Root Encryption On A Gentoo Server With Ability To Send Password Over Network

[robinx99]

Hi,

after watching the last episode I thought maybe somone might be interesting in a sever setup with encrypted root and the ability to send the password encrypted over the network. My setup is definitiv not perfect and some tweaks are appreciated. The main idea is to start the network in an initramfs environment and have netcat waiting vor a password that is then decrypted by openssl and finaly gets passed to cryptsetup. The password should be safe over the network, but I don't think it is a perfect setup. I also have an Android app that is able to send the password, but the source code is a mess, but if there is demand I can provide the code as well.

I am sorry this will be a longer post, but maybe somone is interested in an encrypted server. The whole text assumes a gentoo setup, but I think it can be adapted to other distros. This will assume a 64bit amd64 setup but it should also be usable on i386 then you need to fetch different files and your kernel is located in a different directory)

The setup is Highly based on the Gentoo handbook and this wiki entry http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID it also requires another computer with linux (openssl + netcat) and a boot medium I prefere the SystemrescueCD http://www.sysresccd.org/SystemRescueCd_Homepage

This should be a complete step by step Manual (hope I did not forget anything)

Preparation

On oure client we need to do the following

mkdir sslpassword

cd sslpassword

openssl genrsa -out private.pem 4048

openssl rsa -in private.pem -out public.pem -outform PEM -pubout

and create a file with the following content 'nano -w passwordsend' (IP adress is the IP adress of your future encrypted server, so change it to your needs)

_{nc 192.168.0.100 1234 | openssl rsautl -decrypt -inkey client.pem > tempbub.pem}

_{echo Enter password:}

_{read -s pass}

_{echo $pass | openssl rsautl -encrypt -inkey tempbub.pem -pubin |nc 192.168.0.100 1234 -q 1}

_pass=""

_{rm tempbub.pem}

make the file executable 'chmod +x passwordsend'

You can copy the public.pem to a USB drive or we send it later to the server with netcat (also it might be useful to create some of the later files on a computer with more then the console, as we will only have the consol during a gentoo setup)

So lets boot oure new server from CD (choose 64bit kernel or else we get in trouble when chrooting)

I will asume only a single hard drive but it can be easily adapted with software raid as shown in the link above.

Harddisk

So lets create to partitions 'fdisk /dev/sda (1 boot I suggest 100M and one with the rest)

mkfs.ext2 /dev/sda1

cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2

cryptsetup luksOpen /dev/sda2 servercrypt

pvcreate /dev/mapper/servercrypt

vgcreate servercryptlvm /dev/mapper/servercrypt

lvcreate -L1G -nswap servercryptlvm (1G for swap change the number for Different sizes)

lvcreate --l100%FREE -n -nroot servercryptlvm

mkswap /dev/mapper/servercryptlvm-swap

mkfs.ext4 /dev/mapper/servercryptlvm-root

mount /dev/servercryptlvm-root /mnt/gentoo

mkdir /mnt/gentoo/boot

mount /dev/sda1 /mnt/gentoo/boot

Install Portage

cd /mnt/gentoo/

wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/amd64/current-stage3/stage3*.bz2"

wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/snapshots/current/portage-latest.tar.bz2"

tar xjpf stage3*

tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr

nano -w /mng/gentoo/etc/make.conf

change cflags line to

_{CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"}

add line (Number equals number of cores+1)

_{MAKEOPTS="−j2"}

close and write file

Insalling the base system

mirrorselect -i -o » /mnt/gentoo/etc/make.conf

mirrorselect -i -r -o » /mnt/gentoo/etc/make.conf

cp -L /etc/resolv.conf /mnt/gentoo/etc/

mount -t proc none /mnt/gentoo/proc

mount --rbind /dev /mnt/gentoo/dev

chroot /mnt/gentoo /bin/bash

env-update

source /etc/profile

export PS1="(chroot) $PS1"

emerge --sync

eselect profile list (choose one with 'eselect set number' but the default one should do)

nano -w /etc/locale.gen (uncomment the ones needed)

locale-gen

Kernel Setup

ls /usr/share/zoneinfo (find your Timezone)

cp /usr/share/zoneinfo/GMT /etc/localtime (if your Timezone is GMT)

emerge gentoo-sources

cd /usr/src/linux

make menuconfig

Setup your kernel we need some things: ext2 (for boot), ext4 (for root), Device mapper support, Crypt target suport, The Cryptographic and hash algorithm used (aes should be enabled by default, sha256 must be enabled by hand), Your networkcard

make

make modules_install

cp arch/x86_64/boot/bzImage /boot/kernel

System Config

nano -w /etc/fstab

_{/dev/sda1 /boot ext2 defaults,noatime 1 2}

_{/dev/mapper/servercryptlvm-swap none swap sw 0 0}

_{/dev/mapper/servercryptlvm-root / ext4 noatime 0 1}

nano -w /etc/conf.d/hostname (set your hostname)

nano -w /etc/conf.d/net (config your network use your ip adress)

_{config_eth0="192.168.0.100 netmask 255.255.255.0 brd 192.168.0.255"}

cd /etc/init.d

ln -s net.lo net.eth0

rc-update add net.eth0 default

passwd (set your root password)

nano -w /etc/rc.conf (configuration)

nano -w /etc/conf.d/keymaps (keyboard layout)

nano -w /etc/conf.d/hwclock (clock)

