In the light of recent events around torrents.ru and the renewed activity of state anti-piracy bodies, many people have probably thought about how to protect themselves or their server in case unexpected "guests" arrive. So I set myself the task of protecting a home media server from such visits, and after a couple of days of searching Google and reading manuals and howtos I managed to do it. I will say right away that there are plenty of articles on encryption, but most of them cover encrypting only individual partitions, or are outdated and contain many errors.
GOALS:
- All hard disks must be securely encrypted.
- There must be no visible partition layout on the disks at all, as if each were a brand-new (or wiped) disk.
- The OS itself must live on the encrypted partitions.
- It must be possible to add disk space later by adding new disks.
- The system must boot without anyone typing in the key for the encrypted data.
THEORY:
To begin with, a brief explanation of how it all works: the bootloader and the access key are stored on a small (<50Mb) partition of a flash drive. At power-on the bootloader unlocks the encrypted disk, loads the kernel, activates the logical volumes (LVM), and the system then boots normally.
Ubuntu Server 9.10 was chosen as the operating system, but the same approach works on any UNIX-like system. One reservation: the installer can encrypt the system during installation, but goals 1 and 2 from the list above cannot be met that way, so everything is done by hand.
We will need:
- An Ubuntu Server 9.10 image
- A LiveCD distribution. I used the ordinary Ubuntu Desktop CD, since it can work with encrypted partitions out of the box.
- The flash drive that will be used to boot the system
- Basic knowledge of *nix systems
- A steady pair of hands
STAGE 1. Preparing the flash drive and the hard disk.
A) Partitioning the flash drive and creating the key
Plug the flash drive into the computer whose disk is to be encrypted and boot from the LiveCD. The task is to create two partitions on the flash drive: the first takes up almost all of the space and is formatted as FAT16, FAT32 or NTFS (your choice); the second, 50MB in size, is placed at the end of the drive and formatted as ext2. This layout is deliberate: thanks to the first partition the flash drive remains fully usable in any OS, and under Windows the second partition is not even visible, which is a plus if the drive falls into the wrong hands. I created the partitions with the graphical utility GParted (included on the LiveCD), but nothing stops you from using fdisk. After creating the partitions, mount them:
sudo su
mkdir /mnt/flash /mnt/boot
mount /dev/sdb1 /mnt/flash
mount /dev/sdb2 /mnt/boot
Create a 256-byte random key file and keep a copy on the first partition as well (it will be needed again in stage 3):
dd if=/dev/random of=/mnt/boot/mykey bs=1 count=256
cp /mnt/boot/mykey /mnt/flash/
B) Wiping and encrypting the hard disk
Before encrypting, fill the entire disk with random data, so that encrypted data cannot be told apart from unused space when the disk is viewed in a HEX editor (goal 2 from the list above). Two ways of doing this are shown; either one is enough.
The first is dd with a 2MB block size. On a Core Quad Q6600 this ran at about 6Mb/s (an 80GB disk took about 4 hours).
sudo dd if=/dev/urandom of=/dev/sda bs=2M
The second is a badblocks write test with random patterns, which fills the disk with random data and checks it for bad blocks at the same time:
sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda
Pick whichever of the two you prefer; there is no need to run both.
Now format the disk as a LUKS container, using the key file created above as the key (long option names are used here for clarity):
sudo cryptsetup --hash sha256 --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda /mnt/boot/mykey
Confirm with YES (in upper case). Then open the encrypted disk:
sudo cryptsetup --key-file /mnt/boot/mykey luksOpen /dev/sda drivespace
The unlocked disk is now available as /dev/mapper/drivespace, and everything below is done on that device.
C) Creating logical volumes (LVM)
LVM is used on top of the encrypted device so that more disks can be added later (goal 4) without repartitioning. The LiveCD does not ship the LVM tools, so install them first:
sudo su
apt-get install lvm2
pvcreate /dev/mapper/drivespace
vgcreate vg /dev/mapper/drivespace
lvcreate -L1G -nswap vg
lvcreate -L3G -nroot vg
lvcreate -l 100%FREE -ndata vg
This creates three logical volumes: /dev/mapper/vg-swap, /dev/mapper/vg-root and /dev/mapper/vg-data. Create the file systems on them:
sudo su
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.xfs /dev/mapper/vg-data
Important! Save the UUIDs of the new devices; they will be needed when editing fstab and crypttab:
ls -l /dev/disk/by-uuid >/mnt/flash/uuid.txt
STAGE 2. Installing the system.
A) Installing Ubuntu Server
Install Ubuntu Server in the usual way. The only difference from a normal installation is that /boot goes on the small ext2 partition of the flash drive and GRUB is installed onto the flash drive, so that the disk itself carries no bootloader and no visible partitions.
B) Configuring the installed system
Boot into the freshly installed system and install the LVM and cryptsetup tools (if the installer has not done so already):
sudo apt-get -y install cryptsetup lvm2
Next, GRUB. Ubuntu 9.10 uses GRUB2, whose configuration lives in /boot/grub/grub.cfg. In the menuentry «Ubuntu, Linux 2.6.31-14-server», replace the kernel line
linux /vmlinuz-2.6.31-14-server root=UUID=9a651089-88fa-46d6-b547-38d3e10d4e67 ro quiet splash
with
linux /vmlinuz-2.6.31-14-server root=/dev/mapper/vg-root ro quiet splash
Keep in mind that update-grub regenerates grub.cfg; to keep the change after a kernel update, set GRUB_DISABLE_LINUX_UUID=true in /etc/default/grub so the generated entries use the device path instead of a UUID.
Now edit /etc/fstab:
proc /proc proc defaults 0 0
UUID=eb7f5e37-b957-43dd-8af6-3c8983670df5 /boot ext2 defaults 0 2
/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
/dev/mapper/vg-data /home xfs defaults 0 1
/dev/mapper/vg-swap none swap sw 0 0
Here the UUID for /boot is that of the flash drive's ext2 partition (look it up in uuid.txt), while / and the other volumes are referenced by their LVM device names.
Then /etc/crypttab:
drivespace UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b /boot/mykey luks,cipher=aes-cbc-essiv:sha256
The UUID is that of the LUKS device /dev/sda (from uuid.txt); substitute your own.
C) Building the initrd
The initrd must unlock the LUKS disk and activate LVM before the root filesystem can be mounted, so it needs the crypto modules, the cryptsetup binary and the key.
Add the required modules to /etc/initramfs-tools/modules:
dm_mod
dm_crypt
sha256
aes_generic
Create /etc/initramfs-tools/hooks/cryptokeys with the following contents:
#!/bin/sh
# initramfs hook: copies the LUKS key file and cryptsetup into the initrd
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# nothing to do if cryptsetup is not installed
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi
. /usr/share/initramfs-tools/hook-functions
# put the key where the local-top script below expects to find it
mkdir -p ${DESTDIR}/etc/console
cp /boot/mykey ${DESTDIR}/etc/console
copy_exec /sbin/cryptsetup /sbin
This hook copies the key and cryptsetup into the initrd. Note that the key sits in the initrd in plain form, so the flash drive itself is the secret: whoever holds it can unlock the disk, and it must be kept safe accordingly.
Create /etc/initramfs-tools/scripts/local-top/cryptokeys, which unlocks the disk at boot:
#!/bin/sh
# initramfs local-top script: unlocks the LUKS disk with the key
# embedded in the initrd before the root filesystem is mounted
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac
modprobe -b dm_crypt
modprobe -b aes_generic
modprobe -b sha256
# retry until the disk is found and unlocked (USB devices may appear late)
while ! /sbin/cryptsetup --key-file /etc/console/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace; do
    echo "Try again..."
    sleep 1
done
Here UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b is again the LUKS device (the same UUID as in /etc/crypttab); substitute your own. If the UUID is wrong, the loop above never ends.
Make both scripts executable and rebuild the initrd:
sudo chmod +x /etc/initramfs-tools/hooks/cryptokeys
sudo chmod +x /etc/initramfs-tools/scripts/local-top/cryptokeys
sudo update-initramfs -u -k all
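A wrong UUID in /etc/crypttab or /etc/fstab is the most common reason the boot stalls at this point, so it is worth checking the configuration before rebooting. The script below is an added example, not part of the original article: it resolves every UUID referenced in crypttab and fstab against /dev/disk/by-uuid and verifies that the crypttab key file exists and is not world-readable. The file paths and the by-uuid directory are parameters, so it can also be run from the LiveCD against the installed system mounted under /mnt/root.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the UUIDs and
# key file that /etc/crypttab and /etc/fstab refer to before rebooting.
# Usage: check_uuid_refs CRYPTTAB FSTAB [BY_UUID_DIR]; check_key_files CRYPTTAB

# Print every UUID referenced in crypttab (2nd column) and fstab (1st column).
referenced_uuids() {
    { awk '!/^#/ && NF >= 2 { print $2 }' "$1"
      awk '!/^#/ && NF >= 1 { print $1 }' "$2"; } |
        sed -n 's/^UUID=//p' | sort -u
}

# Return 0 only if every referenced UUID exists in the by-uuid directory
# (default /dev/disk/by-uuid); a stale UUID here is what leaves the initrd
# looping on "Try again..." or drops the boot into an emergency shell.
check_uuid_refs() {
    byuuid=${3:-/dev/disk/by-uuid}
    rc=0
    for u in $(referenced_uuids "$1" "$2"); do
        if [ -e "$byuuid/$u" ]; then
            echo "ok      $u"
        else
            echo "MISSING $u"
            rc=1
        fi
    done
    return $rc
}

# Return 0 only if each key file named in crypttab (3rd column) exists and
# is not world-readable; the key file is the only secret in this setup.
check_key_files() {
    rc=0
    while read -r name dev key opts; do
        case $name in '' | \#*) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "MISSING key file $key for $name"
            rc=1
        else
            # the 8th character of the ls mode string is the other-read bit
            case $(ls -ld "$key") in
                -??????r*) echo "WARNING $key is world-readable"; rc=1 ;;
            esac
        fi
    done < "$1"
    return $rc
}
```

Run it as root on the installed system (check_uuid_refs /etc/crypttab /etc/fstab and check_key_files /etc/crypttab) after the edits above; a non-zero exit means something needs fixing before the reboot.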
D) Backing up the installed system
Boot from the LiveCD again, mount the freshly installed root filesystem and archive it to the flash drive (the archive will be unpacked onto the encrypted volumes in the next stage):
mkdir /mnt/root && mount /dev/sda1 /mnt/root && cd /mnt/root
tar cvjf /mnt/flash/systembackup.tar.bz2 --numeric-owner .
STAGE 3. Moving the system onto the encrypted disk.
The final stage: boot from the LiveCD, unlock the encrypted disk, activate LVM (if the volumes do not show up, run vgscan and vgmknodes), mount the volumes and unpack the backup onto them:
sudo su
mkdir /mnt/flash
mount /dev/sdb1 /mnt/flash
cryptsetup --key-file /mnt/flash/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace
apt-get install lvm2
# only if the volumes do not appear under /dev/mapper by themselves:
#vgscan && vgchange -a y && vgmknodes vg
mkdir /mnt/root
mount /dev/mapper/vg-root /mnt/root
mkdir /mnt/root/home
mount /dev/mapper/vg-data /mnt/root/home   # vg-data is mounted at /home, as in fstab
cp /mnt/flash/systembackup.tar.bz2 /mnt/root && cd /mnt/root
tar xvjf systembackup.tar.bz2 --numeric-owner
Now reboot from the flash drive. If the message Key slot 0 unlocked appears during boot, the key was accepted and the system continues booting from the encrypted volumes.
See also the LUKS LVMEncryptedFilesystemHowto, on which part of this setup is based.
ITpower