特殊:Badtitle/NS100:FeistyLUKSTwoFormFactor

来自Ubuntu中文
Wikibot留言 | 贡献2008年10月19日 (日) 22:48的版本
跳到导航跳到搜索

{{#ifexist: :FeistyLUKSTwoFormFactor/zh | | {{#ifexist: FeistyLUKSTwoFormFactor/zh | | {{#ifeq: {{#titleparts:FeistyLUKSTwoFormFactor|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:FeistyLUKSTwoFormFactor|1|-1|}} | zh | | }}

Two Form Factor Authentication and LUKS Whole Disk Encryption with Feisty Fawn 7.04

Skill: High Complexity: High estTimeToComplete: 3.5 hours (ex. radomizing disks) Two Form Factor authentication in general relies on something you have and something you know. I'll detail a means of creating an encrypted USB flash drive that will then contain the keys for unlocking and booting your systems. The encrypted USB flash drive containing the system keys will be what you have and the passphrase to unlock the encrypted USB flash drive to retrieve the system keys will be what you know. Feisty Fawn 7.04 (Server,Desktop,Alternative) do not offer first time installation to an encrypted volume. There are alternative methods available to install Feisty Fawn onto an encrypted whole disk system. The cryptsetup scripts are capable of utilizing a non-encrypted USB flash drive. However, they are not coded yet to handle twoform authentication which requires additional user prompting. This 'howto' details creating an encrypted USB flash drive, installing Feisty Fawn onto an encrypted whole disk system and finally configuring the two form factor authentication for the system startup using the encrypted USB flash drive.

Consider these excellent documents for related encryption information and methods. >

Install Feisty Fawn 7.04 SERVER on Temporary Partition

Even if you intend to use Feisty Fawn as a 'desktop' system, installing the server version first reduces installation times, minimizes the disk consumed and avoids the initial clutter of a gui desktop for the encrypted setup. There is an included optional step towards the very end which will install the ubuntu-desktop. The boot volume /boot must be unecrypted as grub can't handle decrypting a boot partition. So, create 3 primary partitions. Use the /dev/sda2 partition as the tempoary unencrypted root / volume to begin. /dev/sda2 will later be used for the encrypted swap partition. So, size /dev/sda2 to accomodate the minimum server installation ~600MB and the maximum of what you want set for swap. (Rule of thumb 1.5 to 2 times physical RAM). Pre-Encrypt Partitions:

/dev/sda1 255M ext3 primary /boot
/dev/sda2 2048M ext3 primary /
/dev/sda3 AllRemaingSpace primary unused

Note: You will be root for all commands. i.e., $ sudo -i after each login.

Install Base

There is a wealth of documentation for installing Ubuntu Feisty Fawn 7.04 Server. Please refer to those documents if neccessary.

Update, Install Cryptsetup and LVM2, Upgrade

With the base installation completed login and update the package listing. Install cryptsetup and lvm2 for creating and managing the LUKS whole disk encryption.

Setup APT

Uncomment the deb resources for multiverse and universe.

vi /etc/apt/sources.list

Update and Reboot

apt-get update
apt-get install cryptsetup lvm2 patchutils
apt-get upgrade
reboot

Creating Encrypeted USB Flash Drive

Create UDEV Mapping

Each computer system will report and mount your USB flash drive differently. e.g., /dev/sda or /dev/sdb To avoid constant changes in the cryptsetup's initramfs scripts which rely on the the USB flash drive create a common device name for your USB flash drive on each system you intend to lock.

Find USB Flash Drive Serial ID

Insert the USB flash drive you will be using. The USB will trigger a udev scan and will report the deivce name to the console. e.g., /dev/sdb. Armed with the device retrieve the device information and look for your USB flash drive manufacturer and associated serial number.

udevinfo -a -p $(udevinfo -q path -n /dev/sdb)
...
    ATTRS{serial}=="#######################"
    ATTRS{product}=="SUPERFLY"
    ATTRS{manufacturer}=="LEXAR"
...

