特殊:Badtitle/NS100:FeistyLUKSTwoFormFactor
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/FeistyLUKSTwoFormFactor }} |
点击翻译: |
English {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/af | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Afrikaans| [[::FeistyLUKSTwoFormFactor/af|Afrikaans]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ar | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|العربية| [[::FeistyLUKSTwoFormFactor/ar|العربية]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/az | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|azərbaycanca| [[::FeistyLUKSTwoFormFactor/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/bcc | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|جهلسری بلوچی| [[::FeistyLUKSTwoFormFactor/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/bg | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|български| [[::FeistyLUKSTwoFormFactor/bg|български]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/br | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|brezhoneg| [[::FeistyLUKSTwoFormFactor/br|brezhoneg]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ca | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|català| [[::FeistyLUKSTwoFormFactor/ca|català]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/cs | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|čeština| [[::FeistyLUKSTwoFormFactor/cs|čeština]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/de | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Deutsch| [[::FeistyLUKSTwoFormFactor/de|Deutsch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/el | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Ελληνικά| [[::FeistyLUKSTwoFormFactor/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/es | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|español| [[::FeistyLUKSTwoFormFactor/es|español]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/fa | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|فارسی| [[::FeistyLUKSTwoFormFactor/fa|فارسی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/fi | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|suomi| [[::FeistyLUKSTwoFormFactor/fi|suomi]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/fr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|français| [[::FeistyLUKSTwoFormFactor/fr|français]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/gu | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|ગુજરાતી| [[::FeistyLUKSTwoFormFactor/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/he | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|עברית| [[::FeistyLUKSTwoFormFactor/he|עברית]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/hu | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|magyar| [[::FeistyLUKSTwoFormFactor/hu|magyar]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/id | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Bahasa Indonesia| [[::FeistyLUKSTwoFormFactor/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/it | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|italiano| [[::FeistyLUKSTwoFormFactor/it|italiano]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ja | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|日本語| [[::FeistyLUKSTwoFormFactor/ja|日本語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ko | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|한국어| [[::FeistyLUKSTwoFormFactor/ko|한국어]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ksh | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Ripoarisch| [[::FeistyLUKSTwoFormFactor/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/mr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|मराठी| [[::FeistyLUKSTwoFormFactor/mr|मराठी]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ms | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Bahasa Melayu| [[::FeistyLUKSTwoFormFactor/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/nl | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Nederlands| [[::FeistyLUKSTwoFormFactor/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/no | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|norsk| [[::FeistyLUKSTwoFormFactor/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/oc | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|occitan| [[::FeistyLUKSTwoFormFactor/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/pl | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|polski| [[::FeistyLUKSTwoFormFactor/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/pt | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|português| [[::FeistyLUKSTwoFormFactor/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ro | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|română| [[::FeistyLUKSTwoFormFactor/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/ru | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|русский| [[::FeistyLUKSTwoFormFactor/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/si | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|සිංහල| [[::FeistyLUKSTwoFormFactor/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/sq | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|shqip| [[::FeistyLUKSTwoFormFactor/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/sr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|српски / srpski| [[::FeistyLUKSTwoFormFactor/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/sv | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|svenska| [[::FeistyLUKSTwoFormFactor/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/th | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|ไทย| [[::FeistyLUKSTwoFormFactor/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/tr | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Türkçe| [[::FeistyLUKSTwoFormFactor/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/vi | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|Tiếng Việt| [[::FeistyLUKSTwoFormFactor/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/yue | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|粵語| [[::FeistyLUKSTwoFormFactor/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/zh | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|中文| [[::FeistyLUKSTwoFormFactor/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/zh-hans | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|中文(简体)| [[::FeistyLUKSTwoFormFactor/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor | UbuntuHelp:FeistyLUKSTwoFormFactor | {{#if: | :}}FeistyLUKSTwoFormFactor}}/zh-hant | • {{#if: UbuntuHelp:FeistyLUKSTwoFormFactor|中文(繁體)| [[::FeistyLUKSTwoFormFactor/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:FeistyLUKSTwoFormFactor|:FeistyLUKSTwoFormFactor|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :FeistyLUKSTwoFormFactor/zh | | {{#ifexist: FeistyLUKSTwoFormFactor/zh | | {{#ifeq: {{#titleparts:FeistyLUKSTwoFormFactor|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:FeistyLUKSTwoFormFactor|1|-1|}} | zh | | }}
Two Form Factor Authentication and LUKS Whole Disk Encryption with Feisty Fawn 7.04
Skill: High Complexity: High estTimeToComplete: 3.5 hours (ex. radomizing disks) Two Form Factor authentication in general relies on something you have and something you know. I'll detail a means of creating an encrypted USB flash drive that will then contain the keys for unlocking and booting your systems. The encrypted USB flash drive containing the system keys will be what you have and the passphrase to unlock the encrypted USB flash drive to retrieve the system keys will be what you know. Feisty Fawn 7.04 (Server,Desktop,Alternative) do not offer first time installation to an encrypted volume. There are alternative methods available to install Feisty Fawn onto an encrypted whole disk system. The cryptsetup scripts are capable of utilizing a non-encrypted USB flash drive. However, they are not coded yet to handle twoform authentication which requires additional user prompting. This 'howto' details creating an encrypted USB flash drive, installing Feisty Fawn onto an encrypted whole disk system and finally configuring the two form factor authentication for the system startup using the encrypted USB flash drive.
Consider these excellent documents for related encryption information and methods. | > |
Install Feisty Fawn 7.04 SERVER on Temporary Partition
Even if you intend to use Feisty Fawn as a 'desktop' system, installing the server version first reduces installation times, minimizes the disk consumed and avoids the initial clutter of a gui desktop for the encrypted setup. There is an included optional step towards the very end which will install the ubuntu-desktop. The boot volume /boot must be unecrypted as grub can't handle decrypting a boot partition. So, create 3 primary partitions. Use the /dev/sda2 partition as the tempoary unencrypted root / volume to begin. /dev/sda2 will later be used for the encrypted swap partition. So, size /dev/sda2 to accomodate the minimum server installation ~600MB and the maximum of what you want set for swap. (Rule of thumb 1.5 to 2 times physical RAM). Pre-Encrypt Partitions:
/dev/sda1 255M ext3 primary /boot /dev/sda2 2048M ext3 primary / /dev/sda3 AllRemaingSpace primary unused
Note: You will be root for all commands. i.e., $ sudo -i after each login.
Install Base
There is a wealth of documentation for installing Ubuntu Feisty Fawn 7.04 Server. Please refer to those documents if neccessary.
Update, Install Cryptsetup and LVM2, Upgrade
With the base installation completed login and update the package listing. Install cryptsetup and lvm2 for creating and managing the LUKS whole disk encryption.
Setup APT
Uncomment the deb resources for multiverse and universe.
vi /etc/apt/sources.list
Update and Reboot
apt-get update apt-get install cryptsetup lvm2 patchutils apt-get upgrade reboot
Creating Encrypeted USB Flash Drive
Create UDEV Mapping
Each computer system will report and mount your USB flash drive differently. e.g., /dev/sda or /dev/sdb To avoid constant changes in the cryptsetup's initramfs scripts which rely on the the USB flash drive create a common device name for your USB flash drive on each system you intend to lock.
Find USB Flash Drive Serial ID
Insert the USB flash drive you will be using. The USB will trigger a udev scan and will report the deivce name to the console. e.g., /dev/sdb. Armed with the device retrieve the device information and look for your USB flash drive manufacturer and associated serial number.
udevinfo -a -p $(udevinfo -q path -n /dev/sdb) ... ATTRS{serial}=="#######################" ATTRS{product}=="SUPERFLY" ATTRS{manufacturer}=="LEXAR" ...
