
Ubuntu 9.10. Encrypted root FS, unlocking via SSH

For the last couple of years I have been encrypting all the data on my computers. The OS I use is Ubuntu. For several years, from 2000 to 2005, I installed Debian, but I got somewhat tired of waiting for releases that came out every few years. I moved to Ubuntu.

I found the following layout the most convenient. The disk is divided into two primary partitions: the first, 1 GB in size, for /boot; the second, all the remaining disk space, is a LUKS-encrypted container used as an LVM physical volume (PV). The root file system lives on a logical volume (LV) in the volume group (VG) to which that encrypted PV belongs.

How to put Ubuntu on encrypted LVM I will describe a little later, in the next post. There is an article on the LinuxMint forum, installing Mint on LVM; in principle that article is sufficient. Ubuntu Server is installed in the same way.
What is written here applies only to Ubuntu 9.10 Karmic Koala and its derivatives, LinuxMint 8 for example. About other OSes I do not know. In previous versions of Ubuntu I used the dropbear script that I linked to earlier. In Karmic that script does not work.

To boot, the root file system has to be unlocked, which means a passphrase has to be typed in by hand. If the computer is hard to reach (it is in a data center, or has no monitor attached), you can arrange for an SSH server to start in the initramfs environment, before the root is mounted. The SSH server is Dropbear: it is easier to include in the initramfs than OpenSSH. Once the encrypted volume has been opened, dropbear is killed, and later in the boot process OpenSSH starts as usual.

From this point on we assume that the system is already installed and working, the encrypted file system can be opened from the console, and the OpenSSH server is installed.
The host name is host22, the IP is 10.11.0.22/24, the gateway is 10.11.0.1.
The contents of /etc/crypttab look like this:

  host22_pv /dev/disk/by-uuid/94d85942-2089-4287-9b64-f436b50637cd none luks

Install Dropbear: apt-get install dropbear. The package ships hooks for initramfs-tools, and during package configuration it runs update-initramfs itself. After a reboot, dropbear starts at the initramfs stage. All good, but... the settings still want a little work by hand.

When it is installed, Dropbear generates new server keys; and the first time update-initramfs runs, its hook generates yet another set of keys for the initramfs. If OpenSSH is the system's SSH server, it makes sense to use its keys, converting them to the Dropbear format, so that the initramfs stage presents the same host key the client already knows and there is no host-key mismatch warning between the two stages. Keep in mind that the initramfs sits on the unencrypted /boot partition, so any host key placed in it, the system's main OpenSSH key included if you reuse it, is readable by anyone who gets hold of the disk:

  /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
  /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key

These keys can be used by the Dropbear server if you want to use it instead of OpenSSH.

For the same keys to be included in the initramfs, they must be copied to /etc/initramfs-tools/etc/dropbear/:

  cp -a /etc/dropbear/dropbear_rsa_host_key /etc/initramfs-tools/etc/dropbear/
  cp -a /etc/dropbear/dropbear_dss_host_key /etc/initramfs-tools/etc/dropbear/

Also, the first time update-initramfs runs, the Dropbear hook generates a user key pair and puts it in /etc/initramfs-tools/root/.ssh. On every subsequent run of update-initramfs, the public key id_rsa.pub from that directory is copied into root's authorized_keys (inside the initramfs only, of course). It is better to use the authorized_keys that is already in use on the system, so the same people who can log in as root over OpenSSH can unlock the disk; only public keys end up in the image:

  cp -a /root/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/id_rsa.pub

After that, you can update the initramfs:

  update-initramfs -u -k "$(uname -r)"

Now the network interface has to be configured for the initramfs. This is done through the kernel command line passed by the GRUB bootloader, by adding the ip= parameter. The parameter is described in the kernel source documentation, in Documentation/filesystems/nfsroot.txt (Documentation/nfsroot.txt in earlier versions).

Edit the file /etc/default/grub. It is an ordinary shell script: it is sourced by /usr/sbin/grub-mkconfig, which is called from update-grub.

Add the following to the value of the variable GRUB_CMDLINE_LINUX_DEFAULT:

  ip=10.11.0.22::10.11.0.1:255.255.255.0:host22:eth0:off

The fields are client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf. server-ip is only meaningful for an NFS root and is left empty here; off in the last field disables autoconfiguration, otherwise the initramfs would try to obtain an address by DHCP/BOOTP. Note that GRUB_CMDLINE_LINUX_DEFAULT is applied only to the normal menu entries; if the recovery-mode entry should also be reachable over SSH, put the parameter into GRUB_CMDLINE_LINUX instead.

This is what the config looks like (I moved the ip= parameter into a separate variable; since the file is sourced by the shell, there must be no spaces around the = signs):

  # [skip]
  GRUB_CMDLINE_LINUX_IP="ip=10.11.0.22::10.11.0.1:255.255.255.0:host22:eth0:off"
  GRUB_CMDLINE_LINUX_DEFAULT="quiet splash ipv6.disable=1 ${GRUB_CMDLINE_LINUX_IP}"
  # [skip]

After editing the config, you need to run update-grub .
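A typo in the ip= line is the kind of mistake you only discover after rebooting a machine nobody can walk up to, so it is worth checking the parameter before running update-grub. The script below is an added example, not code from the original post: it decodes the seven colon-separated fields of an ip= parameter, validates the addresses, confirms that the gateway is on the client's own subnet and that autoconfiguration is switched off. The function names and the strict dotted-quad rule (no leading zeros) are the editor's own choices.

```sh
#!/bin/sh
# Decode and sanity-check a kernel ip= parameter of the form
#   ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
# before it goes into /etc/default/grub. Added example, not from the original
# post; function names and validation rules are the editor's assumptions.

# field N STRING: the N-th colon-separated field of STRING (empty if absent)
field() {
  printf '%s\n' "$2" | cut -d: -f"$1"
}

# is_ipv4 ADDR: true for a strict dotted quad (four octets 0-255, no leading zeros)
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*) return 1 ;; esac   # "010" would be read as octal below
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ip2int ADDR: dotted quad as a 32-bit integer, for netmask arithmetic
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B MASK: true if A and B are in the network described by MASK
same_subnet() {
  a=$(ip2int "$1"); b=$(ip2int "$2"); m=$(ip2int "$3")
  [ $(( a & m )) -eq $(( b & m )) ]
}

# check_ip_param 'ip=...': print the decoded fields on stdout, complain on
# stderr and return 1 if the parameter would not give a working static setup.
check_ip_param() {
  p=${1#ip=}
  n=$(( $(printf '%s' "$p" | tr -cd ':' | wc -c) ))
  if [ "$n" -ne 6 ]; then
    echo "expected 7 colon-separated fields, found $((n + 1))" >&2
    return 1
  fi
  client=$(field 1 "$p"); server=$(field 2 "$p"); gw=$(field 3 "$p")
  mask=$(field 4 "$p");   host=$(field 5 "$p");   dev=$(field 6 "$p")
  auto=$(field 7 "$p")
  rc=0
  is_ipv4 "$client" || { echo "client-ip '$client' is not an IPv4 address" >&2; rc=1; }
  is_ipv4 "$gw"     || { echo "gw-ip '$gw' is not an IPv4 address" >&2; rc=1; }
  is_ipv4 "$mask"   || { echo "netmask '$mask' is not an IPv4 address" >&2; rc=1; }
  # server-ip only matters for an NFS root; it may be left empty
  [ -z "$server" ] || is_ipv4 "$server" || { echo "server-ip '$server' is not an IPv4 address" >&2; rc=1; }
  [ -n "$host" ] || { echo "hostname is empty" >&2; rc=1; }
  [ -n "$dev" ]  || { echo "device is empty (e.g. eth0)" >&2; rc=1; }
  case "$auto" in
    off|none) ;;
    *) echo "autoconf is '$auto'; anything but off/none makes the initramfs try DHCP/BOOTP" >&2; rc=1 ;;
  esac
  # a gateway outside the client's own subnet is unreachable with a static setup
  if [ $rc -eq 0 ] && ! same_subnet "$client" "$gw" "$mask"; then
    echo "gateway $gw is not in $client/$mask" >&2
    rc=1
  fi
  printf 'client=%s\nserver=%s\ngateway=%s\nnetmask=%s\nhostname=%s\ndevice=%s\nautoconf=%s\n' \
    "$client" "$server" "$gw" "$mask" "$host" "$dev" "$auto"
  return $rc
}

# The value used in this post:
check_ip_param 'ip=10.11.0.22::10.11.0.1:255.255.255.0:host22:eth0:off'
```

Run it on the exact string you intend to put into GRUB_CMDLINE_LINUX_IP; a non-zero exit status means do not reboot yet.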

That is almost all. After the reboot, dropbear will be listening on 10.11.0.22, presenting the same host key the client already knows from OpenSSH. You can log in via SSH as root and open the volume by hand:

  /sbin/cryptsetup luksOpen \
    /dev/disk/by-uuid/94d85942-2089-4287-9b64-f436b50637cd host22_pv

Opening the volume is not enough. The cryptroot script, still running on the console as /scripts/local-top/cryptroot and waiting for a passphrase, has to be killed:

  /sbin/pkill -f "/bin/sh /scripts/local-top/cryptroot"

Once it is gone, the root file system is mounted and the boot proceeds.

For convenience, the two steps, opening the volume and killing the process that is no longer needed, can be put into a script. To do this, create the hook /etc/initramfs-tools/hooks/unlockpv with the following code (it runs when the image is built and writes /sbin/unlockpv into the image):

  #!/bin/sh

  UNLOCK_SRC='/dev/disk/by-uuid/94d85942-2089-4287-9b64-f436b50637cd'
  UNLOCK_DST='host22_pv'

  PREREQ=""
  prereqs()
  {
    echo "$PREREQ"
  }

  case $1 in
  prereqs)
    prereqs
    exit 0
    ;;
  esac

  # From here on we are running at image build time; the heredoc writes
  # /sbin/unlockpv into the image being assembled under ${DESTDIR}.
  # $UNLOCK_SRC and $UNLOCK_DST are expanded now, so the generated script
  # carries the literal device path and mapping name.
  cat >${DESTDIR}/sbin/unlockpv <<EOF
  #!/bin/sh

  # Open the LUKS container (cryptsetup prompts for the passphrase on the
  # SSH session's terminal). On failure leave cryptroot and dropbear alone,
  # so the attempt can simply be repeated.
  if ! /sbin/cryptsetup luksOpen $UNLOCK_SRC $UNLOCK_DST; then
    echo "luksOpen failed; cryptroot and dropbear left running" >&2
    exit 1
  fi

  # Kill the cryptroot script still waiting for a passphrase on the console;
  # the boot then continues with the now-open volume. Dropbear goes last,
  # since killing it ends this SSH session too.
  /sbin/pkill -f "/bin/sh /scripts/local-top/cryptroot"
  /sbin/pkill dropbear
  EOF

  chmod 0700 ${DESTDIR}/sbin/unlockpv

After saving the hook, make it executable (chmod +x /etc/initramfs-tools/hooks/unlockpv; initramfs-tools only runs hooks that are) and update the initramfs (-u updates the existing image for the running kernel; -c refuses to overwrite one that already exists):

  update-initramfs -u -k "$(uname -r)"

Now, to open the volume, it is enough to log in over SSH and run /sbin/unlockpv.
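Before rebooting it is worth confirming that the image really contains everything the remote unlock relies on: dropbear, the converted host keys, the authorized_keys, cryptsetup, the cryptroot script and the new /sbin/unlockpv. The script below is an added example, not part of the original post: it lists the image with zcat and cpio -t and compares the listing against a list of required paths. The path list and the function names are the editor's assumptions about what the Karmic cryptsetup and dropbear hooks install; the script also complains if a private user key (root/.ssh/id_rsa) has ended up in the image, since the initramfs lives on the unencrypted /boot partition.

```sh
#!/bin/sh
# Check that a built initramfs contains the pieces the remote unlock depends
# on, before rebooting a machine nobody can walk up to.
# Added example, not part of the original post. The function names and the
# REQUIRED/FORBIDDEN lists are the editor's assumptions about what the Karmic
# dropbear and cryptsetup hooks put into the image.

REQUIRED='sbin/dropbear
sbin/cryptsetup
sbin/unlockpv
etc/dropbear/dropbear_rsa_host_key
etc/dropbear/dropbear_dss_host_key
root/.ssh/authorized_keys
scripts/local-top/cryptroot'

# Private keys have no business in an image that sits on unencrypted /boot.
FORBIDDEN='root/.ssh/id_rsa
root/.ssh/id_dsa'

# check_initrd_listing: reads a `cpio -t` listing on stdin, reports what is
# missing (or present but forbidden) on stderr, returns 1 if anything is wrong.
check_initrd_listing() {
  # cpio may print entries as ./sbin/dropbear or /sbin/dropbear; normalise
  listing=$(sed -e 's,^\./,,' -e 's,^/,,')
  rc=0
  for f in $REQUIRED; do
    printf '%s\n' "$listing" | grep -qxF "$f" || { echo "missing: $f" >&2; rc=1; }
  done
  for f in $FORBIDDEN; do
    if printf '%s\n' "$listing" | grep -qxF "$f"; then
      echo "private key inside initramfs: $f" >&2
      rc=1
    fi
  done
  [ $rc -eq 0 ] && echo "initramfs looks complete"
  return $rc
}

# check_initrd IMAGE: the same check on a real image, e.g.
#   check_initrd /boot/initrd.img-$(uname -r)
check_initrd() {
  zcat "$1" | cpio -t 2>/dev/null | check_initrd_listing
}
```

A non-zero exit means the hook did not run or a copy step was skipped; fix it and rerun update-initramfs rather than finding out at the next boot.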

Update 02/24/2010 23:50. The text of the script /etc/initramfs-tools/hooks/unlockpv was not quoted in full, possibly because I had not put the braces in the expression cat >${DESTDIR}/sbin/unlockpv <<EOF. Everything after it, the contents of /sbin/unlockpv, had been cut off. Corrected. I apologize for the inaccuracy.

Source: https://habr.com/ru/post/85359/