Add USB Flash Drive Serial ID to UDEV Rules

Add the USB flash drive serial id and the common name to `/etc/udev/rules.d/65-persistent-storage.rules` and rescan the devices. The modified cryptsetup scripts use `/dev/cryptKey`. If you change the naming you'll need to modify those scripts.

vi /etc/udev/rules.d/65-persistent-storage.rules

Insert the following somewhere before the end label `LABEL="persistent_storage_end"`.

KERNEL=="sd*|sr*|st*", ATTRS{serial}=="######################"", SYMLINK+="cryptKey%n"

Trigger and look for the common name device for your USB flash drive.

udevtrigger
ls /dev/cryptKey

The list command should have successfully returned `/dev/cryptKey`. Do not continue until this is correct.

Create LUKS Partition with EXT2 Filesystem

modprobe dm_crypt
cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/cryptKey
cryptsetup luksOpen /dev/cryptKey cryptkeys
mkfs.ext2 /dev/mapper/cryptkeys
mkdir /mnt/cryptkeys
mount -t ext2 /dev/mapper/cryptkeys /mnt/cryptkeys

Generate Random Machine Key

Create a random key that will eventually be used to lock/unlock this system and store it on the opened and mounted encrypted USB flash drive. Replace #FILENAME with the name of your choosing. It will be used in later system configurations.

cd /mnt/cryptkeys
dd if=/dev/random of=#FILENAME.luks bs=1 count=256

Install usbcryptkey Script

`usbcryptkey` will ease the mounting/unmounting of the LUKS encrypted USB flash drive. It will be called during the `initramfs/local-top/cryptroot` call at startup.

vi /bin/usbcryptkey
#!/bin/sh

# CryptKey value sent from cryptroot
# Contains the devicename

# LUKS Options
# Could pull from cryptroot but this allows for the 'USB Key' to be setup
# differently than the crypt volumes it is unlocking.
LUKS_OPTS="--readonly --cipher=aes-cbc-essiv:sha256 --hash=sha512 --key-size=256"

# Get the device name
DEVNAME=$1

# Likely not needed if called from cryptroot correctly
# but it doesn't hurt.
modprobe -q dm_crypt

mount_usbcryptkey ()
{

	# Wait for the USB Device
	# PREREQ udev for cryptroot
	# If the USB Device hasn't been created wait a bit.
	count=0
	while [ $count -lt 3 ]; do
		count=$(( $count + 1 ))
		if [ ! -e $DEVNAME ]; then
			sleep 5
		else
			break
		fi
	done

	# Check device is LUKS format
	cryptsetup isLuks $DEVNAME
	if [ $? -ne 0 ]; then 
		echo "CryptKey device $DEVNAME is not LUKS formated!"
		exit 1
	fi

	# Open the USB key
	count=0
	openstat=0
	while [ $count -lt 3 ]; do
		count=$(( $count + 1 ))
		if [ ! -e /dev/mapper/theKeys ]; then
			echo -n "USB CryptKey ==> "
			cryptsetup luksOpen $DEVNAME theKeys < /dev/console
			openstat=$?
		else
			break
		fi
	done

	# If it didn't open don't try anything else.
	if [ $openstat -ne 0 ]; then
		exit $openstat
	fi

	# Mount the opened USB
	if [ ! -d /mnt/cryptkeys ]; then
		mkdir -p -m 0700 /mnt/cryptkeys > /dev/null 2>&1
	fi

	count=0
	while [ $count -lt 3 ]; do
		count=$(( $count + 1 ))
		if [ ! -e /dev/mapper/theKeys ]; then
			sleep 5
		else
			mount -n -r -t ext2 /dev/mapper/theKeys /mnt/cryptkeys > /dev/null 2>&1
			break
		fi
	done
}

umount_usbcryptkey ()
{
	# Unmount and close the USB Keys
	umount /mnt/cryptkeys > /dev/null 2>&1
	cryptsetup luksClose theKeys > /dev/null 2>&1

}

# Begin work...
# If the device is mounted UNMOUNT it.
# If the device is not mounted MOUNT it.

if [ -z $1 ]; then
        echo "No device specified!"
        echo "usbcryptkey DEVNAME"
        exit 1;
fi

if [ -r /dev/mapper/theKeys ]; then
	umount_usbcryptkey
	exit 0;
else
	mount_usbcryptkey
	exit 0;
fi

Now make the file executable.

chmod 750 /bin/usbcryptkey

Modify Cryptsetup Scripts

You should have a bootable, stable server installation and and encrypted USB flash drive completed. The Feisty Fawn 7.04 cryptsetup scripts do not contain enough code to address an interactive two form factor authentication. A set of scripts must be modified.