Add USB Flash Drive Serial ID to UDEV Rules
Add the USB flash drive serial id and the common name to `/etc/udev/rules.d/65-persistent-storage.rules` and rescan the devices. The modified cryptsetup scripts use `/dev/cryptKey`. If you change the naming you'll need to modify those scripts.
vi /etc/udev/rules.d/65-persistent-storage.rules
Insert the following somewhere before the end label `LABEL="persistent_storage_end"`.
KERNEL=="sd*|sr*|st*", ATTRS{serial}=="######################"", SYMLINK+="cryptKey%n"
Trigger and look for the common name device for your USB flash drive.
udevtrigger ls /dev/cryptKey
The list command should have successfully returned `/dev/cryptKey`. Do not continue until this is correct.
Create LUKS Partition with EXT2 Filesystem
modprobe dm_crypt cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/cryptKey cryptsetup luksOpen /dev/cryptKey cryptkeys mkfs.ext2 /dev/mapper/cryptkeys mkdir /mnt/cryptkeys mount -t ext2 /dev/mapper/cryptkeys /mnt/cryptkeys
Generate Random Machine Key
Create a random key that will eventually be used to lock/unlock this system and store it on the opened and mounted encrypted USB flash drive. Replace #FILENAME with the name of your choosing. It will be used in later system configurations.
cd /mnt/cryptkeys dd if=/dev/random of=#FILENAME.luks bs=1 count=256
Install usbcryptkey Script
`usbcryptkey` will ease the mounting/unmounting of the LUKS encrypted USB flash drive. It will be called during the `initramfs/local-top/cryptroot` call at startup.
vi /bin/usbcryptkey
#!/bin/sh # CryptKey value sent from cryptroot # Contains the devicename # LUKS Options # Could pull from cryptroot but this allows for the 'USB Key' to be setup # differently than the crypt volumes it is unlocking. LUKS_OPTS="--readonly --cipher=aes-cbc-essiv:sha256 --hash=sha512 --key-size=256" # Get the device name DEVNAME=$1 # Likely not needed if called from cryptroot correctly # but it doesn't hurt. modprobe -q dm_crypt mount_usbcryptkey () { # Wait for the USB Device # PREREQ udev for cryptroot # If the USB Device hasn't been created wait a bit. count=0 while [ $count -lt 3 ]; do count=$(( $count + 1 )) if [ ! -e $DEVNAME ]; then sleep 5 else break fi done # Check device is LUKS format cryptsetup isLuks $DEVNAME if [ $? -ne 0 ]; then echo "CryptKey device $DEVNAME is not LUKS formated!" exit 1 fi # Open the USB key count=0 openstat=0 while [ $count -lt 3 ]; do count=$(( $count + 1 )) if [ ! -e /dev/mapper/theKeys ]; then echo -n "USB CryptKey ==> " cryptsetup luksOpen $DEVNAME theKeys < /dev/console openstat=$? else break fi done # If it didn't open don't try anything else. if [ $openstat -ne 0 ]; then exit $openstat fi # Mount the opened USB if [ ! -d /mnt/cryptkeys ]; then mkdir -p -m 0700 /mnt/cryptkeys > /dev/null 2>&1 fi count=0 while [ $count -lt 3 ]; do count=$(( $count + 1 )) if [ ! -e /dev/mapper/theKeys ]; then sleep 5 else mount -n -r -t ext2 /dev/mapper/theKeys /mnt/cryptkeys > /dev/null 2>&1 break fi done } umount_usbcryptkey () { # Unmount and close the USB Keys umount /mnt/cryptkeys > /dev/null 2>&1 cryptsetup luksClose theKeys > /dev/null 2>&1 } # Begin work... # If the device is mounted UNMOUNT it. # If the device is not mounted MOUNT it. if [ -z $1 ]; then echo "No device specified!" echo "usbcryptkey DEVNAME" exit 1; fi if [ -r /dev/mapper/theKeys ]; then umount_usbcryptkey exit 0; else mount_usbcryptkey exit 0; fi
Now make the file executable.
chmod 750 /bin/usbcryptkey
Modify Cryptsetup Scripts
You should have a bootable, stable server installation and and encrypted USB flash drive completed. The Feisty Fawn 7.04 cryptsetup scripts do not contain enough code to address an interactive two form factor authentication. A set of scripts must be modified.
