
Linux Data Encryption

This article describes one of the options for encrypting data in Linux.



The article does not claim to be the ultimate truth and does not reveal anything new.

The idea is described and an example of its implementation is shown.

The main idea:

If the hardware is taken away (by thieves, say), whether the hard drive alone or the whole computer, there should be no way to get any information from it. That is, the attacker must learn nothing at all, so every storage medium must be fully encrypted.

Options with a bootable flash drive were rejected out of hand for ideological reasons: it is not always possible to pull the stick out quickly.

As a result, a scheme based on network boot was chosen.

Task:

Encrypt the data held on a Windows server.

Example of implementation:

1. Boot over the network (PXE + NFS).

2. Start sshd and wait for the encrypted partitions to be mounted.

3. Mount the encrypted partitions over ssh.

4. Start a VirtualBox virtual machine with Windows on board.

Initial data:

Network: 192.168.1.0/24

The main gateway: 192.168.1.1

DNS: 192.168.1.1

Remote boot server: 192.168.1.13 (boot server)

Server with encrypted data: 192.168.1.14 (the server being booted)



Everything described below will happen on a server with Debian Lenny preinstalled.



Install and configure a DHCP server for network boot.


netboot:~# apt-get install dhcp3-server

netboot:~# mcedit /etc/dhcp3/dhcpd.conf



option domain-name-servers 192.168.1.1;

default-lease-time 86400;

max-lease-time 604800;

authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {

range 192.168.1.20 192.168.1.60;

filename "pxelinux.0";

next-server 192.168.1.13;

option subnet-mask 255.255.255.0;

option broadcast-address 192.168.1.255;

option routers 192.168.1.1;

}




Next, install and configure the tftp server.



netboot:~# apt-get install tftpd-hpa

netboot:~# mcedit /etc/default/tftpd-hpa



RUN_DAEMON="yes"

OPTIONS="-l -s /opt/vcrypt/boot"




For network booting we need the pxelinux.0 file from the syslinux package.

Install syslinux and set up PXE.



netboot:~# apt-get install syslinux

netboot:~# mkdir -p /opt/vcrypt/boot

netboot:~# cp /usr/lib/syslinux/pxelinux.0 /opt/vcrypt/boot/

netboot:~# mkdir /opt/vcrypt/boot/pxelinux.cfg

netboot:~# touch /opt/vcrypt/boot/pxelinux.cfg/default

netboot:~# mcedit /opt/vcrypt/boot/pxelinux.cfg/default



DEFAULT vcrypt

TIMEOUT 30

PROMPT 1

LABEL vcrypt

KERNEL vmlinuz

APPEND root=/dev/nfs nfsroot=192.168.1.13:/opt/vcrypt/ initrd=initrd.img ip=192.168.1.14::192.168.1.1:255.255.255.0:




What this config does: by default the vcrypt entry is booted; it names the kernel and ramdisk to use and tells the kernel that the root filesystem lives on the remote NFS server (root=/dev/nfs, nfsroot=...), with the client's address, gateway and netmask given statically in ip= so the initrd does not have to run DHCP again.
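As an added example (my own code, not part of the original article), the following shell functions produce what is needed to tie network boot to a single machine, which the author leaves out of this write-up: the name of the per-client pxelinux config file derived from the client's MAC, and a dhcpd.conf with a host entry plus deny unknown-clients in place of the open address range shown above. The MAC 00:11:22:33:44:55 is a placeholder; the addresses are the ones used in this article.

```shell
#!/bin/sh
# Added example (not from the original article): helpers that restrict
# network boot to one known client. Placeholder MAC 00:11:22:33:44:55;
# the addresses are the article's (boot server 192.168.1.13, client 192.168.1.14).

# pxelinux looks for pxelinux.cfg/01-<mac> (01 = Ethernet ARP hardware type,
# MAC in lower-case hex with hyphens) before falling back to pxelinux.cfg/default.
pxelinux_cfg_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr ':' '-')"
}

# Six hex octets separated by colons, nothing else.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# dhcpd.conf that answers only the known client: a host entry with a fixed
# address instead of the open range, and deny unknown-clients so a stranger
# on the LAN is not handed the boot parameters at all.
dhcpd_host_stanza() {
    mac="$1"; ip="$2"; tftp="$3"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    cat <<EOF
option domain-name-servers 192.168.1.1;
default-lease-time 86400;
max-lease-time 604800;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    deny unknown-clients;
}

host cryptserv {
    hardware ethernet $mac;
    fixed-address $ip;
    next-server $tftp;
    filename "pxelinux.0";
}
EOF
}

# Usage: ./netboot_lock.sh 00:11:22:33:44:55 192.168.1.14 192.168.1.13
if [ $# -eq 3 ]; then
    dhcpd_host_stanza "$1" "$2" "$3"
    echo "# per-client pxelinux config: pxelinux.cfg/$(pxelinux_cfg_name "$1")"
fi
```

With this, the APPEND line carrying the fixed ip= can live in pxelinux.cfg/01-<mac> while pxelinux.cfg/default stays empty or points at local boot. It is hygiene rather than a security boundary: MAC addresses are trivially spoofed, so this keeps accidents and casual snooping away from the boot image, not a determined attacker on the same LAN.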



That is it for tftp and PXE; now install and configure the NFS server.



netboot:~# apt-get install nfs-kernel-server nfs-common portmap

netboot:~# mcedit /etc/exports



/opt/vcrypt 192.168.1.14(rw,no_root_squash,async,no_subtree_check)




This says which directory is exported and to whom. Note that NFS identifies the client only by its source IP address, and the export is rw with no_root_squash: anyone on the LAN who can take over or spoof 192.168.1.14 gets root-level write access to the whole boot image, including the sshd binary and host keys that the rest of this scheme relies on.



netboot:~# invoke-rc.d nfs-kernel-server reload



Reload the NFS server so that it picks up the new exports file.



Now it remains to install the system that will be booted remotely. The easiest option is the debootstrap utility.



netboot:~# apt-get install debootstrap



Installation is trivial: specify the architecture, the release, the target directory and the mirror (where to fetch the packages from).



netboot:~# debootstrap --arch i386 lenny /opt/vcrypt/ http://ftp.us.debian.org/debian




When debootstrap finishes, the system in /opt/vcrypt/ is almost ready for use.



Chroot into the newly installed system

netboot:~# LANG=C chroot /opt/vcrypt/ /bin/bash



Set the time zone, network and resolv.conf, set the hostname and update the apt cache



netboot:/# nano /etc/default/rcS



TMPTIME=0

SULOGIN=no

DELAYLOGIN=no

UTC=no

VERBOSE=no

FSCKFIX=no

RAMRUN=no

RAMLOCK=no



netboot:/# dpkg-reconfigure tzdata

netboot:/# nano /etc/network/interfaces



auto lo

iface lo inet loopback

auto eth0

iface eth0 inet static

address 192.168.1.14

netmask 255.255.255.0

gateway 192.168.1.1



netboot:/# nano /etc/resolv.conf



nameserver 192.168.1.1



netboot:/# echo cryptserv > /etc/hostname

netboot:/# apt-get update




Install and configure locales.

I chose only en_US.UTF8 and ru_RU.UTF8; to keep everything kosher, en_US.UTF8 is set as the default.



netboot:/# apt-get install locales

netboot:/# dpkg-reconfigure locales




Create a configuration file for kernel installation and install the kernel



netboot:/# touch /etc/kernel-img.conf

netboot:/# nano /etc/kernel-img.conf



do_symlinks = yes

relative_links = yes

do_bootloader = no

do_bootfloppy = no

do_initrd = yes

link_in_boot = no



netboot:/# apt-get install linux-image-2.6.26-2-686




Configure the initrd to boot over the network. Note that all of this is done inside the chroot.



netboot:/boot# nano /etc/initramfs-tools/initramfs.conf



MODULES=netboot

BUSYBOX=y

KEYMAP=n

BOOT=nfs

DEVICE=eth0

NFSROOT=auto




Delete the old initrd and generate a new one. It could also be deleted the plain peasant way:

rm /boot/initrd.img-`uname -r`

but I have disliked the rm command since childhood.

Note that uname -r inside the chroot reports the host's running kernel, not the kernel just installed in the chroot; this only works when the host runs the same version (2.6.26-2-686 here), otherwise pass that version to -k explicitly.



netboot:/# update-initramfs -v -c -k `uname -r` -d

netboot:/# update-initramfs -v -c -k `uname -r`




Create symbolic links to the kernel and ramdisk



netboot:/# cd /boot

netboot:/boot# ln -s vmlinuz-2.6.26-2-686 vmlinuz

netboot:/boot# ln -s initrd.img-2.6.26-2-686 initrd.img




Install cryptsetup (LUKS)



netboot:/# apt-get install cryptsetup hashalot



Set the root password and install the ssh server



netboot:/# passwd

netboot:/# apt-get install openssh-server




After the above, the remotely booted system is fully operational.



If the boot succeeds, you will have a working server with sshd running at 192.168.1.14.



Log in and set up the encryption:



h1g@h1g-laptop:~$ ssh -l root 192.168.1.14



Fill the disk with random data, so that the encrypted area cannot be told apart from unused space (and nobody can tell how much of the disk actually holds data). You can also check for bad blocks first, but that is up to you. This writes the entire disk and takes hours on a large drive.



cryptserv:~# dd if=/dev/urandom of=/dev/sda bs=1M



Create an encrypted partition (hard disk, media)



cryptserv:~# cryptsetup --verbose --verify-passphrase luksFormat /dev/sda



I hope you will use a passphrase of at least 15 characters, mixing digits and letters of both cases.



Open the encrypted device, mapping it to the virtual device /dev/mapper/vcrypt. Create a file system on it and a mount point.



cryptserv:~# cryptsetup luksOpen /dev/sda vcrypt

cryptserv:~# mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/vcrypt

cryptserv:~# mkdir /home/crypt

cryptserv:~# mount /dev/mapper/vcrypt /home/crypt/




Next, install VirtualBox. To my deep regret, it is now Oracle's VirtualBox, not Sun's.



cryptserv:~# echo "deb http://download.virtualbox.org/virtualbox/debian lenny non-free" >> /etc/apt/sources.list

cryptserv:~# wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | apt-key add -

cryptserv:~# apt-get install virtualbox-3.2




Create the virtual machine. Let's call it Bender1, based on the Windows 2003 Server template.



cryptserv:~# VBoxManage createvm --name bender1 --ostype Windows2003 --register



Give the VM 1 GB of RAM, bridge its network to eth0 and enable the built-in RDP server (VRDP) on port 3389. Keep in mind that VRDP accepts connections without authentication unless --vrdpauthtype is set, so it should not be left reachable from the whole network.



cryptserv:~# VBoxManage modifyvm bender1 --memory 1024 --floppy disabled --audio none --nic1 bridged --bridgeadapter1 eth0 --vram 12 --accelerate3d off --boot1 disk --acpi on --cableconnected1 on --usb off --vrdp on --vrdpport 3389 --vtxvpid on



Create an IDE controller for our virtual machine



cryptserv:~# VBoxManage storagectl bender1 --name "IDE Controller" --add ide



Create a virtual hard disk of 20 GB and connect it to the controller



cryptserv:~# VBoxManage createhd --filename /home/crypt/bender1.vdi --size 20480 --register

cryptserv:~# VBoxManage storageattach bender1 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /home/crypt/bender1.vdi




We connect the legal installation DVD image to the controller.



cryptserv:~# VBoxManage storageattach bender1 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /home/crypt/some_legal_windows_image.iso



Set the VM to boot from the DVD image



cryptserv:~# VBoxManage modifyvm bender1 --boot1 dvd



Now everything is ready to launch "Bender"



cryptserv:~# VBoxManage startvm bender1 --type vrdp



Connect to the RDP server and enjoy installing a legal win2k3. I see no point in describing the installation and configuration of the win2k3 server itself.



h1g@h1g-laptop:~$ rdesktop -k en-us 192.168.1.14:3389



After a successful installation, send Bender the shutdown signal



cryptserv:~# VBoxManage controlvm bender1 acpipowerbutton



Switch back to booting from the disk



cryptserv:~# VBoxManage modifyvm bender1 --boot1 disk



Sample scripts to start and stop the virtual machine.



cryptserv:~# cat start_vm.sh

#!/bin/bash
# open the LUKS volume (asks for the passphrase), mount it, then start the VM
/sbin/cryptsetup luksOpen /dev/sda vcrypt && mount /dev/mapper/vcrypt /home/crypt && /usr/bin/VBoxManage startvm bender1 --type vrdp




cryptserv:~# cat shutdown_vm.sh

#!/bin/bash
# press the ACPI power button, wait until the VM process is gone, then unmount and close the volume
/usr/bin/VBoxManage controlvm bender1 acpipowerbutton
while [ `ps aux | grep " bender1 --startvm " | grep -v grep | wc -l` -ne 0 ]
do
    echo "VM is powering off. Please wait"
    sleep 1
done
umount /home/crypt && /sbin/cryptsetup luksClose vcrypt
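The scripts above do the job, but they decide whether the VM is still running by grepping ps, and they do not check what they are about to open or close. As an added example (my own code, not the article's), here is a stricter start/stop wrapper for the same names used in this article (/dev/sda, the vcrypt mapping, /home/crypt, the bender1 VM). It assumes that VBoxManage showvminfo --machinereadable prints a VMState="..." line, which is what VirtualBox does, and that the mountpoint utility is installed; everything else is plain cryptsetup.

```shell
#!/bin/sh
# Added example (not from the original article): start/stop wrapper for the
# bender1 VM living on the vcrypt LUKS volume, with state checks instead of
# grepping ps. Names are the article's; the only assumption about tooling is
# that `VBoxManage showvminfo --machinereadable` prints a VMState="..." line.

VM_NAME="${VM_NAME:-bender1}"
LUKS_DEV="${LUKS_DEV:-/dev/sda}"
MAPPING="${MAPPING:-vcrypt}"
MOUNTPOINT="${MOUNTPOINT:-/home/crypt}"
ACPI_TIMEOUT="${ACPI_TIMEOUT:-120}"   # seconds to give the guest for a clean shutdown

# Extract the VMState value from showvminfo output read on stdin
# (kept separate so it can be checked on captured text without VirtualBox).
vm_state_from() {
    sed -n 's/^VMState="\([^"]*\)".*/\1/p' | head -n 1
}

vm_state() {
    VBoxManage showvminfo "$VM_NAME" --machinereadable 2>/dev/null | vm_state_from
}

# Poll until the VM reports WANTED; return 1 after TIMEOUT seconds.
wait_for_state() {
    wanted="$1"; timeout="$2"; elapsed=0
    while [ "$(vm_state)" != "$wanted" ]; do
        if [ "$elapsed" -ge "$timeout" ]; then return 1; fi
        sleep 1; elapsed=$((elapsed + 1))
    done
}

# Refuse to touch a device without a LUKS header: a wrong or wiped disk must
# fail loudly here rather than be mistaken for the data volume later.
open_crypt() {
    cryptsetup isLuks "$LUKS_DEV" || { echo "$LUKS_DEV is not a LUKS device" >&2; return 1; }
    cryptsetup status "$MAPPING" >/dev/null 2>&1 || cryptsetup luksOpen "$LUKS_DEV" "$MAPPING" || return 1
    mountpoint -q "$MOUNTPOINT" || mount /dev/mapper/"$MAPPING" "$MOUNTPOINT"
}

start_all() {
    open_crypt && VBoxManage startvm "$VM_NAME" --type vrdp && wait_for_state running 30
}

# ACPI power button first; hard poweroff only if the guest ignores it.
stop_vm() {
    state=$(vm_state)
    if [ -z "$state" ]; then
        echo "cannot determine the state of $VM_NAME" >&2; return 1
    fi
    case "$state" in poweroff|aborted) return 0 ;; esac
    VBoxManage controlvm "$VM_NAME" acpipowerbutton
    if ! wait_for_state poweroff "$ACPI_TIMEOUT"; then
        echo "guest ignored ACPI shutdown, forcing poweroff" >&2
        VBoxManage controlvm "$VM_NAME" poweroff
        wait_for_state poweroff 30 || return 1
    fi
}

# Unmount, close the mapping, and only report success once cryptsetup confirms
# the mapping is gone: until then the volume key is still held by the kernel.
close_crypt() {
    if mountpoint -q "$MOUNTPOINT"; then umount "$MOUNTPOINT" || return 1; fi
    if cryptsetup status "$MAPPING" >/dev/null 2>&1; then
        cryptsetup luksClose "$MAPPING" || return 1
    fi
    ! cryptsetup status "$MAPPING" >/dev/null 2>&1
}

stop_all() {
    stop_vm && close_crypt
}

case "${1:-}" in
    start) start_all ;;
    stop)  stop_all ;;
esac
```

The point of the stop path is ordering: guest shut down first (ACPI, then a forced poweroff only after the timeout), filesystem unmounted, mapping closed, and a final check that the mapping really is gone, since a stop script that quietly fails at luksClose leaves the volume key in memory on a box the whole design assumes may be carried away.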




Again, I repeat: this is an example of a basic setup. Firewall configuration, tying the DHCP/tftp boot to the MAC address of the server being booted, hardening the ssh server, encryption of the "bootable system" and so on are not described here.

One thing to keep in mind with this design: the kernel, initrd and root filesystem travel over the LAN in the clear and unauthenticated, so whoever controls the boot server, or can answer DHCP/TFTP faster than it, can hand the client a modified system and later collect the passphrase as it is typed over ssh. The ssh host keys live on that same export, so the client's fingerprint proves nothing on its own.

Every administrator decides for himself.

Nobody limits the flight of your paranoid fantasy, but remember that not all medicines are equally useful.

Source: https://habr.com/ru/post/88385/