/usr/share/initramfs-tools/hooks/cryptroot

Copy the diff into a temporary patch file and apply.

vi /tmp/patch1
--- cryptroot.orig      2007-04-14 17:52:22.000000000 -0500
+++ cryptroot   2007-07-03 18:32:16.000000000 -0500
@@ -156,6 +156,7 @@
        extraopts="$2"
        KEYSCRIPT=""
        OPTIONS=""
+       TWOFORM=0
 
        if [ -z "$target" ]; then
                echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
@@ -223,6 +224,10 @@
                                opt=$(basename "$opt")
                                OPTIONS="$OPTIONS,keyscript=/keyscripts/$opt"
                                ;;
+                       twoform=*)
+                               OPTIONS="$OPTIONS,$opt"
+                               TWOFORM=1
+                               ;;
                        *)
                                # Presumably a non-supported option
                                ;;
@@ -234,6 +239,14 @@
                echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
                return 1
        fi
+
+       # If twoform set then it depends on "key" and KEYSCRIPT
+       if [ $TWOFORM -eq 1 ]; then
+               if [ "$key" = "none" ] || [ -z "$KEYSCRIPT" ]; then
+                       echo "cryptsetup: WARNING: target $target uses twoform and depends on key and keyscript, skipped" >&2
+                       return 1
+               fi
+       fi
 }
 
 get_device_modules() {
patch -b -l /usr/share/initramfs-tools/hooks/cryptroot < /tmp/patch1

/usr/share/initramfs-tools/scripts/local-top/cryptroot

Copy the diff into a temporary patch file and apply. vgchange doesn't exist in the initramfs so but lvm does.

vi /tmp/patch2
--- cryptroot.orig      2007-04-14 17:52:22.000000000 -0500
+++ cryptroot   2007-07-03 18:33:33.000000000 -0500
@@ -43,6 +43,7 @@
        cryptlvm=""
        cryptkeyscript=""
        cryptkey="" # This is only used as an argument to an eventual keyscript
+       crypttwoform="" # TwoForm factor
 
        local IFS=" ,"
        for x in $cryptopts; do
@@ -68,6 +69,9 @@
                keyscript=*)
                        cryptkeyscript=${x#keyscript=}
                        ;;
+               twoform=*)
+                       crypttwoform=${x#twoform=}
+                       ;;
                key=*)
                        if [ "${x#key=}" != "none" ]; then
                                cryptkey=${x#key=}
@@ -89,7 +93,7 @@
        vg="${1#/dev/mapper/}"
 
        # Sanity checks
-       if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then
+       if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then
                return 1
        fi
 
@@ -104,7 +108,7 @@
        # Reduce padded --'s to -'s
        vg=$(echo ${vg} | sed -e 's#--#-#g')
 
-       vgchange -ay ${vg}
+       lvm vgchange -ay ${vg}
        return $?
 }
 
@@ -189,6 +193,7 @@
 
        # Try to get a satisfactory password three times
        count=0
+       ckscon=y
        while [ $count -lt 3 ]; do
                count=$(( $count + 1 ))
 