Copy the diff into a temporary patch file and apply.
vi /tmp/patch1
--- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 +++ cryptroot 2007-07-03 18:32:16.000000000 -0500 @@ -156,6 +156,7 @@ extraopts="$2" KEYSCRIPT="" OPTIONS="" + TWOFORM=0 if [ -z "$target" ]; then echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2 @@ -223,6 +224,10 @@ opt=$(basename "$opt") OPTIONS="$OPTIONS,keyscript=/keyscripts/$opt" ;; + twoform=*) + OPTIONS="$OPTIONS,$opt" + TWOFORM=1 + ;; *) # Presumably a non-supported option ;; @@ -234,6 +239,14 @@ echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2 return 1 fi + + # If twoform set then it depends on "key" and KEYSCRIPT + if [ $TWOFORM -eq 1 ]; then + if [ "$key" = "none" ] || [ -z "$KEYSCRIPT" ]; then + echo "cryptsetup: WARNING: target $target uses twoform and depends on key and keyscript, skipped" >&2 + return 1 + fi + fi } get_device_modules() {
patch -b -l /usr/share/initramfs-tools/hooks/cryptroot < /tmp/patch1
Copy the diff into a temporary patch file and apply. vgchange doesn't exist in the initramfs so but lvm does.
vi /tmp/patch2
--- cryptroot.orig 2007-04-14 17:52:22.000000000 -0500 +++ cryptroot 2007-07-03 18:33:33.000000000 -0500 @@ -43,6 +43,7 @@ cryptlvm="" cryptkeyscript="" cryptkey="" # This is only used as an argument to an eventual keyscript + crypttwoform="" # TwoForm factor local IFS=" ," for x in $cryptopts; do @@ -68,6 +69,9 @@ keyscript=*) cryptkeyscript=${x#keyscript=} ;; + twoform=*) + crypttwoform=${x#twoform=} + ;; key=*) if [ "${x#key=}" != "none" ]; then cryptkey=${x#key=} @@ -89,7 +93,7 @@ vg="${1#/dev/mapper/}" # Sanity checks - if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then + if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then return 1 fi @@ -104,7 +108,7 @@ # Reduce padded --'s to -'s vg=$(echo ${vg} | sed -e 's#--#-#g') - vgchange -ay ${vg} + lvm vgchange -ay ${vg} return $? } @@ -189,6 +193,7 @@ # Try to get a satisfactory password three times count=0 + ckscon=y while [ $count -lt 3 ]; do count=$(( $count + 1 )) @@ -200,23 +205,38 @@ sleep 2 fi - if [ -n "$cryptkeyscript" ]; then + if [ -n "$cryptkeyscript" ] && [ "$ckscon" = "y" ]; then if [ ! -x "$cryptkeyscript" ]; then echo "cryptsetup: error - $cryptkeyscript missing" return 1 fi - $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=- + + if [ -z $crypttwoform ]; then + $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=- + else + $cryptkeyscript $cryptkey < /dev/console + $cryptcreate --key-file=/mnt/cryptkeys$crypttwoform + fi else $cryptcreate < /dev/console fi if [ $? -ne 0 ]; then echo "cryptsetup: cryptsetup failed, bad password or options?" + if [ -n "$cryptkeyscript" ]; then + echo -n "Continue using the cryptkeyscript? [y/n]: " + read ckscon < /dev/console + fi + sleep 3 continue elif [ ! -e "$NEWROOT" ]; then echo "cryptsetup: unknown error setting up device mapping" return 1 + elif [ -n $crypttwoform ] && [ -n $cryptkeyscript ] && [ -e $cryptkey ]; then + # The keyscript was called at least once so call the + # keyscript again to unmount the usb cryptkey device. + $cryptkeyscript $cryptkey fi FSTYPE=''
patch -b -l /usr/share/initramfs-tools/scripts/local-top/cryptroot < /tmp/patch2
There is a quirk whereby the lvm-on-luks mappings are overwritten with the `/dev` filesystem is remounted for read write. We need `mapper` for the lvm mounts to funtion on boot.
