Root Encryption On A Gentoo Server With Ability To Send Password Over Network

After watching the last episode I thought maybe someone might be interested in a server setup with an encrypted root and the ability to send the password encrypted over the network. My setup is definitely not perfect and some tweaks are appreciated. The main idea is to start the network in an initramfs environment and have netcat waiting for a password that is then decrypted by openssl and finally gets passed to cryptsetup. The password should be safe over the network, but I don't think it is a perfect setup. I also have an Android app that is able to send the password, but the source code is a mess; if there is demand I can provide the code as well.

I am sorry this will be a longer post, but maybe someone is interested in an encrypted server. The whole text assumes a Gentoo setup, but I think it can be adapted to other distros. It will assume a 64-bit amd64 setup, but it should also be usable on i386 (then you need to fetch different files and your kernel is located in a different directory).

The setup is highly based on the Gentoo handbook and this wiki entry http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID. It also requires another computer with Linux (openssl + netcat) and a boot medium; I prefer the SystemRescueCD http://www.sysresccd.org/SystemRescueCd_Homepage

This should be a complete step-by-step manual (hope I did not forget anything).


On our client we need to do the following:

mkdir sslpassword

cd sslpassword

openssl genrsa -out private.pem 4048

openssl rsa -in private.pem -out public.pem -outform PEM -pubout

and create a file with the following content, 'nano -w passwordsend' (SERVERIP is a placeholder for the IP address of your future encrypted server, so change it to your needs):

#!/bin/sh
# receive the server's one-time public key (encrypted with our public key) and decrypt it with our private key
nc SERVERIP 1234 | openssl rsautl -decrypt -inkey private.pem > temppub.pem
echo Enter password:
read -s pass
# encrypt the password with the one-time key and send it back to the server
echo "$pass" | openssl rsautl -encrypt -inkey temppub.pem -pubin | nc SERVERIP 1234 -q 1
rm temppub.pem

make the file executable 'chmod +x passwordsend'

You can copy the public.pem to a USB drive, or we send it later to the server with netcat (also it might be useful to create some of the later files on a computer with more than the console, as we will only have the console during a Gentoo setup).

So let's boot our new server from CD (choose the 64-bit kernel or else we get in trouble when chrooting).

I will assume only a single hard drive, but it can easily be adapted to software RAID as shown in the link above.


So let's create two partitions with 'fdisk /dev/sda' (one for boot, I suggest 100M, and one with the rest).

mkfs.ext2 /dev/sda1

cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2

cryptsetup luksOpen /dev/sda2 servercrypt

pvcreate /dev/mapper/servercrypt

vgcreate servercryptlvm /dev/mapper/servercrypt

lvcreate -L1G -nswap servercryptlvm (1G for swap, change the number for different sizes)

lvcreate -l100%FREE -nroot servercryptlvm

mkswap /dev/mapper/servercryptlvm-swap

mkfs.ext4 /dev/mapper/servercryptlvm-root

mount /dev/mapper/servercryptlvm-root /mnt/gentoo

mkdir /mnt/gentoo/boot

mount /dev/sda1 /mnt/gentoo/boot

Install Portage

cd /mnt/gentoo/

wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/amd64/current-stage3/stage3*.bz2"

wget "ftp://distfiles.gentoo.org/pub/gentoo/releases/snapshots/current/portage-latest.tar.bz2"

tar xjpf stage3*

tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr

nano -w /mnt/gentoo/etc/make.conf

change the CFLAGS line to

CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"

add the MAKEOPTS line (the number equals the number of cores + 1; -j3 is for a dual-core machine)

MAKEOPTS="-j3"

close and write the file

Installing the base system

mirrorselect -i -o >> /mnt/gentoo/etc/make.conf

mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf

cp -L /etc/resolv.conf /mnt/gentoo/etc/

mount -t proc none /mnt/gentoo/proc

mount --rbind /dev /mnt/gentoo/dev

chroot /mnt/gentoo /bin/bash


source /etc/profile

export PS1="(chroot) $PS1"

emerge --sync

eselect profile list (choose one with 'eselect profile set <number>', but the default one should do)

nano -w /etc/locale.gen (uncomment the ones needed)


Kernel Setup

ls /usr/share/zoneinfo (find your Timezone)

cp /usr/share/zoneinfo/GMT /etc/localtime (if your Timezone is GMT)

emerge gentoo-sources

cd /usr/src/linux

make menuconfig

Set up your kernel; we need some things: ext2 (for boot), ext4 (for root), device mapper support, crypt target support, the cryptographic and hash algorithms used (aes should be enabled by default, sha256 must be enabled by hand), and your network card.

make

make modules_install

cp arch/x86_64/boot/bzImage /boot/kernel

System Config

nano -w /etc/fstab

/dev/sda1 /boot ext2 defaults,noatime 1 2

/dev/mapper/servercryptlvm-swap none swap sw 0 0

/dev/mapper/servercryptlvm-root / ext4 noatime 0 1

nano -w /etc/conf.d/hostname (set your hostname)

nano -w /etc/conf.d/net (configure your network; SERVERIP, NETMASK and BROADCAST are placeholders for your IP address, netmask and broadcast address)

config_eth0="SERVERIP netmask NETMASK brd BROADCAST"

cd /etc/init.d

ln -s net.lo net.eth0

rc-update add net.eth0 default

passwd (set your root password)

nano -w /etc/rc.conf (configuration)

nano -w /etc/conf.d/keymaps (keyboard layout)

nano -w /etc/conf.d/hwclock (clock)


emerge syslog-ng

rc-update add syslog-ng default

emerge vixie-cron

rc-update add vixie-cron default

(optional) emerge dhcpcd (if you want a dhcp client, but since it will be a server I think it is not required)

Tools needed for encryption

nano -w /etc/portage/package.use (everything that goes into the initramfs must be statically linked, as there are no shared libraries in it; that includes cryptsetup)

sys-fs/lvm2 static
sys-apps/busybox static
net-analyzer/netcat static -crypt
sys-fs/cryptsetup static

emerge lvm2 busybox netcat

emerge cryptsetup

Now we come to openssl, which is a little bit tricky since Gentoo does not have a statically linked version, so we do the following:

emerge -vf openssl

mkdir /tmp/opensslstatic

cd /tmp/opensslstatic

cat /usr/portage/distfiles/openssl*.tar.gz |gzip -d |tar xv

cd open*

./config -static

make

cd apps

cp openssl /tmp


cd /usr/src

mkdir initram

cd initram

mkdir bin dev dev/mapper etc newroot proc sys

cp /bin/busybox /sbin/cryptsetup /sbin/lvm.static /tmp/openssl /usr/bin/nc bin

mv bin/lvm.static bin/lvm

ln -s busybox bin/cat

ln -s busybox bin/mount

ln -s busybox bin/sh

ln -s busybox bin/switch_root

ln -s busybox bin/umount

ln -s busybox bin/sleep

ln -s busybox bin/mdev

ln -s busybox bin/ifconfig (used by init.remote to bring the network up and down)

ln -s busybox bin/rm (used by the init scripts to delete the one-time key and password)

ln -s lvm bin/vgscan

ln -s lvm bin/vgchange

(Optional Non US Keyboard Layout) busybox dumpkmap > etc/kmap-de && ln -s busybox bin/loadkmap

Copy your public key to the server (use a USB stick or netcat); it has to end up in /usr/src/initram, where init.remote expects it as public.pem. For example, on the server: "nc -vlp 1234 > public.pem" and on the client: "cat public.pem | nc -q 1 SERVERIP 1234"

nano -w init.remote (SERVERIP and NETMASK are placeholders for the server's IP address and netmask, as above)

#!/bin/sh
mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`
mount -t sysfs none /sys
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
sleep 3
# bring up the network so the client can reach us
ifconfig eth0 SERVERIP netmask NETMASK up
# keep asking for the password until the LUKS container is open
while [ ! -b /dev/mapper/servercrypt ]; do
    # one-time key pair for this attempt
    openssl genrsa -out temp.pem 1024
    openssl rsa -in temp.pem -out pubtemp.pem -outform PEM -pubout
    echo awaiting remote password
    # send the one-time public key, encrypted with the client's public key
    cat pubtemp.pem | openssl rsautl -encrypt -inkey public.pem -pubin | /bin/nc -lp 1234 -q 1
    # receive the password encrypted with the one-time key and decrypt it
    /bin/nc -lp 1234 | openssl rsautl -decrypt -inkey temp.pem > pass
    cat pass | cryptsetup luksOpen /dev/sda2 servercrypt
    rm temp.pem pubtemp.pem pass
done
ifconfig eth0 down
/bin/vgchange -ay servercryptlvm
mount -r /dev/mapper/servercryptlvm-root /newroot
umount /sys
umount /proc
exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}
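The same two-message exchange between passwordsend and init.remote, as an added example that is not part of the original post: both sides run locally with files standing in for the two netcat connections, and openssl pkeyutl with OAEP padding replaces the post's rsautl. It assumes the openssl command line tool is installed; all file names are local to a temporary directory.

```shell
#!/bin/sh
# Added example (not code from the original post): the passwordsend / init.remote
# exchange run locally, with files in $WORK standing in for the netcat connections.
set -e
WORK=$(mktemp -d)

# Client, done once: long-term key pair. public.pem is the file copied to the server.
client_keygen() {
  openssl genrsa -out "$WORK/private.pem" 4096 2>/dev/null
  openssl rsa -in "$WORK/private.pem" -pubout -out "$WORK/public.pem" 2>/dev/null
}

# Server (init.remote), each boot: fresh one-time pair. Its public half (DER, so it
# fits in one RSA block of the 4096-bit client key) is encrypted to the client's
# long-term public key and becomes message 1.
server_offer() {
  openssl genrsa -out "$WORK/temp.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/temp.pem" -pubout -outform DER -out "$WORK/pubtemp.der" 2>/dev/null
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/pubtemp.der" -out "$WORK/msg1.bin"
}

# Client (passwordsend): recover the one-time public key with the long-term private
# key, then encrypt the passphrase to it; that ciphertext is message 2.
client_answer() {
  openssl pkeyutl -decrypt -inkey "$WORK/private.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg1.bin" -out "$WORK/pubtemp-client.der"
  printf '%s' "$1" > "$WORK/pass.txt"
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$WORK/pubtemp-client.der" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/pass.txt" -out "$WORK/msg2.bin"
  rm -f "$WORK/pass.txt" "$WORK/pubtemp-client.der"
}

# Server: decrypt message 2 with the one-time private key; this is the text that
# init.remote pipes into cryptsetup luksOpen. One-time material is deleted after use.
server_unwrap() {
  openssl pkeyutl -decrypt -inkey "$WORK/temp.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg2.bin"
  rm -f "$WORK/temp.pem" "$WORK/pubtemp.der" "$WORK/msg2.bin"
}

# Whole round trip; prints the passphrase the server would hand to cryptsetup.
run_exchange() {
  client_keygen
  server_offer
  client_answer "$1"
  server_unwrap
}
```

The 4048/1024-bit sizes in the post are not arbitrary: the client's key must be large enough to wrap the whole one-time public key in a single RSA block (here 4096 and 2048 bits with DER encoding). Message 1 is encrypted to public.pem, which anyone holding that file can do, so the exchange hides the password on the wire but does not by itself prove the one-time key came from your server.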

nano -w init.local

#!/bin/sh
mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`
mount -t sysfs none /sys
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
sleep 3
#uncomment if you have a non US keyboard layout
#loadkmap < /etc/kmap-de
# keep asking for the password until the LUKS container is open
while [ ! -b /dev/mapper/servercrypt ]; do
    echo enter password
    read -s pass
    echo "$pass" | cryptsetup luksOpen /dev/sda2 servercrypt
done
/bin/vgchange -ay servercryptlvm
mount -r /dev/mapper/servercryptlvm-root /newroot
umount /sys
umount /proc
exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}

chmod u+x init.local init.remote

nano -w initgenerate

#!/bin/sh
cd /usr/src/initram
# build the initramfs for local password entry
cp init.local init
find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.local
# build the initramfs for remote password entry
cp init.remote init
find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs.remote
rm init

chmod +x initgenerate

emerge -v cpio (if it is missing)

./initgenerate

emerge grub

nano -w /boot/grub/grub.conf

default 0
timeout 20
title=linux remote password
root (hd0,0)
kernel /boot/kernel
initrd /boot/initramfs.remote
title=linux local password
root (hd0,0)
kernel /boot/kernel
initrd /boot/initramfs.local

Then install grub into the MBR from the grub shell ('grub --no-floppy'):

device (hd0) /dev/sda
root (hd0,0)
setup (hd0)
quit




Cross fingers ;) When all is done right you can send your password via the remote password sender. I hope I have made no mistakes copying the info from my personal documentation. Now you can start installing everything your server needs. Most likely you need an OpenSSH server so that you can connect to your server ("emerge -v openssh && rc-update add sshd default").