@@ -200,23 +205,38 @@
                    sleep 2
                fi
 
-               if [ -n "$cryptkeyscript" ]; then
+               if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then
                        if [ ! -x "$cryptkeyscript" ]; then
                                echo "cryptsetup: error - $cryptkeyscript missing"
                                return 1
                        fi
-                       $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-
+
+                       if [ -z $crypttwoform ]; then
+                               $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-
+                       else
+                               $cryptkeyscript $cryptkey < /dev/console
+                               $cryptcreate --key-file=/mnt/cryptkeys$crypttwoform
+                       fi
                else
                        $cryptcreate < /dev/console
                fi
 
                if [ $? -ne 0 ]; then
                        echo "cryptsetup: cryptsetup failed, bad password or options?"
+                       if [ -n "$cryptkeyscript" ]; then
+                               echo -n "Continue using the cryptkeyscript? [y/n]: "
+                               read ckscon < /dev/console
+                       fi
+
                        sleep 3
                        continue
                elif [ ! -e "$NEWROOT" ]; then
                        echo "cryptsetup: unknown error setting up device mapping"
                        return 1
+               elif [ -n $crypttwoform ] && [ -n $cryptkeyscript ] && [ -e $cryptkey ]; then
+                       # The keyscript was called at least once so call the 
+                       # keyscript again to unmount the usb cryptkey device.
+                       $cryptkeyscript $cryptkey
                fi
 
                FSTYPE=''
patch -b -l /usr/share/initramfs-tools/scripts/local-top/cryptroot < /tmp/patch2

/usr/share/initramfs-tools/scripts/init-bottom/udev

There is a quirk whereby the lvm-on-luks mappings are overwritten with the `/dev` filesystem is remounted for read write. We need `mapper` for the lvm mounts to funtion on boot.

vi /tmp/patch3
--- udev.orig   2007-04-10 09:03:36.000000000 -0500
+++ udev        2007-07-03 18:13:46.000000000 -0500
@@ -27,5 +27,5 @@
 # Move the real filesystem's /dev to beneath our tmpfs, then move it all
 # to the real filesystem
 mkdir -m 0700 -p /dev/.static/dev
-mount -n -o bind ${rootmnt}/dev /dev/.static/dev
+mount -n -o bind /dev/.static/dev ${rootmnt}/dev
 mount -n -o move /dev ${rootmnt}/dev
patch -b -l /usr/share/initramfs-tools/scripts/init-bottom/udev < /tmp/patch3

After patching, if backups were created, remove them so as not to 'corrupt' the initramfs build.

rm /usr/share/initramfs-tools/scripts/local-top/cryptroot.orig
rm /usr/share/initramfs-tools/hooks/cryptroot.orig
rm /usr/share/initramfs-tools/scripts/init-bottom/udev.orig

Create LUKS/LVM Volumes on Unused Partition

Randomize the Unused Partition

To obscure use of the volume randomize the partition befor using it. Caution: `urandom` is not as good as `random` but will cut the time significantly. Note: This will take a considerable amount of time and is proporational to the volume size. e.g., Radomizing 1.5TB ~2Days.

dd if=/dev/urandom of=/dev/sda3

Go find something fun to do outside!

Create and Open LUKS Device

Note: I've used the largest cipher and hash available as well as key-size. The defaults are smaller.

cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/sda3

Edit the crypttab. The lvm option triggers the lvm on luks during startup. This will setup the LUKS whole disk encryption with an initial passphrase. Once this works the Two Form Factor configuration follows.

echo cryptVault /dev/sda3 none luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot >> /etc/crypttab

Open the LUKS partition.

cryptsetup luksOpen /dev/sda3 cryptVault

Setup LVM Data Partitions

Season to taste. The volume sizes will be relevant to your system design goals. Note: When later converting to ubuntu-desktop apt required more space in /var then I had originally allocated. And rather than re-configure apt to use a different cache I just resized /var to +1024MB. The `lvsnap` volume is for creating snapshot volumes for backup purposes. It will not be referenced again in this document. It is there as a reminder to allocate for it before you slice and dice all avialable disk space. [todo: create communityDoc for BackupWithLVMSnaphot] Note: The lvm volumes MUST be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate.

pvcreate /dev/mapper/cryptVault
vgcreate vg00 /dev/mapper/cryptVault
vgchange -a y vg00
lvcreate -L70G -nlvroot vg00
lvcreate -L512M -nlvtmp vg00
lvcreate -L2048M -nlvvar vg00
lvcreate -L512M -nlvhome vg00
lvcreate -L512M -nlvsnap vg00

Tip: If you will be allocating the remaining free extents to a volume do pvdisplay and find the Free PE and use that value in `ĺvcreate -l### -n#SOMEPART`