vi /tmp/patch3
--- udev.orig 2007-04-10 09:03:36.000000000 -0500 +++ udev 2007-07-03 18:13:46.000000000 -0500 @@ -27,5 +27,5 @@ # Move the real filesystem's /dev to beneath our tmpfs, then move it all # to the real filesystem mkdir -m 0700 -p /dev/.static/dev -mount -n -o bind ${rootmnt}/dev /dev/.static/dev +mount -n -o bind /dev/.static/dev ${rootmnt}/dev mount -n -o move /dev ${rootmnt}/dev
patch -b -l /usr/share/initramfs-tools/scripts/init-bottom/udev < /tmp/patch3
After patching, if backups were created, remove them so as not to 'corrupt' the initramfs build.
rm /usr/share/initramfs-tools/scripts/local-top/cryptroot.orig rm /usr/share/initramfs-tools/hooks/cryptroot.orig rm /usr/share/initramfs-tools/scripts/init-bottom/udev.orig
Create LUKS/LVM Volumes on Unused Partition
Randomize the Unused Partition
To obscure use of the volume randomize the partition befor using it. Caution: `urandom` is not as good as `random` but will cut the time significantly. Note: This will take a considerable amount of time and is proporational to the volume size. e.g., Radomizing 1.5TB ~2Days.
dd if=/dev/urandom of=/dev/sda3
Go find something fun to do outside!
Create and Open LUKS Device
Note: I've used the largest cipher and hash available as well as key-size. The defaults are smaller.
cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/sda3
Edit the crypttab. The lvm option triggers the lvm on luks during startup. This will setup the LUKS whole disk encryption with an initial passphrase. Once this works the Two Form Factor configuration follows.
echo cryptVault /dev/sda3 none luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot >> /etc/crypttab
Open the LUKS partition.
cryptsetup luksOpen /dev/sda3 cryptVault
Setup LVM Data Partitions
Season to taste. The volume sizes will be relevant to your system design goals. Note: When later converting to ubuntu-desktop apt required more space in /var then I had originally allocated. And rather than re-configure apt to use a different cache I just resized /var to +1024MB. The `lvsnap` volume is for creating snapshot volumes for backup purposes. It will not be referenced again in this document. It is there as a reminder to allocate for it before you slice and dice all avialable disk space. [todo: create communityDoc for BackupWithLVMSnaphot] Note: The lvm volumes MUST be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate.
pvcreate /dev/mapper/cryptVault vgcreate vg00 /dev/mapper/cryptVault vgchange -a y vg00 lvcreate -L70G -nlvroot vg00 lvcreate -L512M -nlvtmp vg00 lvcreate -L2048M -nlvvar vg00 lvcreate -L512M -nlvhome vg00 lvcreate -L512M -nlvsnap vg00
Tip: If you will be allocating the remaining free extents to a volume do pvdisplay and find the Free PE and use that value in `ĺvcreate -l### -n#SOMEPART`
Apply Filesystems to the Partitions
mkfs.ext3 /dev/vg00/lvroot mkfs.ext2 /dev/vg00/lvtmp mkfs.ext3 /dev/vg00/lvvar mkfs.ext3 /dev/vg00/lvhome mkfs.ext3 /dev/vg00/lvsnap
Migrate Temporary Installation to Encrypted Volumes
Make Mount Points and Mount LUKS Encrypted LVM Volumes
mkdir /tmp/croot mount /dev/vg00/lvroot /tmp/croot mkdir /tmp/croot/tmp mkdir /tmp/croot/home mkdir /tmp/croot/var
Note: Due to an Ubuntu quirk `/var/run` and `/var/lock` must exist on the root filesystem during bootstrap/startup. Since we're splitting `/var` from the start we need to kludge for that behavior.
