
Linux Data Encryption

This article describes one of the options for encrypting data on Linux.

It does not claim to be the ultimate truth and reveals nothing new: the idea is described and an example of its implementation is shown.
The main idea:
If the hardware is stolen (the hard drive, or the computer as a whole), the thief must be unable to obtain any information from it. In other words, every data carrier in the machine must be fully encrypted, so that an attacker with physical possession gets nothing at all.
Booting from a flash drive was rejected out of hand for ideological reasons: the stick cannot always be pulled out quickly enough.
As a result, a network-boot scheme was chosen: the box that can be stolen holds nothing but an encrypted disk, and the operating system that unlocks it lives on the boot server.
Task:
Encrypt the data stored on a Windows server.
Implementation outline:
1. Boot the server over the network (PXE + NFS root).
2. Start sshd and wait for the encrypted partitions to be mounted.
3. Over SSH, unlock and mount the encrypted partitions.
4. Start a VirtualBox virtual machine with Windows on board.
Initial data:
Network: 192.168.1.0/24
The main gateway: 192.168.1.1
DNS: 192.168.1.1
Remote boot server: 192.168.1.13 (boot server)
Server with encrypted data: 192.168.1.14 (loadable server)

Everything described below will happen on a server with Debian Lenny preinstalled.

Install and configure the DHCP server for network booting.
netboot:~# apt-get install dhcp3-server
netboot:~# mcedit /etc/dhcp3/dhcpd.conf

option domain-name-servers 192.168.1.1;
default-lease-time 86400;
max-lease-time 604800;
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.20 192.168.1.60;
filename "pxelinux.0";
next-server 192.168.1.13;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
}


Next, install and configure the TFTP server.

netboot:~# apt-get install tftpd-hpa
netboot:~# mcedit /etc/default/tftpd-hpa

RUN_DAEMON="yes"
OPTIONS="-l -s /opt/vcrypt/boot"


For network booting we need the pxelinux.0 file from the syslinux package.
Install syslinux and configure PXE.

netboot:~# apt-get install syslinux
netboot:~# mkdir -p /opt/vcrypt/boot
netboot:~# cp /usr/lib/syslinux/pxelinux.0 /opt/vcrypt/boot/
netboot:~# mkdir /opt/vcrypt/boot/pxelinux.cfg
netboot:~# touch /opt/vcrypt/boot/pxelinux.cfg/default
netboot:~# mcedit /opt/vcrypt/boot/pxelinux.cfg/default

DEFAULT vcrypt
TIMEOUT 30
PROMPT 1
LABEL vcrypt
KERNEL vmlinuz
APPEND root=/dev/nfs nfsroot=192.168.1.13:/opt/vcrypt/ initrd=initrd.img ip=192.168.1.14::192.168.1.1:255.255.255.0:


The meaning of this config: by default the vcrypt entry is booted; it names the kernel and ramdisk to use and tells the kernel that the root filesystem is on the remote NFS server. The ip= parameter gives the initramfs the client address, (empty) server address, gateway and netmask, in that order, so the NFS root can be mounted before any userland network configuration exists.

With the tftp and pxe settings we finished, now we will install and configure the nfs server.

netboot:~# apt-get install nfs-kernel-server nfs-common portmap
netboot:~# mcedit /etc/exports

/opt/vcrypt 192.168.1.14(rw,no_root_squash,async,no_subtree_check)


This line says which directory is exported and to whom: read-write, without root squashing (root on the client must be root on its own root filesystem), and only to 192.168.1.14. Note that NFS trusts the client IP address and nothing else.

netboot:~# invoke-rc.d nfs-kernel-server reload

Reload the NFS server so that it picks up the new exports file.
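Three files now have to agree with each other: next-server in dhcpd.conf, the nfsroot= and ip= values on the APPEND line, and the client named in /etc/exports. A mismatch in any of them shows up only as a client that hangs after loading the kernel. The script below is an added example, not code from the original article, that cross-checks the three files before the first boot attempt. It assumes the ISC dhcpd, pxelinux and exports syntax shown above and a single APPEND line per label, and it carries constructed copies of the article's own configs so that it runs anywhere:

```sh
#!/bin/sh
# netboot_check.sh: cross-check the boot server's three config files for the
# address mismatches that make a PXE/NFS-root boot hang. Added example, not
# part of the original article; assumes the ISC dhcpd, pxelinux and exports
# syntax shown above and a single APPEND line in pxelinux.cfg/default.

# First value of "<key>=..." on the pxelinux APPEND line.
append_field() {            # $1 = pxelinux config file, $2 = key
    sed -n 's/^[[:space:]]*APPEND[[:space:]]*//p' "$1" | tr ' ' '\n' \
        | sed -n "s/^$2=//p" | head -n 1
}

# next-server (the TFTP host clients are sent to) from dhcpd.conf.
dhcp_next_server() {        # $1 = dhcpd.conf
    sed -n 's/^[[:space:]]*next-server[[:space:]]*\([0-9.]*\)[[:space:]]*;.*/\1/p' "$1" \
        | head -n 1
}

# Does the exports file grant <client> access to <path>?  Trailing slashes are
# ignored: nfsroot= usually carries one, /etc/exports usually does not.
export_allows() {           # $1 = exports file, $2 = path, $3 = client address
    p=${2%/}
    awk -v p="$p" -v c="$3" '
        { path = $1; sub(/\/$/, "", path)
          if (path == p) for (i = 2; i <= NF; i++) if (index($i, c "(") == 1) found = 1 }
        END { exit !found }' "$1"
}

# Report every inconsistency; return 0 only when the chain is coherent.
netboot_check() {           # $1 = dhcpd.conf, $2 = pxelinux default, $3 = exports
    rc=0
    tftp=$(dhcp_next_server "$1")
    nfsroot=$(append_field "$2" nfsroot)
    nfs_host=${nfsroot%%:*}
    nfs_path=${nfsroot#*:}
    client=$(append_field "$2" ip)
    client=${client%%:*}

    [ -n "$tftp" ]    || { echo "dhcpd.conf: no next-server line";          rc=1; }
    [ -n "$nfsroot" ] || { echo "pxelinux: no nfsroot= on the APPEND line"; rc=1; }
    [ -n "$client" ]  || { echo "pxelinux: no client address in ip=";       rc=1; }
    # In this setup TFTP and NFS are the same box, so a difference is a typo.
    if [ -n "$tftp" ] && [ -n "$nfs_host" ] && [ "$tftp" != "$nfs_host" ]; then
        echo "next-server $tftp differs from nfsroot host $nfs_host"; rc=1
    fi
    if [ -n "$client" ] && [ -n "$nfs_path" ] && ! export_allows "$3" "$nfs_path" "$client"; then
        echo "exports: $nfs_path is not exported to $client"; rc=1
    fi
    return $rc
}

# Constructed sample files with the article's addresses, to exercise the check.
write_samples() {           # $1 = directory
    cat >"$1/dhcpd.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.20 192.168.1.60;
  filename "pxelinux.0";
  next-server 192.168.1.13;
}
EOF
    cat >"$1/default" <<'EOF'
DEFAULT vcrypt
LABEL vcrypt
KERNEL vmlinuz
APPEND root=/dev/nfs nfsroot=192.168.1.13:/opt/vcrypt/ initrd=initrd.img ip=192.168.1.14::192.168.1.1:255.255.255.0:
EOF
    cat >"$1/exports" <<'EOF'
/opt/vcrypt 192.168.1.14(rw,no_root_squash,async,no_subtree_check)
EOF
}

demo_good() {
    d=$(mktemp -d) && write_samples "$d"
    netboot_check "$d/dhcpd.conf" "$d/default" "$d/exports"; rc=$?
    rm -rf "$d"; return $rc
}

# Same files but the export names the wrong client: the check must fail.
demo_bad() {
    d=$(mktemp -d) && write_samples "$d"
    echo '/opt/vcrypt 192.168.1.15(rw,no_root_squash,async,no_subtree_check)' >"$d/exports"
    netboot_check "$d/dhcpd.conf" "$d/default" "$d/exports"; rc=$?
    rm -rf "$d"; return $rc
}

demo_good && echo "sample configs: consistent"
demo_bad  || echo "wrong export client: correctly reported"
```

On the boot server run it as netboot_check /etc/dhcp3/dhcpd.conf /opt/vcrypt/boot/pxelinux.cfg/default /etc/exports. It only reads the first value it finds for each key, so a pxelinux file with several labels needs one run per label.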

Now it remains to install the system that will be booted over the network. The easiest option is the debootstrap utility.

netboot:~# apt-get install debootstrap

The installation is as simple as it gets: specify the architecture, the distribution, where to install it and the mirror (where to fetch the packages from).

netboot:~# debootstrap --arch i386 lenny /opt/vcrypt/ http://ftp.us.debian.org/debian


When debootstrap completes, the system in /opt/vcrypt/ is almost ready for work.

Chroot into the newly installed system:
netboot:~# LANG=C chroot /opt/vcrypt/ /bin/bash

Set the time zone, the network and the resolver, set the hostname and update the apt cache.

netboot:/# nano /etc/default/rcS

TMPTIME=0
SULOGIN=no
DELAYLOGIN=no
UTC=no
VERBOSE=no
FSCKFIX=no
RAMRUN=no
RAMLOCK=no

netboot:/# dpkg-reconfigure tzdata
netboot:/# nano /etc/network/interfaces

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.14
netmask 255.255.255.0
gateway 192.168.1.1

netboot:/# nano /etc/resolv.conf

nameserver 192.168.1.1

netboot:/# echo cryptserv > /etc/hostname
netboot:/# apt-get update


Install and configure locales.
I chose only en_US.UTF-8 and ru_RU.UTF-8; to keep everything kosher, en_US.UTF-8 is set as the default.

netboot:/# apt-get install locales
netboot:/# dpkg-reconfigure locales


Create a kernel installation configuration file and install the kernel

netboot:/# touch /etc/kernel-img.conf
netboot:/# nano /etc/kernel-img.conf

do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no

netboot:/# apt-get install linux-image-2.6.26-2-686


Configure the initrd to boot over the network. Note that all of this is still done inside the chroot.

netboot:/# nano /etc/initramfs-tools/initramfs.conf

MODULES=netboot
BUSYBOX=y
KEYMAP=n
BOOT=nfs
DEVICE=eth0
NFSROOT=auto


Delete the old initrd and generate a new one. It could be deleted the plain worker-and-peasant way:
rm /boot/initrd.img-2.6.26-2-686
but I have disliked the rm command since childhood. Name the kernel version explicitly rather than using uname -r: inside a chroot, uname -r reports the host's running kernel, not the one just installed, and the two only coincide by luck.

netboot:/# update-initramfs -v -d -k 2.6.26-2-686
netboot:/# update-initramfs -v -c -k 2.6.26-2-686


Making symbolic links to the kernel and ramdisk

netboot:/# cd /boot
netboot:/boot# ln -s vmlinuz-2.6.26-2-686 vmlinuz
netboot:/boot# ln -s initrd.img-2.6.26-2-686 initrd.img


Install the LUKS tools

netboot:/# apt-get install cryptsetup hashalot

Set root password and install ssh server

netboot:/# passwd
netboot:/# apt-get install openssh-server


After these manipulations the network-bootable system is complete. Boot the loadable server (192.168.1.14) from the network.

If the boot succeeds, you have a fully working system at 192.168.1.14 running sshd.

Log in and set up the encryption:

h1g@h1g-laptop:~$ ssh -l root 192.168.1.14

Fill the disk with random data so that encrypted data cannot be told apart from free space (with dd's default 512-byte block size this takes hours on a large disk; bs=1M is considerably faster).
You can also check for bad blocks, but that is up to you.

cryptserv:~# dd if=/dev/urandom of=/dev/sda

Create the encrypted device (here the whole disk /dev/sda, but a partition or any other block device works the same way)

cryptserv:~# cryptsetup --verbose --verify-passphrase luksFormat /dev/sda

I hope you will use a pass phrase of at least 15 characters long, consisting of numbers and letters of different case.

Open the encrypted device and map it to the virtual device /dev/mapper/vcrypt. Create a file system, create a mount point and mount it.

cryptserv:~# cryptsetup luksOpen /dev/sda vcrypt
cryptserv:~# mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/vcrypt
cryptserv:~# mkdir /home/crypt
cryptserv:~# mount /dev/mapper/vcrypt /home/crypt/


Next, install VirtualBox. To my deep regret, it is now Oracle's VirtualBox rather than Sun's.

cryptserv:~# echo "deb http://download.virtualbox.org/virtualbox/debian lenny non-free" >> /etc/apt/sources.list
cryptserv:~# wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | apt-key add -
cryptserv:~# apt-get install virtualbox-3.2


Create a container for the virtual machine. Let it be called bender1, with the Windows 2003 Server template.

cryptserv:~# VBoxManage createvm --name bender1 --ostype Windows2003 --register

Give the container 1 GB of RAM, attach its network interface to the bridge on eth0, and enable the built-in RDP (VRDP) server on port 3389.

cryptserv:~# VBoxManage modifyvm bender1 --memory 1024 --floppy disabled --audio none --nic1 bridged --bridgeadapter1 eth0 --vram 12 --accelerate3d off --boot1 disk --acpi on --cableconnected1 on --usb off --vrdp on --vrdpport 3389 --vtxvpid on

Create an IDE controller for our virtual machine

cryptserv:~# VBoxManage storagectl bender1 --name "IDE Controller" --add ide

Create a virtual hard disk of 20 GB and connect it to the controller

cryptserv:~# VBoxManage createhd --filename /home/crypt/bender1.vdi --size 20480 --register
cryptserv:~# VBoxManage storageattach bender1 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /home/crypt/bender1.vdi


Attach the (legally obtained) installation DVD image to the controller.

cryptserv:~# VBoxManage storageattach bender1 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium /home/crypt/some_legal_windows_image.iso

Set the VM to boot from the DVD image.

cryptserv:~# VBoxManage modifyvm bender1 --boot1 dvd

Now everything is ready to launch "Bender"

cryptserv:~# VBoxManage startvm bender1 --type vrdp

Connect to the RDP server and enjoy installing a legal win2k3. I see no point in describing the installation and configuration of the Windows 2003 server itself.

h1g@h1g-laptop:~$ rdesktop -k en-us 192.168.1.14:3389

After a successful installation, we send a “shutdown” signal to “Bender”

cryptserv:~# VBoxManage controlvm bender1 acpipowerbutton

Switch to boot disk

cryptserv:~# VBoxManage modifyvm bender1 --boot1 disk

Sample scripts to start and stop the virtual machine.

cryptserv:~# cat start_vm.sh
#!/bin/bash
/sbin/cryptsetup luksOpen /dev/sda vcrypt && mount /dev/mapper/vcrypt /home/crypt && /usr/bin/VBoxManage startvm bender1 --type vrdp


cryptserv:~# cat shutdown_vm.sh
#!/bin/bash
/usr/bin/VBoxManage controlvm bender1 acpipowerbutton
# wait until the VBoxHeadless process for bender1 is gone
while [ `ps aux | grep " bender1 --startvm " | grep -v grep | wc -l` -ne 0 ]
do
    echo "VM is powering off. Please wait"
    sleep 1
done
umount /home/crypt && /sbin/cryptsetup luksClose vcrypt


Once more: this is an example of a basic setup. It does not cover the firewall, restricting DHCP and TFTP to the MAC address of the server being booted, hardening the ssh server, encrypting the network-booted system itself, and so on. Keep in mind what that last point means: the root filesystem of the loadable server, sshd host keys included, sits in cleartext on the boot server, and the NFS export trusts nothing but an IP address, so the boot server needs protecting as much as the encrypted disk does.
Every administrator decides for himself.
Nothing limits the flight of your paranoid fantasy, but remember that not all medicines are equally beneficial.

Source: https://habr.com/ru/post/88385/