Apply Filesystems to the Partitions

mkfs.ext3 /dev/vg00/lvroot
mkfs.ext2 /dev/vg00/lvtmp
mkfs.ext3 /dev/vg00/lvvar
mkfs.ext3 /dev/vg00/lvhome
mkfs.ext3 /dev/vg00/lvsnap

Migrate Temporary Installation to Encrypted Volumes

Make Mount Points and Mount LUKS Encrypted LVM Volumes

mkdir /tmp/croot
mount /dev/vg00/lvroot /tmp/croot
mkdir /tmp/croot/tmp
mkdir /tmp/croot/home
mkdir /tmp/croot/var

Note: Due to an Ubuntu quirk `/var/run` and `/var/lock` must exist on the root filesystem during bootstrap/startup. Since we're splitting `/var` from the start we need to kludge for that behavior.

$ mkdir -m 0700 /tmp/croot/var/run
$ mkdir -m 0700 /tmp/croot/var/lock
$ mount /dev/vg00/lvtmp /tmp/croot/tmp
$ mount /dev/vg00/lvvar /tmp/croot/var
$ mount /dev/vg00/lvhome /tmp/croot/home

Copy the Temporary Base Installation to the Encrypted Volumes

cp -ax / /tmp/croot

Mount Special Devices

Mount the following special devices so that when we `chroot` everything will work.

mount -t proc /proc /tmp/croot/proc
mount -o bind /dev /tmp/croot/dev
mount /dev/sda1 /tmp/croot/boot

Change ROOT

chroot /tmp/croot

Edit FSTAB

You should successfully be in the chroot environment and it will be nearly indistinguishable from the first. Don't get confused. Edit the fstab to reflect the desired filesystem layout. Season to taste. Note: The lvm volumes MUST be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. Also, your fstab configuration listing will likely be different then the one listed. Season to taste.

vi /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/sda1	 	/boot           ext3    defaults        0       2
/dev/mapper/vg00-lvroot	/               ext3    defaults	0       1
/dev/mapper/vg00-lvvar		/var            ext3    defaults	0       1
/dev/mapper/vg00-lvtmp		/tmp            ext2    defaults	0       1
/dev/mapper/vg00-lvhome	/home           ext3    defaults	0       1
proc            /proc           proc    defaults        0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0

Edit /boot/grub/menu.lst

Edit grub/menu.lst and update the kopt value. Also, do yourself a favor and just turn splash off. It is nice but for now just complicates the LUKS passphrase prompting on startup.

vi /boot/grub/menu.lst
# kopt=root=/dev/mapper/vg00-lvroot ro
...
# defoptions=quiet

Update initramfs Image

It is vital to have the FSTAB and CRYPTROOT files properly edited. The initramfs scripts for setting up the crypt initrd rely on the settings in these files to generate the appropriate image.

update-initramfs -u ALL

Update GRUB Boot Menu

To get the correct and updated `menu.lst` stanza on the bootloader.

update-grub

Exit CHROOT

If satisfied with the system setup and crypt changes exit out of the chroot environment.

exit

Unmount the New Encrypted Volumes

cd /
umount /tmp/croot/home
umount /tmp/croot/tmp
umount /tmp/croot/var
umount /tmp/croot/boot
umount /tmp/croot/proc
umount /tmp/croot/dev
umount /tmp/croot
vgchange -a n vg00

Reboot

reboot

Single Form Factor LUKS Whole Disk Encrypted Startup

You'll be prompted for the passphrase you used to create the LUKS cryptsetup on `/dev/sda3`. If successfull the system should boot without errors. If you do encounter a problem: 1. Reboot 2. Pause grub w/ <ESC> and edit kernel stanza and change `/dev/mapper/vg00-lvroot` to `/dev/sda2` (Remember we haven't deleted the un-encrypted installation yet.) 3. Boot to `/dev/sda2` 4. Cryptsetup luksOpen `/dev/sda3` 5. Remount the filesystems (Refer to previous step: `Migrate Temporary Installation to Encrypted Volumes`.) 6. Skip the copy step 7. `chroot /tmp/croot` 8. Make your changes and try again


Setup Two Form Factor LUKS Whole Disk Encryption

If you've successfully booted into the single form factor LUKS encrypted whole disk installation then you can continue setting up the system with the USB cryptKey for Two Form Factor authentication.