$ mkdir -m 0700 /tmp/croot/var/run $ mkdir -m 0700 /tmp/croot/var/lock
$ mount /dev/vg00/lvtmp /tmp/croot/tmp $ mount /dev/vg00/lvvar /tmp/croot/var $ mount /dev/vg00/lvhome /tmp/croot/home
Copy the Temporary Base Installation to the Encrypted Volumes
cp -ax / /tmp/croot
Mount Special Devices
Mount the following special devices so that when we `chroot` everything will work.
mount -t proc /proc /tmp/croot/proc mount -o bind /dev /tmp/croot/dev mount /dev/sda1 /tmp/croot/boot
Change ROOT
chroot /tmp/croot
Edit FSTAB
You should successfully be in the chroot environment and it will be nearly indistinguishable from the first. Don't get confused. Edit the fstab to reflect the desired filesystem layout. Season to taste. Note: The lvm volumes MUST be of the form `/dev/mapper/vg##-name`. The cryptroot script relies on this naming convention to determine whether or not a volume is LVM and to select the volume group name to activate. Also, your fstab configuration listing will likely be different then the one listed. Season to taste.
vi /etc/fstab
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> /dev/sda1 /boot ext3 defaults 0 2 /dev/mapper/vg00-lvroot / ext3 defaults 0 1 /dev/mapper/vg00-lvvar /var ext3 defaults 0 1 /dev/mapper/vg00-lvtmp /tmp ext2 defaults 0 1 /dev/mapper/vg00-lvhome /home ext3 defaults 0 1 proc /proc proc defaults 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
Edit grub/menu.lst and update the kopt value. Also, do yourself a favor and just turn splash off. It is nice but for now just complicates the LUKS passphrase prompting on startup.
vi /boot/grub/menu.lst
# kopt=root=/dev/mapper/vg00-lvroot ro ... # defoptions=quiet
Update initramfs Image
It is vital to have the FSTAB and CRYPTROOT files properly edited. The initramfs scripts for setting up the crypt initrd rely on the settings in these files to generate the appropriate image.
update-initramfs -u ALL
Update GRUB Boot Menu
To get the correct and updated `menu.lst` stanza on the bootloader.
update-grub
Exit CHROOT
If satisfied with the system setup and crypt changes exit out of the chroot environment.
exit
Unmount the New Encrypted Volumes
cd / umount /tmp/croot/home umount /tmp/croot/tmp umount /tmp/croot/var umount /tmp/croot/boot umount /tmp/croot/proc umount /tmp/croot/dev umount /tmp/croot vgchange -a n vg00
Reboot
reboot
Single Form Factor LUKS Whole Disk Encrypted Startup
You'll be prompted for the passphrase you used to create the LUKS cryptsetup on `/dev/sda3`. If successfull the system should boot without errors. If you do encounter a problem: 1. Reboot 2. Pause grub w/ <ESC> and edit kernel stanza and change `/dev/mapper/vg00-lvroot` to `/dev/sda2` (Remember we haven't deleted the un-encrypted installation yet.) 3. Boot to `/dev/sda2` 4. Cryptsetup luksOpen `/dev/sda3` 5. Remount the filesystems (Refer to previous step: `Migrate Temporary Installation to Encrypted Volumes`.) 6. Skip the copy step 7. `chroot /tmp/croot` 8. Make your changes and try again
Setup Two Form Factor LUKS Whole Disk Encryption
If you've successfully booted into the single form factor LUKS encrypted whole disk installation then you can continue setting up the system with the USB cryptKey for Two Form Factor authentication.