Basetools

emerge syslog-ng

rc-update add syslog-ng default

emerge vixie-cron

rc-update add vixie-cron default

(optional) emerge dhcpcd (if you want a dhcp client, but since it will be a server I think it is not required)

Tools needed for encryption

nano -w /etc/portage/package.use

_{sys-fs/lvm2 static}

_{sys-apps/busybox static}

_{net-analyzer/netcat static -crypt}

emerge lvm2 busybox netcat

emerge cryptsetup

Now we come to openssl which is a little bit tricky since gentoo does not have a

static linked version so we do the following

_{emerge -vf openssl}

_{mkdir /tmp/opensslstatic}

_{cd /tmp/opensslstatic}

_{cat /usr/portage/distfiles/openssl*.tar.gz |gzip -d |tar xv}

_{cd open*}

_{./config -static}

_make

_{cd apps}

_{cp openssl /tmp}

Initramfs

cd /usr/src

mkdir initram

cd initram

mkdir bin dev dev/mapper etc newroot proc sys

cp /bin/busybox /sbin/cryptsetup /sbin/lvm.static /tmp/openssl /usr/bin/nc bin

mv bin/lvm.static bin/lvm

ln -s busybox bin/cat

ln -s busybox bin/mount

ln -s busybox bin/sh

ln -s busybox bin/switch_root

ln -s busybox bin/umount

ln -s busybox bin/sleep

ln -s busybox bin/mdev

ln -s lvm bin/vgscan

ln -s lvm bin/vgchange

(Optional Non US Keyboard Layout) busybox dumpkmap > etc/kmap-de && ln -s busybox bin/loadkmap

Copy your Public Key to the Server (use USB Stick or netcat), for example do on the Server: "nc -vlp 1234 > public.pem" and on the Client: "cat public.pem | nc -q 1 SERVERIP 1234"

nano -w init.remote

_#!/bin/sh

_{mount -t proc none /proc}

_{CMDLINE=`cat /proc/cmdline`}

_{mount -t sysfs none /sys}

_{echo /sbin/mdev > /proc/sys/kernel/hotplug}

_{mdev -s}

_{sleep 3}

_{ifconfig eth0 192.168.0.100}

_{while ( if [ -b /dev/mapper/servercrypt ]; then false; else true; fi ) ;}

_do

_{openssl genrsa -out temp.pem 1024}

_{openssl rsa -in temp.pem -out pubtemp.pem -outform PEM -pubout}

_{echo awaiting remote password}

_{cat pubtemp.pem |openssl rsautl -encrypt -inkey public.pem -pubin | /bin/nc -lp 1234 -q 1}

_{/bin/nc -lp 1234 | openssl rsautl -decrypt -inkey temp.pem > pass}

_{cat pass | cryptsetup luksOpen /dev/sda2 servercrypt}

_{rm temp.pem}

_{rm pubtemp.pem}

_{rm pass}

_done

_{ifconfig eth0 0.0.0.0}

_{ifconfig eth0 down}

_/bin/vgscan

_{/bin/vgchange -ay servercryptlvm}

_{mount -r /dev/mapper/servercryptlvm-root /newroot}

_{umount /sys}

_{umount /proc}

_{exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}}

nano -w init.local

_#!/bin/sh

_{mount -t proc none /proc}

_{CMDLINE=`cat /proc/cmdline`}

_{mount -t sysfs none /sys}

_{echo /sbin/mdev > /proc/sys/kernel/hotplug}

_{mdev -s}

_{sleep 3}

_{#uncomment if you have a non us keyboard layout}

_{#loadkmap < /etc/kmap-de}

_{while ( if [ -b /dev/mapper/servercrypt ]; then false; else true; fi ) ;}

_do

_{echo enter password}

_{read -s pass}

_{echo $pass | cryptsetup luksOpen /dev/sda2 servercrypt}

_pass=""

_done

_/bin/vgscan

_{/bin/vgchange -ay servercryptlvm}

_{mount -r /dev/mapper/servercryptlvm-root /newroot}

_{umount /sys}

_{umount /proc}

_{exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}}

chmod u+x init.local init.remote

nano -w initgenerate

_{cp init.local init}

_{find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.local}

_{cp init.remote init}

_{find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.remote}

_{rm init}

chmod +x initgenerate

emerge -v cpio (if it is missing)

./initgenerate

Grub

emerge grub

_{nano -w /boot/grub/grub.conf}

_{default 0}

_{timeout 20}

_{title=linux remote password}

_{root (hd0,0)}

_{kernel /boot/kernel}

_{initrd /boot/initramfs.remote}

_{title=linux local password}

_{root (hd0,0)}

_{kernel /boot/kernel}

_{initrd /boot/initramfs.local}

grub

_{device (hd0) /dev/sda}

_{root (hd0,0)}

_{setup (hd0)}

_quit

exit

reboot

Cross fingers ;) When all is done right you can send your password via the remote passwordsender. I hope I have done no mistakes coping the info from my personal dokumentation. Now you can start installing everything your server needs. Most likely you need openssh server so that you can connect to your server ("emerge -v openssh && rc-update add sshd default")