
A paranoid's dream, or once again about encryption
In the light of recent events around torrents.ru and the increased activity of state anti-piracy agencies, I think many people have thought about how to protect themselves or their server in case unexpected "guests" turn up. So my task was to protect a local media server from such encroachments, and after spending a couple of days googling and reading manuals / howtos, I managed to implement it. I will say right away that there are plenty of encryption articles, but they mostly cover encrypting only certain partitions, or they are outdated / contain many errors.
GOALS:
- All hard drive(s) must be securely encrypted
- There should be no visible partitioning on the drives at all, as if it were a new (or wiped) drive
- The OS must be on encrypted partitions
- It should be possible to increase disk space by adding new drives
- Boot the system without entering the encryption key
THEORY:
First, I'll briefly explain the theory of how this all works: the bootloader and the key file are stored on a small (<50MB) partition of the flash drive; when the computer is powered on, the bootloader loads the kernel and initrd from it, the initrd unlocks access to the encrypted drive and activates the logical volumes (LVM), and then the normal system boot proceeds.
Ubuntu Server 9.10 was chosen as the operating system, but you can implement this on any UNIX-like system. One caveat up front: the installer offers the option of encrypting the system at the installation stage, but that way it is impossible to achieve goals 1 and 2 from the list above, so we will do it manually.
We will need:
- Ubuntu Server 9.10 image
- A LiveCD distribution. I took a regular Ubuntu Desktop CD, since it can work with encrypted partitions out of the box.
- A flash drive that will be used to boot the system
- Basic knowledge of *nix systems
- A steady pair of hands
STEP 1. Preparing a flash drive and hard drive
A) Partitioning the flash drive into partitions and creating a key
Connect the flash drive to the computer whose drive will be encrypted and boot from the LiveCD. Our task is to create 2 partitions on the flash drive: the first will occupy almost all the space and be formatted as FAT16, FAT32 or NTFS (your choice); the second partition will be made at the end of the flash drive, 50MB in size, and formatted as ext2. Such a layout is not accidental: thanks to the first partition, the flash drive remains fully usable in any OS. Also, in Windows the second partition will be invisible, which is a plus if your flash drive falls into the wrong hands. To create the partitions I used the GParted graphical utility (it was on the LiveCD), but nothing stops you from using fdisk. After creating the partitions, mount them in the system:
sudo su
mkdir /mnt/flash /mnt/boot
mount /dev/sdb1 /mnt/flash
mount /dev/sdb2 /mnt/boot
Now create the key file with which we will encrypt the drive, and make a duplicate of it (just in case):
dd if=/dev/random of=/mnt/boot/mykey bs=1 count=256
cp /mnt/boot/mykey /mnt/flash/
B) Preparing the drive for encryption
First, we need to fill the drive with completely random data. This is done so that it is impossible to determine in which sectors your data is located and how much space it occupies; roughly speaking, the entire drive viewed in a hex editor should look uniformly filled with incoherent garbage, regardless of how much information you store. There are 2 standard ways to do this, and both are slow, so be patient.
The first way. Random data is taken from a pseudo-random number generator and written to the drive in 2MB blocks. The generation speed on a Core Quad Q6600 was only 6MB/s, so the 80GB test drive took 4 hours to fill.
sudo dd if=/dev/urandom of=/dev/sda bs=2M
I personally did not test the second method, since I found it after preparing the drive. It uses the bad-block testing program. I can't say anything about the speed of this method or the "quality" of its random data.
sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda
Now that the disk surface is filled, it's time to encrypt it. For this we use LUKS.
sudo cryptsetup --hash sha256 --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda /mnt/boot/mykey
You will be warned about data destruction; to confirm, type YES (in capital letters). Now open the encrypted disk:
sudo cryptsetup --key-file /mnt/boot/mykey luksOpen /dev/sda drivespace
Enter the password and you get the new block device /dev/mapper/drivespace. The resulting device can be used just like a regular drive.
C) Creating a virtual partitioning (LVM)
You could create regular partitions and format them, but that would not allow expanding the partitions later (you would have to add new ones), so we use LVM. In short, it allows you to add new drives to the pool at any time and extend the logical volumes onto the added free space. My LiveCD booted without the necessary packages, so first we install them, then create a physical volume from our decrypted drive and divide it into logical volumes.
sudo su
apt-get install lvm2
pvcreate /dev/mapper/drivespace
vgcreate vg /dev/mapper/drivespace
lvcreate -L1G -nswap vg
lvcreate -L3G -nroot vg
lvcreate -l 100%FREE -ndata vg
Now we have 3 more block devices: /dev/mapper/vg-swap, /dev/mapper/vg-root and /dev/mapper/vg-data. We format them with the required filesystems.
sudo su
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.xfs /dev/mapper/vg-data
Done! Our drive is ready for the OS to be transferred onto it. To prepare the system we will need the UUIDs of the drive and partitions, so we save them to a file on the flash drive:
ls -l /dev/disk/by-uuid >/mnt/flash/uuid.txt
STEP 2. Preparing the operating system
A) System Installation
You need to install the OS either on a separate drive or on a second computer (virtual machine). Before installation, connect the flash drive. It is better to do a minimal installation and choose settings to your needs. The only important point is that you must specify right away that /boot goes on the second partition of the flash drive (so as not to move it later) and make sure that the GRUB bootloader is installed on the flash drive.
B) Installing additional packages, changing settings
After the installation is complete, we need to add packages for encryption and LVM support and fix some configs. Install the packages (with an Internet connection):
sudo apt-get -y install cryptsetup lvm2
Edit the GRUB config. Ubuntu uses GRUB2, so we edit /boot/grub/grub.cfg. Find the menuentry "Ubuntu, Linux 2.6.31-14-server" and just below it change
linux /vmlinuz-2.6.31-14-server root=UUID=9a651089-88fa-46d6-b547-38d3e10d4e67 ro quiet splash
to
linux /vmlinuz-2.6.31-14-server root=/dev/mapper/vg-root ro quiet splash
Edit /etc/fstab
proc /proc proc defaults 0 0
UUID=eb7f5e37-b957-43dd-8af6-3c8983670df5 /boot ext2 defaults 0 2
/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
/dev/mapper/vg-data /home xfs defaults 0 1
/dev/mapper/vg-swap none swap sw 0 0
For /boot, we specify the device as the UUID of the second partition of the flash drive (take it from the file on the flash drive or look it up again in the system); this is necessary so that the system always mounts the correct partition regardless of how many flash drives / disks are connected.
Edit /etc/crypttab
drivespace UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b /boot/mykey luks,cipher=aes-cbc-essiv:sha256
Here we specify the UUID of our encrypted drive (look it up in the file on the flash drive).
C) Change initrd
Preparing initrd to work with encryption and LVM. In the file /etc/initramfs-tools/modules add:
dm_mod
dm_crypt
sha256
aes_generic
Create the file /etc/initramfs-tools/hooks/cryptokeys with the following script:
#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi
. /usr/share/initramfs-tools/hook-functions
# copy the key file into the initrd image and include the cryptsetup binary
mkdir -p ${DESTDIR}/etc/console
cp /boot/mykey ${DESTDIR}/etc/console
copy_exec /sbin/cryptsetup /sbin
It copies our key file into an unusual place inside the initrd image, so that the flash drive does not have to be mounted again at boot. Create the file /etc/initramfs-tools/scripts/local-top/cryptokeys with the script:
#!/bin/sh
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac
# load the modules needed for dm-crypt with AES and SHA-256
modprobe -b dm_crypt
modprobe -b aes_generic
modprobe -b sha256
# unlock the drive with the key copied into the initrd; the loop allows retries when a passphrase is used instead
while ! /sbin/cryptsetup --key-file /etc/console/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace; do
    echo "Try again..."
done
It is executed during the initrd boot process, loads the necessary kernel modules, and tries to open our encrypted drive with UUID 090d14c1-e3c8-48e7-b123-6d9b8b2e502b. (The loop is there for the case of a passphrase instead of a key file.) Enter here the UUID of your own encrypted drive.
Now we execute:
sudo chmod +x /etc/initramfs-tools/hooks/cryptokeys
sudo chmod +x /etc/initramfs-tools/scripts/local-top/cryptokeys
sudo update-initramfs -u -k all
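A pre-reboot sanity check for the files edited in STEP 2, added here as an example (not code from the original article): it reads crypttab, the local-top script, the hook and fstab (the paths are assumed to be passed as arguments, and the sample files it writes are constructed) and reports a UUID or key-path mismatch that would leave the initrd unable to unlock the drive, as well as any /dev/mapper device in fstab that no logical volume provides.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-reboot consistency check
# for the hand-edited STEP 2 files. A UUID that differs between /etc/crypttab and
# the local-top script, or a key path the hook does not copy, means the initrd
# never unlocks the disk. The sample files written by write_samples are constructed.

# crypttab_field CRYPTTAB NAME N: field N of the crypttab line for mapping NAME
crypttab_field() { awk -v n="$2" -v f="$3" '$1 == n { print $f }' "$1"; }

# localtop_uuid SCRIPT: the UUID the local-top script passes to luksOpen
localtop_uuid() {
    sed -n 's#.*luksOpen /dev/disk/by-uuid/\([0-9a-fA-F-]*\) .*#\1#p' "$1"
}

# hook_keyfile HOOK: the key file the initramfs hook copies into the image
hook_keyfile() { awk '$1 == "cp" { print $2 }' "$1"; }

# missing_mappers FSTAB LVLIST: /dev/mapper devices in fstab that are not in LVLIST
missing_mappers() {
    awk '!/^#/ && $1 ~ /^\/dev\/mapper\// { print $1 }' "$1" |
        while read -r dev; do grep -qx "$dev" "$2" || echo "$dev"; done
}

# check_config CRYPTTAB LOCALTOP HOOK FSTAB LVLIST: returns 0 if consistent, 1 otherwise
check_config() {
    name=drivespace rc=0
    ct_uuid=$(crypttab_field "$1" "$name" 2 | sed 's/^UUID=//')
    [ -n "$ct_uuid" ] || { echo "no crypttab entry for $name"; return 1; }
    lt_uuid=$(localtop_uuid "$2")
    [ "$ct_uuid" = "$lt_uuid" ] ||
        { echo "UUID mismatch: crypttab=$ct_uuid local-top=$lt_uuid"; rc=1; }
    ct_key=$(crypttab_field "$1" "$name" 3)
    [ "$ct_key" = "$(hook_keyfile "$3")" ] ||
        { echo "hook copies '$(hook_keyfile "$3")' but crypttab expects '$ct_key'"; rc=1; }
    for m in $(missing_mappers "$4" "$5"); do echo "fstab device $m has no LV"; rc=1; done
    return $rc
}

# write_samples DIR GOOD: constructed STEP 2 files plus an LV list; GOOD=0 injects a vg-home typo
write_samples() {
    u=090d14c1-e3c8-48e7-b123-6d9b8b2e502b
    echo "drivespace UUID=$u /boot/mykey luks,cipher=aes-cbc-essiv:sha256" > "$1/crypttab"
    echo "while ! /sbin/cryptsetup --key-file /etc/console/mykey luksOpen /dev/disk/by-uuid/$u drivespace; do" > "$1/local-top"
    echo 'cp /boot/mykey ${DESTDIR}/etc/console' > "$1/hook"
    home=vg-data; [ "$2" = 1 ] || home=vg-home
    printf '%s\n' "UUID=eb7f5e37-b957-43dd-8af6-3c8983670df5 /boot ext2 defaults 0 2" \
        "/dev/mapper/vg-root / ext4 errors=remount-ro 0 1" \
        "/dev/mapper/$home /home xfs defaults 0 1" "/dev/mapper/vg-swap none swap sw 0 0" > "$1/fstab"
    printf '%s\n' /dev/mapper/vg-swap /dev/mapper/vg-root /dev/mapper/vg-data > "$1/lvs"
}

# Demo on the constructed files: exit status 0 means the set is consistent
d=$(mktemp -d) && write_samples "$d" 1
check_config "$d/crypttab" "$d/local-top" "$d/hook" "$d/fstab" "$d/lvs" && echo "config consistent"
rm -rf "$d"
```

On a real system, run it as check_config /etc/crypttab /etc/initramfs-tools/scripts/local-top/cryptokeys /etc/initramfs-tools/hooks/cryptokeys /etc/fstab with a file listing the output of ls /dev/mapper/vg-* as the last argument.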
D) Packing system for transfer
We mount the partition holding the root filesystem into a separate folder and pack it onto the first partition of the flash drive:
mkdir /mnt/root && mount /dev/sda1 /mnt/root && cd /mnt/root
tar cjvf /mnt/flash/systembackup.tar.bz2 . # DO NOT MISS THE DOT AT THE END OF THE LINE
Now you can transfer the system.
STEP 3. System Transfer
Everything is simple: connect the flash drive with the backup, boot from the LiveCD, open the encrypted drive, install the LVM support package, mount the logical root volume (you may have to run vgscan and vgmknodes first so that the system sees the volumes), mount the flash drive and unpack the archive with the system.
sudo su
mkdir /mnt/flash
mount /dev/sdb1 /mnt/flash
cryptsetup --key-file /mnt/flash/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace
apt-get install lvm2
#vgscan && vgchange -a y && vgmknodes vg # run this if the system did not see the logical volumes
mkdir /mnt/root
mount /dev/mapper/vg-root /mnt/root
mkdir /mnt/root/home
mount /dev/mapper/vg-data /mnt/root/home
cp /mnt/flash/systembackup.tar.bz2 /mnt/root && cd /mnt/root # move the archive onto the drive to speed up extraction
tar xfvj systembackup.tar.bz2
Well, that's all: reboot the computer and boot from the flash drive. If everything was done correctly, after a few seconds you will see the message "Key slot 0 unlocked", which means your drive has been decrypted and attached, and after that the standard system boot proceeds.
Notes, Sources
In the case of a home computer, such a setup reliably protects your personal information and does not let anyone use the computer without your knowledge (without the flash drive). In the case of a server in an organization, if an inspection arrives, the flash drive is pulled out and reset is pressed, and for the experts you have a non-working / fresh computer. For a server at a hosting provider, I would complicate the scheme and store the key somewhere on the network: if the server is disconnected and taken away, it will not boot without Internet access (and you need to quickly revoke access to the key so that it does not boot at all).
If everything worked for you the first time, you can safely delete all the files from the first partition of the flash drive.
Be sure to make a copy of your key so as not to lose access to your data. It is also a good idea to add a second key in the form of a passphrase (how to do this can be found in the LUKS / cryptsetup documentation). Fault-tolerant storage based on RAID 1, 5 or 6 also won't hurt when storing valuable information.
When setting up this entire system, I first modeled it on a virtual machine and only then transferred it to a real computer. I would also very much like to hear the opinion of lawyers (preferably from Ukraine) on whether guilt in distributing pirated content can be proven if the experts cannot get at the information (which is impossible without the key) but find that the drive is encrypted.
LUKS Wikipedia
LVM
EncryptedFilesystemHowto5 - the most useful of the articles I found; almost everything was done following it.
UPD: Corrected the drive encryption command. Thanks, ITpower.