Edit /etc/crypttab
Edit the `/etc/crypttab` file to reflect the items for Two Form authentication. Use the #FILENAME.luks from the random key step. Include a path if your encrypted USB flash drive filesystem has a directory structure that you are using to manage files. e.g., Under `/mnt/cryptkey/serverkeys` or `/mnt/cryptkey/laptopkey` etc. The #PATH is relative to the mount point. So, #PATH would be `serverkeys/#FILENAME.luks` or `laptopkey/#FILENAME.luks`
echo cryptVault /dev/sda3 /dev/cryptKey luks,cipher=aes-cbc-essiv:sha256,hash=sha512,lvm=vg00-lvroot,keyscript=/bin/usbcryptkey,twoform=/#PATH#FILENAME.luks >> /etc/crypttab
DELETE the original cryptValut entry which doesn't depend on the USB cryptKey
Open USB cryptKey
The `usbcryptkey` script should exist in `/bin`. If you have changed the location for `usbcryptkey` then you'll need to accomodate for that change in the `/etc/crypttab` file you just modified. If not currently mounted the script will prompt for the passphrase and mount the device.
usbcryptkey /dev/cryptKey
Add Random Generated Key
Add the new key file to the root `cryptVault`. This should add to Slot 1. When you add the key you'll be prompted for a passphrase. The passphrase is the one used when setting up `/dev/sda3` not the passphrase used for the USB cryptKey.
cryptsetup luksAddKey /dev/sda3 /mnt/cryptkeys/#PATH#FILENAME.luks
Update initramfs Image
Armed with the settings for Two Form authentication to unlock your system update the initramfs image to contain the new changes.
update-initramfs -u ALL
Close USB cryptKey
cd / usbcryptkey /dev/cryptKey
Reboot
reboot
Two Form Factor LUKS Whole Disk Encrypted Startup
Until you remove the initial Slot0 key on `/dev/sda3` you can still startup WITHOUT the USB cryptKey. So, if you have problems with the USB cryptKey initial setup, you can discontinue the cryptkeyscript and be prompted for the `/dev/sda3` Slot0 passphrase.
Insert Encrypted USB Flash Drive
1. Insert your USB cryptKey. Note: Depending on your system you may need to wait until after the `Setting up cryptograpic volume cryptVault (based on /dev/sd#)` because the USB device may be identified and assigned `/dev/sda` before the harddrive is identified accurately. 2. If cryptKey found then you'll be prompted for the `USB CryptKey ==>` passphrase to unlock the USB cryptKey. 3. If the USB cryptKey is opened successfully the cryptroot script based on the twoform setting in `/ect/crypttab` will fetch the requested key and procceed to unlock `/dev/sda3` with the random generated key. 4. If you fail to open the USB cryptKey for any reason you can discontinue the cryptkeyscript and be prompted for the /dev/sda3 Slot0 passphrase. Login, make your changes, `update-initramfs -u ALL` and retry.
Setup Encrypted Swap
Now setup the encrypted SWAP which will replace `/dev/sda2`. Caution: Once you convert the temporary root `/dev/sda2` to `swap` you won't be able to make use of the un-encrypted volume for setup work and changes to the encrypted volumes. It'll mean you start from scratch if things go haywire.
Edit /etc/crypttab
echo cryptSwap /dev/sda2 /dev/random swap >> /etc/crypttab
Edit /etc/fstab
Add `/dev/mapper/cryptSwap none swap sw 0 0`
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> # /dev/sda1 /dev/sda1 /boot ext3 defaults 0 2 /dev/mapper/cryptSwap none swap sw 0 0 /dev/mapper/vg00-lvroot / ext3 defaults 0 1 /dev/mapper/vg00-lvvar /var ext3 defaults 0 1 /dev/mapper/vg00-lvtmp /tmp ext2 defaults 0 1 /dev/mapper/vg00-lvhome /home ext3 defaults 0 1 proc /proc proc defaults 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
Update initramfs Image
update-initramfs -u ALL
Radomize SWAP /dev/sda2
There goes the un-encrypted installation... Again, this will take about 15-30 minutes depending on the size of sda2.
dd if=/dev/urandom of=/dev/sda2
Reboot and Confirm Swap
You'll unlock everything again on reboot.
reboot
You should see cryptSwap is active. If not go back to `/etc/fstab` or `/etc/crypttab`.
cat /proc/swaps
FINALIZE with True Two Form Factor
If satisfied with the startup using the USB Crypt``Key remove the passphrase that was initially used for `/dev/sda3` on Slot0. If you remove the initial passphrase from Slot0 and rely on the random generated key stored on the USB Crypt``Key this affords some small plausable deniability. Once your remove the slot0 key form `/dev/sda3` the ONLY key which will unlock the luks device is the 256bit random keyfile located on the USB Crypt``Key device! You can add a passphrase back if you need/want to later but that somewhat defeats the whole purpose.
Mount USB cryptKey and Remove /dev/sda3 Slot0 Key
BE CONFIDENT THAT THE SYSTEM BOOTS FROM THE USB CRYPTKEY DEVICE BEFORE PROCEEDING!! With the USB Crypt``Key still inserted proceed with the Slot0 removal from `/dev/sda3`. After login...
usbcryptkey /dev/cryptKey cryptsetup --key-file=/mnt/cryptkeys/#PATH#FILENAME.luks luksDelKey /dev/sda3 0
If command successfull then you can unmount the cryptKey.
usbcryptkey /dev/cryptKey
Optional
Install Ubuntu Desktop
It is really quite painless and effective. I'm quite impressed! Enjoy the eye-candy!
apt-get install ubuntu-desktop
Two Form Options
In a more general sense with the twoform option set and the keyscript option referencing any funky script you want to return an available key-file to cryptsetup. The local-top/cryptroot script is expecting it at /mnt/cryptkeys i.e., twoform=/dir1/dir2/keyfile should be placed/linked/mounted into /mnt/cryptkeys with your keyscript
Key Manipulations
The cryptroot changes don't do any memory moves of the key-file. It is just fed as the key-file parameter to cryptsetup.
Potential Security Vulnerabilities/Vectors
1. Unencrypted boot on the host. With boot volume on the host kernel updates are convenient. However, without physical security of the host the initramfs image is vulnerable. That image contains the crypttab file entries exposing the cryptKey device name, the specified key-file and the keyscript file you are using. i.e.,usbcryptkey Unless you take measures to check the boot initramfs image for un-authorized changes an interloper may alter the initramfs boot image and insert code that may intercept and redirect any accessible keys/files. 2. Backup keys. (DON'T store your keys unencrypted.) 3. Caution: `urandom` is not as good as `random` but will cut the time significantly. 4. Increased probability of multiple system compromises with a single USB device containing multiple system keys.
Possible Solutions
1. Boot volume on the same usb flash drive with the keys. This would require some changes to scripts and such.. (Perhaps the 'strongest' protection to the problem. The 'keys' are more likely to stay in your possession.
A hash checksum of the boot kernel and image presented before cryptkey mounting. (Weak - adulterated initramfs image could report original numbers - fake out) It still might be advisable to checksum the /boot after /root mounted. Maybe an unnspecified script to report on the checksum and compare to the previous startup values. Brake booting if different for confirmation of changes. (thinking that the unidentified script would be outside of the initramfs ability to affect...) Encrypted /boot with GRUB able to prompt for passphrases to unlock the LUKS partitions. (Weak? - Now we have to trust GRUB hasn't been attacked. It is integral and bound to the hardrive partitions.) Could GRUB be loaded on a USB device? 2. Don't backup the random keys. Or back them up encrypted somewhere else. (But, backup keys could compromise plausible deniability if discovery of such media/medium exists.) 3. Use 'random' when you can afford the painfull time penalty for encryption. 4. Place the random system keys on individual encrypted USB devices thereby spreading the risks. However, the caveat being increased administration.
Creative Commons License
Author: James B. Crocker EMail: [email protected] [1] This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.