krstfvndm
/
blog
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
464 KiB
 
 
 
Tree: a81c619b3f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a81c619b3f'
${ noResults }
blog/public/administration/luks-encryption/index.html

442 lines
18 KiB
Raw Blame History

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en-us">
<head>
<title>
Luks Encryption // Hagfi.sh
</title>
<link href="http://gmpg.org/xfn/11" rel="profile">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1">
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="Kristof Vandam">
<meta name="generator" content="Hugo 0.92.0" />
<meta property="og:title" content="Luks Encryption" />
<meta property="og:description" content="" />
<meta property="og:type" content="website" />
<meta property="og:locale" content="en_US" />
<meta property="og:url" content="https://blog.hagfi.sh/administration/luks-encryption/" />
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/pure/0.5.0/base-min.css">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/pure/0.5.0/pure-min.css">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/pure/0.5.0/grids-responsive-min.css">
<link rel="stylesheet" href="https://blog.hagfi.sh//css/redlounge.css">
<link rel="stylesheet" href="https://blog.hagfi.sh//css/prism.css">
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css" rel="stylesheet">
<link href='//fonts.googleapis.com/css?family=Raleway:400,200,100,700,300,500,600,800' rel='stylesheet' type='text/css'>
<link href='//fonts.googleapis.com/css?family=Libre+Baskerville:400,700,400italic' rel='stylesheet' type='text/css'>
<link rel="apple-touch-icon-precomposed" sizes="144x144" href="/touch-icon-144-precomposed.png">
<link rel="shortcut icon" type="image/x-icon" href="/img/favicon.png">
<link href="" rel="alternate" type="application/rss+xml" title="Hagfi.sh" />
<script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/vue/2.5.17/vue.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/axios/0.18.0/axios.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/fuse.js/3.2.1/fuse.min.js"></script>
<script src="//cdn.jsdelivr.net/npm/vuewordcloud@18.7.11/VueWordCloud.js"></script>
<script src="https://blog.hagfi.sh//js/prism.js"></script>
<script type="application/javascript">
var doNotTrack = false;
if (!doNotTrack) {
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-124890410-1', 'auto');
ga('send', 'pageview');
}
</script>
</head>
<body>
<div id="layout" class="pure-g">
<div class="sidebar pure-u-1 pure-u-md-1-4" id="app">
<div class="header">
<h1 class="brand-title"><a href="/">Hagfi.sh</a></h1>
<h2 class="brand-tagline">A devops guide to the galaxy</h2>
<div class="counters">
<a class="counter" href="/">13
<div class="counter-sub">Documents</div>
</a>
<a class="counter" href="/tags">29
<div class="counter-sub">Tags</div>
</a>
<a class="counter" href="/categories">3
<div class="counter-sub">Categories</div>
</a>
</div>
<nav class="nav">
</nav>
<div class="search-wrapper">
<input
type="text"
placeholder="Search ..."
v-model="search"
@keydown.down.prevent="navigate(1)"
@keydown.up.prevent="navigate(-1)"
@keyup.enter.prevent="navigate(result[selected].href)"
ref="searchInput"
class="search"
/>
<svg height="100" width="100" ref="resultPoint" class="result-point">
<circle cx="5" cy="5" r="5" fill="#FFF" />
</svg>
<ul class="result-items">
<li v-for="r, i of result" class="result-item" ref="resultItem">
<div class="result-item-wrapper" :class="{ 'result-item-selected': selected === i }">
<div class="result-item-left">
<span class="post-date">
<span class="post-date-day"><sup v-text="moment(r.date).format('D')"></sup></span><span class="post-date-separator" v-text="'/'"></span><span class="post-date-month" v-text="moment(r.date).format('MMM')"></span> <span class="post-date-year" v-text="moment(r.date).format('YYYY')"></span>
</span>
<template v-if="r.author">By <a class="post-author" v-text="r.author"></a></template>
</div>
<div class="result-item-left">
<span class="result-item-separator nav-item-separator" v-text="'//'"></span><a :href="r.href" v-text="r.title" class="result-item-link"></a>
</div>
</div>
</li>
</ul>
</div>
</div>
</div>
<div class="content pure-u-1 pure-u-md-3-4">
<a name="top"></a>