Edit /etc/crypttab

Edit the `/etc/crypttab` file to reflect the items for Two Form authentication. Use the #FILENAME.luks from the random key step. Include a path if your encrypted USB flash drive filesystem has a directory structure that you are using to manage files. e.g., Under `/mnt/cryptkey/serverkeys` or `/mnt/cryptkey/laptopkey` etc. The #PATH is relative to the mount point. So, #PATH would be `serverkeys/#FILENAME.luks` or `laptopkey/#FILENAME.luks`

echo cryptVault /dev/sda3 /dev/cryptKey luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot,keyscript=/bin/usbcryptkey,twoform=/#PATH#FILENAME.luks >> /etc/crypttab

DELETE the original cryptValut entry which doesn't depend on the USB cryptKey

Open USB cryptKey

The `usbcryptkey` script should exist in `/bin`. If you have changed the location for `usbcryptkey` then you'll need to accomodate for that change in the `/etc/crypttab` file you just modified. If not currently mounted the script will prompt for the passphrase and mount the device.

usbcryptkey /dev/cryptKey

Add Random Generated Key

Add the new key file to the root `cryptVault`. This should add to Slot 1. When you add the key you'll be prompted for a passphrase. The passphrase is the one used when setting up `/dev/sda3` not the passphrase used for the USB cryptKey.

cryptsetup luksAddKey /dev/sda3 /mnt/cryptkeys/#PATH#FILENAME.luks

Update initramfs Image

Armed with the settings for Two Form authentication to unlock your system update the initramfs image to contain the new changes.

update-initramfs -u ALL

Close USB cryptKey

cd /
usbcryptkey /dev/cryptKey

Reboot

reboot

Two Form Factor LUKS Whole Disk Encrypted Startup

Until you remove the initial Slot0 key on `/dev/sda3` you can still startup WITHOUT the USB cryptKey. So, if you have problems with the USB cryptKey initial setup, you can discontinue the cryptkeyscript and be prompted for the `/dev/sda3` Slot0 passphrase.

Insert Encrypted USB Flash Drive

1. Insert your USB cryptKey. Note: Depending on your system you may need to wait until after the `Setting up cryptograpic volume cryptVault (based on /dev/sd#)` because the USB device may be identified and assigned `/dev/sda` before the harddrive is identified accurately. 2. If cryptKey found then you'll be prompted for the `USB CryptKey ==>` passphrase to unlock the USB cryptKey. 3. If the USB cryptKey is opened successfully the cryptroot script based on the twoform setting in `/ect/crypttab` will fetch the requested key and procceed to unlock `/dev/sda3` with the random generated key. 4. If you fail to open the USB cryptKey for any reason you can discontinue the cryptkeyscript and be prompted for the /dev/sda3 Slot0 passphrase. Login, make your changes, `update-initramfs -u ALL` and retry.

Setup Encrypted Swap

Now setup the encrypted SWAP which will replace `/dev/sda2`. Caution: Once you convert the temporary root `/dev/sda2` to `swap` you won't be able to make use of the un-encrypted volume for setup work and changes to the encrypted volumes. It'll mean you start from scratch if things go haywire.

Edit /etc/crypttab

echo cryptSwap /dev/sda2 /dev/random swap >> /etc/crypttab

Edit /etc/fstab

Add `/dev/mapper/cryptSwap none swap sw 0 0`

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# /dev/sda1
/dev/sda1	 	/boot           ext3    defaults        0       2
/dev/mapper/cryptSwap	none	swap	sw	0	0
/dev/mapper/vg00-lvroot	/               ext3    defaults	0       1
/dev/mapper/vg00-lvvar		/var            ext3    defaults	0       1
/dev/mapper/vg00-lvtmp		/tmp            ext2    defaults	0       1
/dev/mapper/vg00-lvhome	/home           ext3    defaults	0       1
proc            /proc           proc    defaults        0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0

