robinx99

Everything posted by robinx99

Hi, after watching the last episode I thought maybe someone might be interested in a server setup with encrypted root and the ability to send the password encrypted over the network. My setup is definitely not perfect and some tweaks are appreciated. The main idea is to start the network in an initramfs environment and have netcat waiting for a password that is then decrypted by openssl and finally gets passed to cryptsetup. The password should be safe over the network, but I don't think it is a perfect setup. I also have an Android app that is able to send the password, but the source code is a mess; if there is demand I can provide the code as well. I am sorry, this will be a longer post, but maybe someone is interested in an encrypted server.

The whole text assumes a Gentoo setup, but I think it can be adapted to other distros. This will assume a 64-bit amd64 setup, but it should also be usable on i386 (then you need to fetch different files and your kernel is located in a different directory). The setup is highly based on the Gentoo handbook and this wiki entry: http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID. It also requires another computer with Linux (openssl + netcat) and a boot medium; I prefer the SystemRescueCd: http://www.sysresccd.org/SystemRescueCd_Homepage

This should be a complete step-by-step manual (hope I did not forget anything).

Preparation

On our client we need to do the following:

    mkdir sslpassword
    cd sslpassword
    openssl genrsa -out private.pem 4048
    openssl rsa -in private.pem -out public.pem -outform PEM -pubout

and create a file with the following content ('nano -w passwordsend'; the IP address is the IP address of your future encrypted server, so change it to your needs):

    #!/bin/bash
    # fetch the server's temporary public key; it arrives encrypted to our public key
    nc 192.168.0.100 1234 | openssl rsautl -decrypt -inkey private.pem > tempbub.pem
    echo Enter password:
    read -s pass
    # encrypt the password to the temporary key and send it
    echo $pass | openssl rsautl -encrypt -inkey tempbub.pem -pubin | nc 192.168.0.100 1234 -q 1
    pass=""
    rm tempbub.pem

Make the file executable: 'chmod +x passwordsend'. You can copy the public.pem to a USB drive, or we send it later to the server with netcat. (Also it might be useful to create some of the later files on a computer with more than the console, as we will only have the console during a Gentoo setup.)

So let's boot our new server from CD (choose the 64-bit kernel or else we get in trouble when chrooting). I will assume only a single hard drive, but it can be easily adapted with software RAID as shown in the link above.

Hard disk

So let's create two partitions with 'fdisk /dev/sda' (one for /boot, I suggest 100M, and one with the rest), then:

    mkfs.ext2 /dev/sda1
    cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2
    cryptsetup luksOpen /dev/sda2 servercrypt
    pvcreate /dev/mapper/servercrypt
    vgcreate servercryptlvm /dev/mapper/servercrypt
    lvcreate -L1G -nswap servercryptlvm
    lvcreate -l100%FREE -nroot servercryptlvm
    mkswap /dev/mapper/servercryptlvm-swap
    mkfs.ext4 /dev/mapper/servercryptlvm-root
    mount /dev/mapper/servercryptlvm-root /mnt/gentoo
    mkdir /mnt/gentoo/boot
    mount /dev/sda1 /mnt/gentoo/boot

(1G for swap; change the number for different sizes.)

Install Portage

    cd /mnt/gentoo/
    wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/amd64/current-stage3/stage3*.bz2"
    wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/snapshots/current/portage-latest.tar.bz2"
    tar xjpf stage3*
    tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
    nano -w /mnt/gentoo/etc/make.conf

Change the CFLAGS line to

    CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"

and add the line (the number equals the number of cores + 1)

    MAKEOPTS="-j2"

then close and write the file.

Installing the base system

    mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
    mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf
    cp -L /etc/resolv.conf /mnt/gentoo/etc/
    mount -t proc none /mnt/gentoo/proc
    mount --rbind /dev /mnt/gentoo/dev
    chroot /mnt/gentoo /bin/bash
    env-update
    source /etc/profile
    export PS1="(chroot) $PS1"
    emerge --sync
    eselect profile list

(Choose one with 'eselect profile set <number>', but the default one should do.)

    nano -w /etc/locale.gen

(Uncomment the ones needed.)

    locale-gen

Kernel setup

    ls /usr/share/zoneinfo

(Find your timezone.)

    cp /usr/share/zoneinfo/GMT /etc/localtime

(If your timezone is GMT.)

    emerge gentoo-sources
    cd /usr/src/linux
    make menuconfig

Set up your kernel; we need some things: ext2 (for boot), ext4 (for root), device mapper support, crypt target support, the cryptographic and hash algorithms used (AES should be enabled by default, SHA-256 must be enabled by hand), your network card.

    make
    make modules_install
    cp arch/x86_64/boot/bzImage /boot/kernel

System config

    nano -w /etc/fstab

with this content:

    /dev/sda1                        /boot  ext2  defaults,noatime  1 2
    /dev/mapper/servercryptlvm-swap  none   swap  sw                0 0
    /dev/mapper/servercryptlvm-root  /      ext4  noatime           0 1

    nano -w /etc/conf.d/hostname    (set your hostname)
    nano -w /etc/conf.d/net         (configure your network; use your IP address)

with

    config_eth0="192.168.0.100 netmask 255.255.255.0 brd 192.168.0.255"

    cd /etc/init.d
    ln -s net.lo net.eth0
    rc-update add net.eth0 default
    passwd                          (set your root password)
    nano -w /etc/rc.conf            (configuration)
    nano -w /etc/conf.d/keymaps     (keyboard layout)
    nano -w /etc/conf.d/hwclock     (clock)

Base tools

    emerge syslog-ng
    rc-update add syslog-ng default
    emerge vixie-cron
    rc-update add vixie-cron default

(Optional) 'emerge dhcpcd' if you want a DHCP client, but since it will be a server I think it is not required.

Tools needed for encryption

    nano -w /etc/portage/package.use

with

    sys-fs/lvm2 static
    sys-apps/busybox static
    net-analyzer/netcat static -crypt

    emerge lvm2 busybox netcat
    emerge cryptsetup

Now we come to openssl, which is a little bit tricky since Gentoo does not have a statically linked version, so we do the following:

    emerge -vf openssl
    mkdir /tmp/opensslstatic
    cd /tmp/opensslstatic
    cat /usr/portage/distfiles/openssl*.tar.gz | gzip -d | tar xv
    cd open*
    ./config -static
    make
    cd apps
    cp openssl /tmp

Initramfs

    cd /usr/src
    mkdir initram
    cd initram
    mkdir bin dev dev/mapper etc newroot proc sys
    cp /bin/busybox /sbin/cryptsetup /sbin/lvm.static /tmp/openssl /usr/bin/nc bin
    mv bin/lvm.static bin/lvm
    ln -s busybox bin/cat
    ln -s busybox bin/mount
    ln -s busybox bin/sh
    ln -s busybox bin/switch_root
    ln -s busybox bin/umount
    ln -s busybox bin/sleep
    ln -s busybox bin/mdev
    # ifconfig and rm are called by the init scripts below, so they need applet links too
    ln -s busybox bin/ifconfig
    ln -s busybox bin/rm
    ln -s lvm bin/vgscan
    ln -s lvm bin/vgchange

(Optional, non-US keyboard layout:)

    busybox dumpkmap > etc/kmap-de && ln -s busybox bin/loadkmap

Copy your public key to the server (use a USB stick or netcat); for example do on the server:

    nc -vlp 1234 > public.pem

and on the client:

    cat public.pem | nc -q 1 SERVERIP 1234

    nano -w init.remote

with this content:

    #!/bin/sh
    mount -t proc none /proc
    CMDLINE=`cat /proc/cmdline`
    mount -t sysfs none /sys
    # mdev lives in /bin inside this initramfs
    echo /bin/mdev > /proc/sys/kernel/hotplug
    mdev -s
    sleep 3
    ifconfig eth0 192.168.0.100
    # keep asking until the LUKS container is open
    while [ ! -b /dev/mapper/servercrypt ]; do
        # temporary key pair, new for every attempt
        openssl genrsa -out temp.pem 1024
        openssl rsa -in temp.pem -out pubtemp.pem -outform PEM -pubout
        echo awaiting remote password
        # first connection: send the temporary public key, encrypted to the client's public key
        cat pubtemp.pem | openssl rsautl -encrypt -inkey public.pem -pubin | /bin/nc -lp 1234 -q 1
        # second connection: receive the password, encrypted to the temporary key
        /bin/nc -lp 1234 | openssl rsautl -decrypt -inkey temp.pem > pass
        cat pass | cryptsetup luksOpen /dev/sda2 servercrypt
        rm temp.pem
        rm pubtemp.pem
        rm pass
    done
    ifconfig eth0 0.0.0.0
    ifconfig eth0 down
    /bin/vgscan
    /bin/vgchange -ay servercryptlvm
    mount -r /dev/mapper/servercryptlvm-root /newroot
    umount /sys
    umount /proc
    exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}

    nano -w init.local

with this content:

    #!/bin/sh
    mount -t proc none /proc
    CMDLINE=`cat /proc/cmdline`
    mount -t sysfs none /sys
    echo /bin/mdev > /proc/sys/kernel/hotplug
    mdev -s
    sleep 3
    # uncomment if you have a non-US keyboard layout
    #loadkmap < /etc/kmap-de
    while [ ! -b /dev/mapper/servercrypt ]; do
        echo enter password
        read -s pass
        echo $pass | cryptsetup luksOpen /dev/sda2 servercrypt
        pass=""
    done
    /bin/vgscan
    /bin/vgchange -ay servercryptlvm
    mount -r /dev/mapper/servercryptlvm-root /newroot
    umount /sys
    umount /proc
    exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}

    chmod u+x init.local init.remote
    nano -w initgenerate

with this content:

    #!/bin/sh
    # pack the initramfs twice, once with each init script
    cp init.local init
    find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.local
    cp init.remote init
    find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.remote
    rm init

    chmod +x initgenerate
    emerge -v cpio                  (if it is missing)
    ./initgenerate

Grub

    emerge grub
    nano -w /boot/grub/grub.conf

with this content:

    default 0
    timeout 20

    title=linux remote password
    root (hd0,0)
    kernel /boot/kernel
    initrd /boot/initramfs.remote

    title=linux local password
    root (hd0,0)
    kernel /boot/kernel
    initrd /boot/initramfs.local

    grub
    # inside the grub shell:
    device (hd0) /dev/sda
    root (hd0,0)
    setup (hd0)
    quit
    exit
    reboot

Cross fingers ;) When all is done right you can send your password via the remote password sender. I hope I have made no mistakes copying the info from my personal documentation. Now you can start installing everything your server needs. Most likely you need an OpenSSH server so that you can connect to your server ("emerge -v openssh && rc-update add sshd default").
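As an added illustration (my example, not code from the post): the exchange that passwordsend and init.remote perform, replayed on one machine with files standing in for the two netcat connections. It uses openssl pkeyutl instead of the deprecated rsautl, a 4096-bit client key (the post uses 4048) and a 1024-bit temporary key; the directory and function names are this example's own. Running it makes two properties visible that the post leaves implicit: the temporary public key only fits into a single RSA block because the client key is large (PKCS#1 v1.5 wraps at most key-bytes minus 11), and the server side never proves its identity, since public.pem is not secret and anyone who can answer on port 1234 could produce a valid first message and receive the password.

```shell
#!/bin/sh
# Added example, not from the original post: passwordsend / init.remote key
# exchange replayed locally, files in place of the two netcat connections.
# openssl pkeyutl (rsautl's replacement) works on OpenSSL 1.1 and 3.x.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLIENT="$WORK/client"   # stands in for the admin's sslpassword directory
SERVER="$WORK/server"   # stands in for the initramfs root on the server
mkdir -p "$CLIENT" "$SERVER"

# Preparation step: long-term client key pair. public.pem is the file the
# post copies into the initramfs.
make_client_keys() {
    openssl genrsa -out "$CLIENT/private.pem" 4096 2>/dev/null
    openssl rsa -in "$CLIENT/private.pem" -pubout -out "$CLIENT/public.pem" 2>/dev/null
    cp "$CLIENT/public.pem" "$SERVER/public.pem"
}

# Server half of the init.remote loop: fresh temporary key pair, its public
# half wrapped with the client's long-term public key (first connection).
# A 1024-bit public key in PEM is about 270 bytes; a 2048-bit client key
# could wrap only 245 bytes, so the wrapping key has to be larger.
server_offer() {
    openssl genrsa -out "$SERVER/temp.pem" 1024 2>/dev/null
    openssl rsa -in "$SERVER/temp.pem" -pubout -out "$SERVER/pubtemp.pem" 2>/dev/null
    openssl pkeyutl -encrypt -pubin -inkey "$SERVER/public.pem" \
        -in "$SERVER/pubtemp.pem" -out "$WORK/wire1.bin"
}

# Client half (passwordsend): unwrap the temporary public key with the
# long-term private key, then encrypt the password to it (second connection).
client_answer() {
    openssl pkeyutl -decrypt -inkey "$CLIENT/private.pem" \
        -in "$WORK/wire1.bin" -out "$CLIENT/tempbub.pem"
    printf '%s\n' "$1" | openssl pkeyutl -encrypt -pubin \
        -inkey "$CLIENT/tempbub.pem" -out "$WORK/wire2.bin"
    rm -f "$CLIENT/tempbub.pem"
}

# Server again: decrypt with the temporary private key. In the post this
# output is piped into cryptsetup luksOpen; here it goes to stdout.
server_recover() {
    openssl pkeyutl -decrypt -inkey "$SERVER/temp.pem" -in "$WORK/wire2.bin"
    rm -f "$SERVER/temp.pem" "$SERVER/pubtemp.pem"
}

# One complete unlock attempt; prints what cryptsetup would have received.
unlock_exchange() {
    server_offer
    client_answer "$1"
    server_recover
}

make_client_keys
unlock_exchange 'constructed-example-passphrase'
```

Each call to unlock_exchange regenerates the temporary key, exactly as every pass of the while loop in init.remote does, so a recorded wire2.bin from one attempt cannot be replayed against a later one; wire1.bin, by contrast, can be forged by anyone holding public.pem, which is the gap a practitioner would want to close (for example with a pre-shared secret or a signature from the server) before exposing port 1234 beyond a trusted LAN.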