* [dm-crypt] Using a keyfile with full disk encryption
@ 2016-10-04 8:37 Tim Kerby
2016-10-04 15:43 ` Arno Wagner
0 siblings, 1 reply; 4+ messages in thread
From: Tim Kerby @ 2016-10-04 8:37 UTC (permalink / raw)
To: dm-crypt
I've enabled full disk encryption on a recent server install of Ubuntu (using the checkbox in the installer). This is there mainly for security when disks are replaced
Unfortunately, we've had a few power failures and the requirement to enter the passphrase for LUKS at the physical terminal is an issue.
I'd be happy to keep a keyfile on a USB key or SD card as I could mount these internal to the server which is physically secured
Is there a method to ensure the USB key is mounted prior to the password prompt and adding the keyfile as an additional method at startup?
Thanks
Tim
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Using a keyfile with full disk encryption
2016-10-04 8:37 [dm-crypt] Using a keyfile with full disk encryption Tim Kerby
@ 2016-10-04 15:43 ` Arno Wagner
2016-10-06 18:21 ` [dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive) Diagon
0 siblings, 1 reply; 4+ messages in thread
From: Arno Wagner @ 2016-10-04 15:43 UTC (permalink / raw)
To: dm-crypt
Hi Tim,
full disk encryption is provided by your distribution, usually
by some mechanism in the initrd. This is out of scope for this
mailing-list here.
However I can tell you that I have personally done something
similar to what you want.
What you need to do is either drop to a shell in the initrd
and mount the usb-key using that, or that you modify the
code in the initrd to mount that USB-stick and read the passphrase
from it. The other thing you could do with a remotely-accessible
shell in the initrd is that you could use that to
mount the encrypted volumes manually yourself and then
continue the root process, on debian with something like this:
exec switch_root /mnt/root /sbin/init
You copuld also hardcode the passprase in the initrd and
place initrd and kernel on that USB-key. That is what I have
done.
I can give you a bit of background about what a Debian initrd
looks like, and Ubuntu may be similar. All action happens in
/init, which on the initrd is a shell-script executed
by busybox and hence pretty straight-forward to change. For
testing, I just used the following "init". You can use something
like this to find out what commands work. After that
you can put in your custom init instead. You can also add
binaries to teh initrd, but you must make sure they are
either statically compiled or all libraries are there.
----
#!/bin/sh
export PATH=/sbin:/bin
[ -d /sys ] || mkdir /sys
[ -d /proc ] || mkdir /proc
[ -d /tmp ] || mkdir /tmp
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
mount -t proc -o nodev,noexec,nosuid proc /proc
echo
echo "initrd is running"
echo "Using BusyBox..."
echo
exec /bin/ash --login
----
Now, how do you create or modify an initrd? Best reference I
have is this one here:
http://www.thegeekstuff.com/2009/07/how-to-view-modify-and-recreate-initrd-img/
Regards,
Arno
On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
> I've enabled full disk encryption on a recent server install of Ubuntu
> (using the checkbox in the installer). This is there mainly for security
> when disks are replaced
>
> Unfortunately, we've had a few power failures and the requirement to enter
> the passphrase for LUKS at the physical terminal is an issue.
>
> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
> these internal to the server which is physically secured
>
> Is there a method to ensure the USB key is mounted prior to the password
> prompt and adding the keyfile as an additional method at startup?
>
> Thanks
>
> Tim
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive)
2016-10-04 15:43 ` Arno Wagner
@ 2016-10-06 18:21 ` Diagon
0 siblings, 0 replies; 4+ messages in thread
From: Diagon @ 2016-10-06 18:21 UTC (permalink / raw)
To: dm-crypt
This might do you:
http://grub.johnlane.ie/
/D
On 10/04/2016 11:43 AM, Arno Wagner - arno@wagner.name wrote:
> Hi Tim,
>
> full disk encryption is provided by your distribution, usually
> by some mechanism in the initrd. This is out of scope for this
> mailing-list here.
>
> However I can tell you that I have personally done something
> similar to what you want.
>
> What you need to do is either drop to a shell in the initrd
> and mount the usb-key using that, or that you modify the
> code in the initrd to mount that USB-stick and read the passphrase
> from it. The other thing you could do with a remotely-accessible
> shell in the initrd is that you could use that to
> mount the encrypted volumes manually yourself and then
> continue the root process, on debian with something like this:
>
> exec switch_root /mnt/root /sbin/init
>
> You copuld also hardcode the passprase in the initrd and
> place initrd and kernel on that USB-key. That is what I have
> done.
>
> I can give you a bit of background about what a Debian initrd
> looks like, and Ubuntu may be similar. All action happens in
> /init, which on the initrd is a shell-script executed
> by busybox and hence pretty straight-forward to change. For
> testing, I just used the following "init". You can use something
> like this to find out what commands work. After that
> you can put in your custom init instead. You can also add
> binaries to teh initrd, but you must make sure they are
> either statically compiled or all libraries are there.
>
> ----
> #!/bin/sh
>
> export PATH=/sbin:/bin
> [ -d /sys ] || mkdir /sys
> [ -d /proc ] || mkdir /proc
> [ -d /tmp ] || mkdir /tmp
> mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
> mount -t proc -o nodev,noexec,nosuid proc /proc
>
> echo
> echo "initrd is running"
> echo "Using BusyBox..."
> echo
> exec /bin/ash --login
> ----
>
> Now, how do you create or modify an initrd? Best reference I
> have is this one here:
>
> http://www.thegeekstuff.com/2009/07/how-to-view-modify-and-recreate-initrd-img/
>
> Regards,
> Arno
>
>
>
>
> On Tue, Oct 04, 2016 at 10:37:36 CEST, Tim Kerby wrote:
>> I've enabled full disk encryption on a recent server install of Ubuntu
>> (using the checkbox in the installer). This is there mainly for security
>> when disks are replaced
>>
>> Unfortunately, we've had a few power failures and the requirement to enter
>> the passphrase for LUKS at the physical terminal is an issue.
>>
>> I'd be happy to keep a keyfile on a USB key or SD card as I could mount
>> these internal to the server which is physically secured
>>
>> Is there a method to ensure the USB key is mounted prior to the password
>> prompt and adding the keyfile as an additional method at startup?
>>
>> Thanks
>>
>> Tim
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [dm-crypt] Using a keyfile with full disk encryption
@ 2016-10-04 8:08 Tim Kerby
0 siblings, 0 replies; 4+ messages in thread
From: Tim Kerby @ 2016-10-04 8:08 UTC (permalink / raw)
To: dm-crypt
I've enabled full disk encryption on a recent server install of Ubuntu (using the checkbox in the installer). This is there mainly for security when disks are replaced
Unfortunately, we've had a few power failures and the requirement to enter the passphrase for LUKS at the physical terminal is an issue.
I'd be happy to keep a keyfile on a USB key or SD card as I could mount these internal to the server which is physically secured
Is there a method to ensure the USB key is mounted prior to the password prompt and adding the keyfile as an additional method at startup?
Thanks
Tim
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-10-06 18:36 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-04 8:37 [dm-crypt] Using a keyfile with full disk encryption Tim Kerby
2016-10-04 15:43 ` Arno Wagner
2016-10-06 18:21 ` [dm-crypt] Using a keyfile with full disk encryption (saout: to exclusive) Diagon
-- strict thread matches above, loose matches on Subject: below --
2016-10-04 8:08 [dm-crypt] Using a keyfile with full disk encryption Tim Kerby
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.