Update initramfs Image

update-initramfs -u ALL

Radomize SWAP /dev/sda2

There goes the un-encrypted installation... Again, this will take about 15-30 minutes depending on the size of sda2.

dd if=/dev/urandom of=/dev/sda2

Reboot and Confirm Swap

You'll unlock everything again on reboot.

reboot

You should see cryptSwap is active. If not go back to `/etc/fstab` or `/etc/crypttab`.

cat /proc/swaps

FINALIZE with True Two Form Factor

If satisfied with the startup using the USB Crypt``Key remove the passphrase that was initially used for `/dev/sda3` on Slot0. If you remove the initial passphrase from Slot0 and rely on the random generated key stored on the USB Crypt``Key this affords some small plausable deniability. Once your remove the slot0 key form `/dev/sda3` the ONLY key which will unlock the luks device is the 256bit random keyfile located on the USB Crypt``Key device! You can add a passphrase back if you need/want to later but that somewhat defeats the whole purpose.

Mount USB cryptKey and Remove /dev/sda3 Slot0 Key

BE CONFIDENT THAT THE SYSTEM BOOTS FROM THE USB CRYPTKEY DEVICE BEFORE PROCEEDING!! With the USB Crypt``Key still inserted proceed with the Slot0 removal from `/dev/sda3`. After login...

usbcryptkey /dev/cryptKey
cryptsetup --key-file=/mnt/cryptkeys/#PATH#FILENAME.luks luksDelKey /dev/sda3 0

If command successfull then you can unmount the cryptKey.

usbcryptkey /dev/cryptKey

Optional

Install Ubuntu Desktop

It is really quite painless and effective. I'm quite impressed! Enjoy the eye-candy!

apt-get install ubuntu-desktop

Two Form Options

In a more general sense with the twoform option set and the keyscript option referencing any funky script you want to return an available key-file to cryptsetup. The local-top/cryptroot script is expecting it at /mnt/cryptkeys i.e., twoform=/dir1/dir2/keyfile should be placed/linked/mounted into /mnt/cryptkeys with your keyscript

Key Manipulations

The cryptroot changes don't do any memory moves of the key-file. It is just fed as the key-file parameter to cryptsetup.

Potential Security Vulnerabilities/Vectors

1. Unencrypted boot on the host. With boot volume on the host kernel updates are convenient. However, without physical security of the host the initramfs image is vulnerable. That image contains the crypttab file entries exposing the cryptKey device name, the specified key-file and the keyscript file you are using. i.e.,usbcryptkey Unless you take measures to check the boot initramfs image for un-authorized changes an interloper may alter the initramfs boot image and insert code that may intercept and redirect any accessible keys/files. 2. Backup keys. (DON'T store your keys unencrypted.) 3. Caution: `urandom` is not as good as `random` but will cut the time significantly. 4. Increased probability of multiple system compromises with a single USB device containing multiple system keys.

Possible Solutions

1. Boot volume on the same usb flash drive with the keys. This would require some changes to scripts and such.. (Perhaps the 'strongest' protection to the problem. The 'keys' are more likely to stay in your possession.

A hash checksum of the boot kernel and image presented before cryptkey mounting. (Weak - adulterated initramfs image could report original numbers - fake out) It still might be advisable to checksum the /boot after /root mounted. Maybe an unnspecified script to report on the checksum and compare to the previous startup values. Brake booting if different for confirmation of changes. (thinking that the unidentified script would be outside of the initramfs ability to affect...) Encrypted /boot with GRUB able to prompt for passphrases to unlock the LUKS partitions. (Weak? - Now we have to trust GRUB hasn't been attacked. It is integral and bound to the hardrive partitions.) Could GRUB be loaded on a USB device? 2. Don't backup the random keys. Or back them up encrypted somewhere else. (But, backup keys could compromise plausible deniability if discovery of such media/medium exists.) 3. Use 'random' when you can afford the painfull time penalty for encryption. 4. Place the random system keys on individual encrypted USB devices thereby spreading the risks. However, the caveat being increased administration.

Creative Commons License

Author: James B. Crocker EMail: [email protected] [1] This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.