /dev/mapper/vg00-lvvar /var ext3 defaults 0 1 /dev/mapper/vg00-lvtmp /tmp ext2 defaults 0 1 /dev/mapper/vg00-lvhome /home ext3 defaults 0 1 proc /proc proc defaults 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
Update initramfs Image
update-initramfs -u ALL
Radomize SWAP /dev/sda2
There goes the un-encrypted installation... Again, this will take about 15-30 minutes depending on the size of sda2.
dd if=/dev/urandom of=/dev/sda2
Reboot and Confirm Swap
You'll unlock everything again on reboot.
reboot
You should see cryptSwap is active. If not go back to `/etc/fstab` or `/etc/crypttab`.
cat /proc/swaps
FINALIZE with True Two Form Factor
If satisfied with the startup using the USB Crypt``Key remove the passphrase that was initially used for `/dev/sda3` on Slot0. If you remove the initial passphrase from Slot0 and rely on the random generated key stored on the USB Crypt``Key this affords some small plausable deniability. Once your remove the slot0 key form `/dev/sda3` the ONLY key which will unlock the luks device is the 256bit random keyfile located on the USB Crypt``Key device! You can add a passphrase back if you need/want to later but that somewhat defeats the whole purpose.
Mount USB cryptKey and Remove /dev/sda3 Slot0 Key
BE CONFIDENT THAT THE SYSTEM BOOTS FROM THE USB CRYPTKEY DEVICE BEFORE PROCEEDING!! With the USB Crypt``Key still inserted proceed with the Slot0 removal from `/dev/sda3`. After login...
usbcryptkey /dev/cryptKey cryptsetup --key-file=/mnt/cryptkeys/#PATH#FILENAME.luks luksDelKey /dev/sda3 0
If command successfull then you can unmount the cryptKey.
usbcryptkey /dev/cryptKey
Optional
Install Ubuntu Desktop
It is really quite painless and effective. I'm quite impressed! Enjoy the eye-candy!
apt-get install ubuntu-desktop
Two Form Options
In a more general sense with the twoform option set and the keyscript option referencing any funky script you want to return an available key-file to cryptsetup. The local-top/cryptroot script is expecting it at /mnt/cryptkeys i.e., twoform=/dir1/dir2/keyfile should be placed/linked/mounted into /mnt/cryptkeys with your keyscript
Key Manipulations
The cryptroot changes don't do any memory moves of the key-file. It is just fed as the key-file parameter to cryptsetup.
Potential Security Vulnerabilities/Vectors
1. Unencrypted boot on the host. With boot volume on the host kernel updates are convenient. However, without physical security of the host the initramfs image is vulnerable. That image contains the crypttab file entries exposing the cryptKey device name, the specified key-file and the keyscript file you are using. i.e.,usbcryptkey Unless you take measures to check the boot initramfs image for un-authorized changes an interloper may alter the initramfs boot image and insert code that may intercept and redirect any accessible keys/files. 2. Backup keys. (DON'T store your keys unencrypted.) 3. Caution: `urandom` is not as good as `random` but will cut the time significantly. 4. Increased probability of multiple system compromises with a single USB device containing multiple system keys.
Possible Solutions
1. Boot volume on the same usb flash drive with the keys. This would require some changes to scripts and such.. (Perhaps the 'strongest' protection to the problem. The 'keys' are more likely to stay in your possession. A hash checksum of the boot kernel and image presented before cryptkey mounting. (Weak - adulterated initramfs image could report original numbers - fake out) It still might be advisable to checksum the /boot after /root mounted. Maybe an unnspecified script to report on the checksum and compare to the previous startup values. Brake booting if different for confirmation of changes. (thinking that the unidentified script would be outside of the initramfs ability to affect...) Encrypted /boot with GRUB able to prompt for passphrases to unlock the LUKS partitions. (Weak? - Now we have to trust GRUB hasn't been attacked. It is integral and bound to the hardrive partitions.) Could GRUB be loaded on a USB device? 2. Don't backup the random keys. Or back them up encrypted somewhere else. (But, backup keys could compromise plausible deniability if discovery of such media/medium exists.) 3. Use 'random' when you can afford the painfull time penalty for encryption. 4. Place the random system keys on individual encrypted USB devices thereby spreading the risks. However, the caveat being increased administration.
Creative Commons License
Author: James B. Crocker EMail: [email protected] [1] This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.