<div id="toc" class="pure-u-1 pure-u-md-1-4">
<small class="toc-label">Contents</small>
<nav id="TableOfContents">
<ul>
<li><a href="#add-a-new-disk-lvm">Add a new disk (LVM)</a></li>
<li><a href="#create-a-logical-volume-lvm">Create a logical volume (LVM)</a></li>
<li><a href="#encrypt-the-partition">Encrypt the partition</a></li>
<li><a href="#create-a-mountpoint">Create a mountpoint</a></li>
<li><a href="#create-a-key-to-auto-mount-the-encrypted-disk">Create a key (to auto-mount the encrypted disk)</a></li>
<li><a href="#unmount-and-add-the-key">Unmount and add the key</a></li>
<li><a href="#get-uuid">Get UUID</a></li>
<li><a href="#auto-mount-luks-edit-etccrypttab">Auto-mount LUKS (edit /etc/crypttab)</a></li>
<li><a href="#auto-mount-luks-edit-etccypttab">Auto-mount LUKS (edit /etc/cypttab)</a></li>
<li><a href="#check-your-work">Check your work</a></li>
</ul>
</nav>
</div>
<section class="post">
<h1 class="post-title">
<a href="/administration/luks-encryption/">Luks Encryption</a>
</h1>
<h3 class="post-subtitle">
</h3>
<span class="post-date">
<span class="post-date-day"><sup>23</sup></span><span class="post-date-separator">/</span><span class="post-date-month">Aug</span> <span class="post-date-year">2018</span>
</span>
<span class="post-author-single">By <a class="post-author" target="">Kristof Vandam</a></span>
<div class="post-categories">
<a class="post-category post-category-administration" href="https://blog.hagfi.sh//categories/administration">administration</a>
</div>
<p>Create an encrypted partition that will automatically mount at boot.</p>
<p>Sometimes it&rsquo;s nice to have encryption, sometimes it&rsquo;s mandatory, either way, there are a couple of thing you should take
in mind. Most solutions you find are at disk level but these have some pro&rsquo;s and con&rsquo;s.</p>
<table>
<thead>
<tr>
<th>PRO&rsquo;s</th>
<th>CON&rsquo;s</th>
</tr>
</thead>
<tbody>
<tr>
<td>Every application can work with it</td>
<td>Data is only secured from physical theft</td>
</tr>
<tr>
<td>No extra development required</td>
<td>Can cause some overhead, as everything goes through encryption/decryption, everything</td>
</tr>
</tbody>
</table>
<p>There are also a couple of choisen you can make implementing LUKS, you could create a LVM layer on top of a LUKS partition or, what
we are doing in this guide, add a LUKS encrypted mount on top of a LVM stack. The latter allows you to automatically mount
the encrypted disk after or at boot time.</p>
<h2 id="add-a-new-disk-lvm">Add a new disk (LVM)</h2>
<p>This is unrelated to encrypting the disk, but in our setup we started by adding a new disk to the server.</p>
<p>The commands below are just some I often use as a group. From lines 1 to 3 you can just copy/paste. Line 1 makes sure a rescan
is triggered to detect the newly added disk. 2 &amp; 3 create some variables, which can be checked and used later. Make sure the output
of these are what you expected. You can echo them as shown on 4 &amp; 5.</p>
<p>Create a Physical Volume and extend the Volume Group &lsquo;centos&rsquo;</p>
<pre tabindex="0"><code class="language-.language-command.line-numbers" data-lang=".language-command.line-numbers">root@server:/dev/centos # for i in /sys/class/scsi_host/host*; do echo &quot;- - -&quot; &gt; $i/scan; done
root@server:/dev/centos # NEWDISK=$(dmesg|tail|grep 'Attached'|awk '{print $4}'|tail -n1|cut -d &quot;[&quot; -f2|cut -d &quot;]&quot; -f1)
root@server:/dev/centos # VGROUP=$(vgdisplay|grep Name|head -n1|awk '{print $3}')
root@server:/dev/centos # echo ${NEWDISK}
sdd
root@server:/dev/centos # echo ${VGROUP}
centos
root@server:/dev/centos # pvcreate /dev/${NEWDISK}
Physical volume &quot;/dev/sdd&quot; successfully created.
root@server:/dev/centos # vgextend ${VGROUP} /dev/${NEWDISK}
Volume group &quot;centos&quot; successfully extended
</code></pre><h2 id="create-a-logical-volume-lvm">Create a logical volume (LVM)</h2>
<p>Add a Logical Volume named &lsquo;encrypted&rsquo; to the Volume Group &lsquo;centos&rsquo;.</p>
<pre tabindex="0"><code class="language-.language-command" data-lang=".language-command">root@server:/dev/centos # lvcreate -L 15G -n encrypted centos
Logical volume &quot;encrypted&quot; created.
