The advantage is to have key, used for unlocking crypted disk(s), somewhere on the server instead have it on USB.
* You can easily delete this key if your disks are stolen and nobody can access them any longer...
* If you use USB stick to save key then you need to have it connected to the machine with the cyphered disks every reboot - usually it will be plugged all the time to the server which destroy all security.
* Keys are downloaded automatically every reboot from remote HTTP server (if not your disks will remain locked).
All commands were tested on Debian and should be also applicable on other distributions.
Remote server side
Generate a new key pair:gpg --gen-key
List the keys and write down the secret key ID (9BB7698A):
gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/9BB7698A 2009-06-07
uid test_name (test_comment) test@xvx.cz
sub 2048g/A0DA1037 2009-06-07
Export private key and save it somewhere "public" temporary...
gpg --verbose --export-options export-attributes,export-sensitive-revkeys --export-secret-keys 9BB7698A > ~/public_html/secret.key
Generate random key and encrypt it by previously generated private key. That will be the key used for dm-crypt:
head -c 256 /dev/urandom | gpg --batch --passphrase test --verbose --throw-keyids --local-user 9BB7698A --sign --yes --cipher-algo AES256 --encrypt --hidden-recipient 9BB7698A --no-encrypt-to$
Client side (where the data will be crypted)
Login to the machine where you want to crypt your data.Create lvm volume:
lvremove -f lvdata
vgremove -f vgdata
pvcreate -ff -v /dev/hda2 /dev/hdb1
vgcreate -v -s 16 vgdata /dev/hda2 /dev/hdb1
lvcreate -v -l 100%FREE vgdata -n lvdata
Import secret private key from the http server (don't forget to remove secret.key from the server after this) and then download and decrypt the cipher key for dm-crypt [/mykey]:
gpg --yes --delete-secret-keys 9BB7698A
gpg --yes --batch --delete-keys 9BB7698A
wget https://10.0.2.2/~ruzickap/secret.key -O - | gpg --import -
wget https://10.0.2.2/~ruzickap/abcd.html -O - | gpg --quiet --passphrase test --batch --decrypt > /mykey
Encrypt the lvm [vgdata-lvdata] using [/mykey]:
cryptsetup -s 512 -c aes-xts-plain luksFormat /dev/mapper/vgdata-lvdata /mykey
Add the dm-crypt key [/mykey] to the "LUKS"
cryptsetup --key-file=/mykey luksOpen /dev/mapper/vgdata-lvdata vgdata-lvdata_crypt
Format opened LUKS and copy there some data:
mkfs.ext3 /dev/mapper/vgdata-lvdata_crypt
mount /dev/mapper/vgdata-lvdata_crypt /mnt
cp /etc/* /mnt/
umount /mnt
cryptsetup luksClose vgdata-lvdata_crypt
rm /mykey
Now we have to create a short script [/script] which will download the key from remote server and decrypt it using imported secret key by GPG and display it on the screen:
#!/bin/bash
/usr/bin/wget --quiet https://10.0.2.2/~ruzickap/abcd.html -O - | /usr/bin/gpg --quiet --homedir /root/.gnupg --quiet --passphrase xxxx --batch --decrypt 2>/dev/null
We should not forget to mount our crypted filesystem after boot [/etc/rc.local]:
echo "Mounting crypted file system in 5 seconds..."
sleep 5
cryptdisks_start vgdata-lvdata_crypt
mount /mnt
Another necessary thing needs to be done - putting the right information to [/etc/crypttab]:
vgdata-lvdata_crypt /dev/mapper/vgdata-lvdata none noauto,cipher=aes-xts-plain,size=512,luks,tries=1,checkargs=ext2,keyscript=/script
We don't want to mount crypted filesystem with others, because the network is not ready that time [/etc/fstab]:
/dev/mapper/vgdata-lvdata_crypt /mnt ext3 noauto,rw,exec,async,noatime,nocheck,data=writeback 0 0
This is definitively not the best how to secure your data, but it's better than nothing.
Feel free to combine this method with keys stored on on USB drive.
You didn't mention where acbd.html is created. The first time is mentioned is in the wget. I think its the bit where you wrote create random key based on private key?
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete