07 June, 2009

Crypted disks with remote key placed on http server

This page contains few information how to create crypted disk using dm_crypt, lvm, gpg with remote key stored on http server.
The advantage is to have key, used for unlocking crypted disk(s), somewhere on the server instead have it on USB.

* You can easily delete this key if your disks are stolen and nobody can access them any longer...
* If you use USB stick to save key then you need to have it connected to the machine with the cyphered disks every reboot - usually it will be plugged all the time to the server which destroy all security.
* Keys are downloaded automatically every reboot from remote HTTP server (if not your disks will remain locked).

All commands were tested on Debian and should be also applicable on other distributions.

Remote server side

Generate a new key pair:
gpg --gen-key

List the keys and write down the secret key ID (9BB7698A):
gpg --list-keys

pub   1024D/9BB7698A 2009-06-07
uid                  test_name (test_comment) test@xvx.cz
sub   2048g/A0DA1037 2009-06-07

Export private key and save it somewhere "public" temporary...
gpg --verbose --export-options export-attributes,export-sensitive-revkeys --export-secret-keys 9BB7698A > ~/public_html/secret.key

Generate random key and encrypt it by previously generated private key. That will be the key used for dm-crypt:
head -c 256 /dev/urandom | gpg --batch --passphrase test --verbose --throw-keyids --local-user 9BB7698A --sign --yes --cipher-algo AES256 --encrypt --hidden-recipient 9BB7698A --no-encrypt-to$

Client side (where the data will be crypted)

Login to the machine where you want to crypt your data.

Create lvm volume:
lvremove -f lvdata
vgremove -f vgdata
pvcreate -ff -v /dev/hda2 /dev/hdb1
vgcreate -v -s 16 vgdata /dev/hda2 /dev/hdb1
lvcreate -v -l 100%FREE vgdata -n lvdata

Import secret private key from the http server (don't forget to remove secret.key from the server after this) and then download and decrypt the cipher key for dm-crypt [/mykey]:
gpg --yes --delete-secret-keys 9BB7698A
gpg --yes --batch --delete-keys 9BB7698A
wget -O - | gpg --import -
wget -O - | gpg --quiet --passphrase test --batch --decrypt > /mykey

Encrypt the lvm [vgdata-lvdata] using [/mykey]:
cryptsetup -s 512 -c aes-xts-plain luksFormat /dev/mapper/vgdata-lvdata /mykey

Add the dm-crypt key [/mykey] to the "LUKS"
cryptsetup --key-file=/mykey luksOpen /dev/mapper/vgdata-lvdata vgdata-lvdata_crypt

Format opened LUKS and copy there some data:
mkfs.ext3 /dev/mapper/vgdata-lvdata_crypt
mount /dev/mapper/vgdata-lvdata_crypt /mnt
cp /etc/* /mnt/
umount /mnt
cryptsetup luksClose vgdata-lvdata_crypt
rm /mykey

Now we have to create a short script [/script] which will download the key from remote server and decrypt it using imported secret key by GPG and display it on the screen:
/usr/bin/wget --quiet -O - | /usr/bin/gpg --quiet --homedir /root/.gnupg --quiet --passphrase xxxx --batch --decrypt 2>/dev/null

We should not forget to mount our crypted filesystem after boot [/etc/rc.local]:
echo "Mounting crypted file system in 5 seconds..."
sleep 5
cryptdisks_start vgdata-lvdata_crypt
mount /mnt

Another necessary thing needs to be done - putting the right information to [/etc/crypttab]:
vgdata-lvdata_crypt     /dev/mapper/vgdata-lvdata       none noauto,cipher=aes-xts-plain,size=512,luks,tries=1,checkargs=ext2,keyscript=/script

We don't want to mount crypted filesystem with others, because the network is not ready that time [/etc/fstab]:
/dev/mapper/vgdata-lvdata_crypt /mnt    ext3    noauto,rw,exec,async,noatime,nocheck,data=writeback    0       0

This is definitively not the best how to secure your data, but it's better than nothing.

Feel free to combine this method with keys stored on on USB drive.


  1. You didn't mention where acbd.html is created. The first time is mentioned is in the wget. I think its the bit where you wrote create random key based on private key?

  2. This comment has been removed by a blog administrator.