</code></pre><h2 id="encrypt-the-partition">Encrypt the partition</h2>
<p>Ok, the fun parts starts here (<strong>CAUTION</strong> before continueing make sure there is no important data on <em>/dev/centos/encrypted</em>, this will be wiped). We encrypt the Logical Volume with the first command. A passphrase is required (see it as a backup)
LUKS can contain up to 5 different passwords. In a future section we add a second, more complex, password to use as key on boot.
Hold tight.</p>
<p>After the first command (the actual formatting of the partition) we need to &lsquo;open&rsquo; the partition. By opening we mean creating a new disk, but you
should notice there is a password required to do so. Use the password you just created.</p>
<pre tabindex="0"><code class="language-.language-command" data-lang=".language-command">root@server:/dev/centos # cryptsetup -v --verify-passphrase luksFormat /dev/centos/encrypted
root@server:/dev/mapper # cryptsetup luksOpen /dev/centos/encrypted luks-encrypted
</code></pre><h2 id="create-a-mountpoint">Create a mountpoint</h2>
<p>Before you can use the encrypted partition you should mount it. Do it like you always do it. Create a directory to mount to and mount <em>/dev/mapper/luks-encrypted</em> with <em>mount</em>.</p>
<pre tabindex="0"><code class="language-.language-command" data-lang=".language-command">root@server:/dev/mapper # mkdir /encrypted
root@server:/dev/mapper # mount /dev/mapper/luks-encrypted /encrypted
</code></pre><p>From here on you are actually done, if you want to type password manually on every boot. I highly doubt you want that so lets go on.
(It is ofourse more safe to do so).</p>
<h2 id="create-a-key-to-auto-mount-the-encrypted-disk">Create a key (to auto-mount the encrypted disk)</h2>
<p>Create a key-file we can add to <em>/etc/crypttab</em>, any random string will do, but we create it with <em>/dev/urandom</em>. Make sure to set some strict permissions.</p>
<pre tabindex="0"><code class="language-.language-command" data-lang=".language-command">root@server:/dev/mapper # dd if=/dev/urandom of=/root/lukskey bs=1024 count=4
root@server:/dev/mapper # chmod 0400 /root/lukskey
</code></pre><h2 id="unmount-and-add-the-key">Unmount and add the key</h2>
<p>Add the key you just created to make it valid for LUKS, but first unmount the mount and close the vault.</p>
<pre tabindex="0"><code class="language-.language-command" data-lang=".language-command">root@server:/ # umount /encrypted
root@server:/ # cryptsetup luksClose luks-encrypted
root@server:/ # cryptsetup luksAddKey /dev/mapper/centos-encrypted /root/lukskey
</code></pre><h2 id="get-uuid">Get UUID</h2>
<p>Get the UUID of the disk, using the UUID to mount disk is a more solid solution than using the disknames (/dev/sd*). These disknames <strong>CAN</strong> change, the UUID cannot.</p>
<pre tabindex="0"><code class="language-.lang-command" data-lang=".lang-command">root@server:/ # blkid /dev/mapper/centos-encrypted
/dev/mapper/centos-encrypted: UUID=&quot;0dab9a5c-1870-478d-8d74-226eeb512f78&quot; TYPE=&quot;crypto_LUKS&quot;
</code></pre><h2 id="auto-mount-luks-edit-etccrypttab">Auto-mount LUKS (edit /etc/crypttab)</h2>
<p>Add a entry to the <em>/etc/crypttab</em>, see it as the <em>/etc/fstab</em> file. Just as fstab crypttab will automount the defined entries.</p>
<pre tabindex="0"><code class="language-.language-command" data-lang=".language-command">root@server:/ # blkid /dev/mapper/centos-encrypted
/dev/mapper/centos-encrypted: UUID=&quot;0dab9a5c-1870-478d-8d74-226eeb512f78&quot; TYPE=&quot;crypto_LUKS&quot;
