Root Encryption On A Gentoo Server With Ability To Send Password Over Network
in Community Projects
Hi,
after watching the last episode I thought maybe someone might be interested in a server setup with encrypted root and the ability to send the password encrypted over the network. My setup is definitely not perfect and some tweaks are appreciated. The main idea is to start the network in an initramfs environment and have netcat waiting for a password that is then decrypted by openssl and finally gets passed to cryptsetup. The password should be safe over the network, but I don't think it is a perfect setup. I also have an Android app that is able to send the password, but the source code is a mess; if there is demand I can provide the code as well.
I am sorry this will be a longer post, but maybe someone is interested in an encrypted server. The whole text assumes a Gentoo setup, but I think it can be adapted to other distros. This will assume a 64-bit amd64 setup, but it should also be usable on i386 (then you need to fetch different files and your kernel is located in a different directory).
The setup is highly based on the Gentoo handbook and this wiki entry http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID. It also requires another computer with Linux (openssl + netcat) and a boot medium; I prefer the SystemRescueCd http://www.sysresccd.org/SystemRescueCd_Homepage
This should be a complete step-by-step manual (hope I did not forget anything).
Preparation
On our client we need to do the following
mkdir sslpassword
cd sslpassword
openssl genrsa -out private.pem 4048
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
and create a file with the following content ('nano -w passwordsend'; the IP address is the IP address of your future encrypted server, so change it to your needs)
#!/bin/bash
# first connection: receive the server's one-time public key, unwrap it with the private key generated above
nc 192.168.0.100 1234 | openssl rsautl -decrypt -inkey private.pem > tempbub.pem
echo Enter password:
read -s pass
# second connection: encrypt the password to the one-time key and send it back
echo "$pass" | openssl rsautl -encrypt -inkey tempbub.pem -pubin | nc 192.168.0.100 1234 -q 1
pass=""
rm tempbub.pem
make the file executable: 'chmod +x passwordsend'
You can copy the public.pem to a USB drive, or we send it later to the server with netcat (also, it might be useful to create some of the later files on a computer with more than the console, as we will only have the console during a Gentoo setup).
So let's boot our new server from CD (choose the 64-bit kernel or else we get in trouble when chrooting).
I will assume only a single hard drive, but it can be easily adapted with software RAID as shown in the link above.
Harddisk
So let's create two partitions with 'fdisk /dev/sda' (one for boot, I suggest 100M, and one with the rest)
mkfs.ext2 /dev/sda1
cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 servercrypt
pvcreate /dev/mapper/servercrypt
vgcreate servercryptlvm /dev/mapper/servercrypt
lvcreate -L1G -nswap servercryptlvm (1G for swap; change the number for different sizes)
lvcreate -l100%FREE -nroot servercryptlvm
mkswap /dev/mapper/servercryptlvm-swap
mkfs.ext4 /dev/mapper/servercryptlvm-root
mount /dev/mapper/servercryptlvm-root /mnt/gentoo
mkdir /mnt/gentoo/boot
mount /dev/sda1 /mnt/gentoo/boot
Install Portage
cd /mnt/gentoo/
wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/amd64/current-stage3/stage3*.bz2"
wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/snapshots/current/portage-latest.tar.bz2"
tar xjpf stage3*
tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
nano -w /mnt/gentoo/etc/make.conf
change the CFLAGS line to
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
add the line (number equals number of cores + 1)
MAKEOPTS="-j2"
close and write the file
Installing the base system
mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf
cp -L /etc/resolv.conf /mnt/gentoo/etc/
mount -t proc none /mnt/gentoo/proc
mount --rbind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash
env-update
source /etc/profile
export PS1="(chroot) $PS1"
emerge --sync
eselect profile list (choose one with 'eselect profile set number', but the default one should do)
nano -w /etc/locale.gen (uncomment the ones needed)
locale-gen
Kernel Setup
ls /usr/share/zoneinfo (find your Timezone)
cp /usr/share/zoneinfo/GMT /etc/localtime (if your Timezone is GMT)
emerge gentoo-sources
cd /usr/src/linux
make menuconfig
Set up your kernel; we need some things: ext2 (for boot), ext4 (for root), device mapper support, crypt target support, the cryptographic and hash algorithms used (AES should be enabled by default, SHA256 must be enabled by hand), your network card
make
make modules_install
cp arch/x86_64/boot/bzImage /boot/kernel
System Config
nano -w /etc/fstab
/dev/sda1 /boot ext2 defaults,noatime 1 2
/dev/mapper/servercryptlvm-swap none swap sw 0 0
/dev/mapper/servercryptlvm-root / ext4 noatime 0 1
nano -w /etc/conf.d/hostname (set your hostname)
nano -w /etc/conf.d/net (configure your network; use your IP address)
config_eth0="192.168.0.100 netmask 255.255.255.0 brd 192.168.0.255"
cd /etc/init.d
ln -s net.lo net.eth0
rc-update add net.eth0 default
passwd (set your root password)
nano -w /etc/rc.conf (configuration)
nano -w /etc/conf.d/keymaps (keyboard layout)
nano -w /etc/conf.d/hwclock (clock)
Base tools
emerge syslog-ng
rc-update add syslog-ng default
emerge vixie-cron
rc-update add vixie-cron default
(optional) emerge dhcpcd (if you want a DHCP client, but since it will be a server I think it is not required)
Tools needed for encryption
nano -w /etc/portage/package.use
sys-fs/lvm2 static
sys-apps/busybox static
net-analyzer/netcat static -crypt
emerge lvm2 busybox netcat
emerge cryptsetup
Now we come to openssl, which is a little bit tricky since Gentoo does not have a
statically linked version, so we do the following
emerge -vf openssl
mkdir /tmp/opensslstatic
cd /tmp/opensslstatic
cat /usr/portage/distfiles/openssl*.tar.gz |gzip -d |tar xv
cd open*
./config -static
make
cd apps
cp openssl /tmp
Initramfs
cd /usr/src
mkdir initram
cd initram
mkdir bin dev dev/mapper etc newroot proc sys
cp /bin/busybox /sbin/cryptsetup /sbin/lvm.static /tmp/openssl /usr/bin/nc bin
mv bin/lvm.static bin/lvm
ln -s busybox bin/cat
ln -s busybox bin/mount
ln -s busybox bin/sh
ln -s busybox bin/switch_root
ln -s busybox bin/umount
ln -s busybox bin/sleep
ln -s busybox bin/mdev
ln -s lvm bin/vgscan
ln -s lvm bin/vgchange
(init.remote below also calls ifconfig and rm, so link them as well unless your busybox runs its applets standalone: ln -s busybox bin/ifconfig && ln -s busybox bin/rm)
(Optional, non-US keyboard layout) busybox dumpkmap > etc/kmap-de && ln -s busybox bin/loadkmap
Copy your public key to the server (use a USB stick or netcat); for example, on the server: "nc -vlp 1234 > public.pem" (run it inside /usr/src/initram, since init.remote expects public.pem in the root of the initramfs) and on the client: "cat public.pem | nc -q 1 SERVERIP 1234"
nano -w init.remote
#!/bin/sh
mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`
mount -t sysfs none /sys
# mdev lives in /bin in this initramfs (there is no /sbin)
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
sleep 3
ifconfig eth0 192.168.0.100
# keep asking until the LUKS volume has been opened
while [ ! -b /dev/mapper/servercrypt ]
do
# one-time key pair for this attempt
openssl genrsa -out temp.pem 1024
openssl rsa -in temp.pem -out pubtemp.pem -outform PEM -pubout
echo awaiting remote password
# first connection: hand out the one-time public key, wrapped with the client's public key
cat pubtemp.pem | openssl rsautl -encrypt -inkey public.pem -pubin | /bin/nc -lp 1234 -q 1
# second connection: receive the password and unwrap it with the one-time private key
/bin/nc -lp 1234 | openssl rsautl -decrypt -inkey temp.pem > pass
cat pass | cryptsetup luksOpen /dev/sda2 servercrypt
rm temp.pem
rm pubtemp.pem
rm pass
done
ifconfig eth0 0.0.0.0
ifconfig eth0 down
/bin/vgscan
/bin/vgchange -ay servercryptlvm
mount -r /dev/mapper/servercryptlvm-root /newroot
umount /sys
umount /proc
exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}
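As an added example (not the author's code), the two-connection exchange between passwordsend and init.remote replayed in one shell script: files stand in for the netcat sockets, the non-deprecated openssl pkeyutl (same PKCS#1 v1.5 padding) replaces rsautl, and a size check shows why the client's long-term key must be large enough to wrap the one-time public key. Key sizes (4096 and 2048 bits), file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: passwordsend / init.remote exchange replayed
# locally. Files replace the two netcat connections; pkeyutl replaces the deprecated rsautl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Largest plaintext an RSA key can wrap with PKCS#1 v1.5 padding: modulus bytes minus 11.
rsa_max_plaintext() {
  hex=$(openssl rsa -pubin -in "$1" -noout -modulus | cut -d= -f2)
  echo $(( ${#hex} / 2 - 11 ))
}

# Client, done once: long-term pair (the post uses 4048 bits; 4096 here).
gen_client_keys() {
  openssl genrsa -out "$WORK/private.pem" 4096 2>/dev/null
  openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# Server, first connection: one-time key, public half wrapped to the client's public key.
# The PEM must fit under the long-term key's limit: a 2048-bit client key (245 bytes) cannot
# wrap even a 1024-bit public key PEM, which is why the post needs the larger key.
server_offer() {
  openssl genrsa -out "$WORK/temp.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/temp.pem" -pubout -out "$WORK/pubtemp.pem" 2>/dev/null
  need=$(wc -c < "$WORK/pubtemp.pem"); limit=$(rsa_max_plaintext "$WORK/public.pem")
  [ "$need" -le "$limit" ] || { echo "client key too small: $need > $limit bytes" >&2; return 1; }
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
    -in "$WORK/pubtemp.pem" -out "$WORK/msg1.bin"
}

# Client: unwrap the one-time key and send the password wrapped to it (newline as echo would add).
# Nothing here tells the client who produced msg1; only the wrapping itself is checked.
client_answer() {
  openssl pkeyutl -decrypt -inkey "$WORK/private.pem" -in "$WORK/msg1.bin" -out "$WORK/tempbub.pem"
  printf '%s\n' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/tempbub.pem" -out "$WORK/msg2.bin"
  rm -f "$WORK/tempbub.pem"
}

# Server, second connection: recover the password (what init.remote pipes into cryptsetup).
server_unlock() {
  openssl pkeyutl -decrypt -inkey "$WORK/temp.pem" -in "$WORK/msg2.bin"
  rm -f "$WORK/temp.pem" "$WORK/pubtemp.pem" "$WORK/msg1.bin" "$WORK/msg2.bin"
}

run_exchange() { server_offer && client_answer "$1" && server_unlock; }

gen_client_keys
run_exchange 'constructed-demo-passphrase'
```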
nano -w init.local
#!/bin/sh
mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`
mount -t sysfs none /sys
# mdev lives in /bin in this initramfs (there is no /sbin)
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
sleep 3
#uncomment if you have a non us keyboard layout
#loadkmap < /etc/kmap-de
# keep asking until the LUKS volume has been opened
while [ ! -b /dev/mapper/servercrypt ]
do
echo enter password
read -s pass
echo "$pass" | cryptsetup luksOpen /dev/sda2 servercrypt
pass=""
done
/bin/vgscan
/bin/vgchange -ay servercryptlvm
mount -r /dev/mapper/servercryptlvm-root /newroot
umount /sys
umount /proc
exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}
chmod u+x init.local init.remote
nano -w initgenerate
cp init.local init
find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.local
cp init.remote init
find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.remote
rm init
chmod +x initgenerate
emerge -v cpio (if it is missing)
./initgenerate
Grub
emerge grub
nano -w /boot/grub/grub.conf
default 0
timeout 20
title=linux remote password
root (hd0,0)
kernel /boot/kernel
initrd /boot/initramfs.remote
title=linux local password
root (hd0,0)
kernel /boot/kernel
initrd /boot/initramfs.local
grub
device (hd0) /dev/sda
root (hd0,0)
setup (hd0)
quit
exit
reboot
Cross fingers ;) When all is done right you can send your password via the remote passwordsender. I hope I have made no mistakes copying the info from my personal documentation. Now you can start installing everything your server needs. Most likely you need an OpenSSH server so that you can connect to your server ("emerge -v openssh && rc-update add sshd default").