Crypted disks with remote key placed on http server

June 7th, 2009

This page contains some notes on how to create an encrypted disk using dm-crypt, LVM and GPG, with the key stored remotely on an HTTP server.
The advantage is that the key used for unlocking the encrypted disk(s) lives somewhere on a server instead of on a USB stick.

* You can easily delete this key if your disks are stolen, and nobody can access them any longer…
* If you keep the key on a USB stick, it has to be connected to the machine with the encrypted disks at every reboot; usually it ends up plugged into the server all the time, which destroys all the security.
* The key is downloaded automatically from the remote HTTP server at every reboot (if that fails, your disks remain locked).

All commands were tested on Debian and should be also applicable on other distributions.

Remote server side

Generate a new key pair:

gpg --gen-key

List the keys and write down the ID of the key (9BB7698A):

gpg --list-keys

pub   1024D/9BB7698A 2009-06-07
uid                  test_name (test_comment)
sub   2048g/A0DA1037 2009-06-07

Export the private key and save it temporarily somewhere “public”…

gpg --verbose --export-options export-attributes,export-sensitive-revkeys --export-secret-keys 9BB7698A > ~/public_html/secret.key

Generate a random key and encrypt it with the previously generated key pair. This will be the key used for dm-crypt:

head -c 256 /dev/urandom | gpg --batch --passphrase test --verbose --throw-keyids --local-user 9BB7698A --sign --yes --cipher-algo AES256 --encrypt --hidden-recipient 9BB7698A --no-encrypt-to --output ~/public_html/abcd.html -

Client side (where the data will be encrypted)

Log in to the machine where you want to encrypt your data.

Create the LVM volume:

#lvremove -f lvdata
#vgremove -f vgdata
pvcreate -ff -v /dev/hda2 /dev/hdb1
vgcreate -v -s 16 vgdata /dev/hda2 /dev/hdb1
lvcreate -v -l 100%FREE vgdata -n lvdata

Import the secret key from the HTTP server (don’t forget to remove secret.key from the server afterwards), then download the encrypted key and decrypt it into [/mykey] for dm-crypt:

#gpg --yes --delete-secret-keys 9BB7698A
#gpg --yes --batch --delete-keys 9BB7698A
wget -O - | gpg --import -
wget -O - | gpg --quiet --passphrase test --batch --decrypt > /mykey

Encrypt the LVM volume [vgdata-lvdata] using [/mykey]:

cryptsetup -s 512 -c aes-xts-plain luksFormat /dev/mapper/vgdata-lvdata /mykey

Open the “LUKS” container with the dm-crypt key [/mykey]:

cryptsetup --key-file=/mykey luksOpen /dev/mapper/vgdata-lvdata vgdata-lvdata_crypt

Format the opened LUKS device and copy some data onto it:

mkfs.ext3 /dev/mapper/vgdata-lvdata_crypt
mount /dev/mapper/vgdata-lvdata_crypt /mnt
cp /etc/* /mnt/
umount /mnt
cryptsetup luksClose vgdata-lvdata_crypt
rm /mykey

Now we have to create a short script [/script] which downloads the key from the remote server, decrypts it with the imported secret key using GPG and writes it to its standard output (that is where cryptsetup reads it from):

#!/bin/sh
/usr/bin/wget --quiet -O - | /usr/bin/gpg --quiet --homedir /root/.gnupg --passphrase xxxx --batch --decrypt 2>/dev/null
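A hardened variant of this keyscript, added here as an example (it is not the post's own script): it waits for the network by retrying the download, refuses to hand cryptsetup anything other than a key of the expected 256 bytes, and never writes the key to disk. Assumptions not taken from the post: KEY_URL is a placeholder for the real URL, and the imported secret key has no passphrase, so no passphrase has to sit in the script.

```shell
#!/bin/sh
# Hardened keyscript for /etc/crypttab (added example, not the post's script).
# Assumed, not from the page: KEY_URL is a placeholder, and the imported GPG
# secret key has no passphrase, so no passphrase sits in this script.
KEY_URL="https://keyhost.example.invalid/abcd.html"   # placeholder, replace
GNUPGHOME_DIR="/root/.gnupg"
EXPECTED_KEY_LEN=256   # head -c 256 /dev/urandom produced the plaintext key
RETRIES=30             # the network is usually still down when cryptdisks runs
RETRY_DELAY=2

# Run "$@" up to $1 times, $2 seconds apart; return the last exit status so
# cryptsetup sees a failure rather than an empty key.
retry() {
    attempts=$1; delay=$2; shift 2; n=0
    while :; do
        "$@" && return 0
        rc=$?
        n=$((n + 1))
        [ "$n" -ge "$attempts" ] && return "$rc"
        sleep "$delay"
    done
}

# True only if the octal byte list in $1 has exactly EXPECTED_KEY_LEN bytes:
# a truncated download, an HTML error page or a failed decryption is rejected.
check_key_len() {
    set -- $1
    [ "$#" -eq "$EXPECTED_KEY_LEN" ]
}

# Octal list back to raw bytes on stdout (printf expands \ooo escapes).
emit_key() {
    fmt=""
    for o in $1; do fmt="$fmt\\$o"; done
    printf "$fmt"
}

# One attempt: download, decrypt, keep the result as octal text because a shell
# variable cannot hold NUL bytes. Success means the length check passed.
fetch_attempt() {
    KEY_OCTAL=$(wget --quiet --tries=1 --timeout=10 -O - "$KEY_URL" \
        | gpg --quiet --batch --homedir "$GNUPGHOME_DIR" --decrypt 2>/dev/null \
        | od -An -v -t o1 | tr -s ' \n' ' ')
    check_key_len "$KEY_OCTAL"
}

main() {
    retry "$RETRIES" "$RETRY_DELAY" fetch_attempt \
        || { echo "keyscript: no usable key after $RETRIES attempts" >&2; exit 1; }
    emit_key "$KEY_OCTAL"
}
# cryptsetup passes the crypttab key field ("none") as $1; no argument, no run.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Point keyscript= in /etc/crypttab at this file instead of the one-liner; the exit status of the script is what makes cryptsetup fail cleanly when the server is unreachable.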

We must not forget to mount our encrypted filesystem after boot [/etc/rc.local]:

echo "Mounting crypted file system in 5 seconds..."
sleep 5
cryptdisks_start vgdata-lvdata_crypt
mount /mnt

Another necessary step is putting the right entry into [/etc/crypttab]:

vgdata-lvdata_crypt     /dev/mapper/vgdata-lvdata       none noauto,cipher=aes-xts-plain,size=512,luks,tries=1,checkargs=ext2,keyscript=/script

We don’t want the encrypted filesystem mounted together with the others, because the network is not ready at that time [/etc/fstab]:

/dev/mapper/vgdata-lvdata_crypt /mnt    ext3    noauto,rw,exec,async,noatime,nocheck,data=writeback    0       0

This is definitely not the best way to secure your data, but it’s better than nothing.

Feel free to combine this method with keys stored on a USB drive.