</code></pre><h2 id="auto-mount-luks-edit-etccypttab">Auto-mount LUKS (edit /etc/cypttab)</h2>
<pre tabindex="0"><code class="language-.language-bash" data-lang=".language-bash">luks-encrypted /dev/disk/by-uuid/0dab9a5c-1870-478d-8d74-226eeb512f78 /root/lukskey luks
</code></pre><h2 id="check-your-work">Check your work</h2>
<p>Congrats, this should be it, reboot and make sure the disk is mounted automatically.</p>
<div class="tags-list">
<span class="dark-red">Tags</span><span class="decorative-marker">//</span>
<a class="post-tag post-tag-encryption" href="https://blog.hagfi.sh//tags/encryption">encryption</a>,
<a class="post-tag post-tag-security" href="https://blog.hagfi.sh//tags/security">security</a>,
<a class="post-tag post-tag-disk" href="https://blog.hagfi.sh//tags/disk">disk</a>,
<a class="post-tag post-tag-partition" href="https://blog.hagfi.sh//tags/partition">partition</a>,
</div>
<div class="paging">
<span class="paging-label">More Reading</span>
<div class="paging-newer">
<span class="dark-red">Newer</span><span class="decorative-marker">//</span>
<a class="paging-link" href="/index.json"></a>
</div>
<div class="paging-older">
<span class="dark-red">Older</span><span class="decorative-marker">//</span>
<a class="paging-link" href="/administration/windows_troubleshooting/">Windows troubleshooting</a>
</div>
</div>
</section>
<div id="disqus_thread"></div>
<script type="application/javascript">
var disqus_config = function () {
};
(function() {
if (["localhost", "127.0.0.1"].indexOf(window.location.hostname) != -1) {
document.getElementById('disqus_thread').innerHTML = 'Disqus comments not available by default when the website is previewed locally.';
return;
}
var d = document, s = d.createElement('script'); s.async = true;
s.src = '//' + "hagfish" + '.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
<a href="https://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
<div class="footer">
<hr class="thin" />
<div class="pure-menu pure-menu-horizontal pure-menu-open">
<ul class="footer-menu">
</ul>
</div>
<p>&copy; 2022. All rights reserved.</p>
</div>
</div>
</div>
<script>
var app = new Vue({
el: '#app',
data: {
fuse: null,
search: "",
result: [],
index: [],
selected: 0
},
mounted() {
let self = this
window.addEventListener("keypress", function(e) {
self.$refs.searchInput.focus()
})
let options = {
shouldSort: true,
threshold: 0.6,
location: 0,
distance: 100,
maxPatternLength: 32,
minMatchCharLength: 1,
keys: [
"title",
"author",
"date",
"content"
]
}
axios.get('/index.json')
.then(function (response) {
self.index = response.data
self.fuse = new Fuse(response.data, options)
})
.catch(function (error) {
})
},
watch: {
result(nval, oval) {
nval.length > 0 ? this.pointer(0) : this.pointer(-1)
},
search(nval, oval) {
this.result = this.fuse.search(nval)
}
},
methods: {
navigate(val) {
switch (val) {
case 1: if (this.selected < this.result.length - 1) { this.selected++ }; break;
case -1: if (this.selected > 0 ) { this.selected-- }; break;
default: window.location.href = val; break;
}
this.pointer(this.selected)
},
pointer(selected) {
let self = this
if (selected >= 0) {
Vue.nextTick().then(function() {
let height = self.$refs.resultItem[selected].clientHeight
let top = self.$refs.resultItem[selected].getBoundingClientRect().top
let left = self.$refs.resultItem[selected].getBoundingClientRect().left
self.$refs.resultPoint.style.top = (top+height/2)+'px'
self.$refs.resultPoint.style.left = (left-20)+'px'
})
} else {
this.$refs.resultPoint.style.left = '-50px'
return
}
}
}
})
</script>
</body>
</html>