Encrypted disks with a remote key placed on an HTTP server
This page describes how to create an encrypted disk using dm-crypt, LVM and GPG, with the key stored on a remote HTTP server.
The advantage is that the key used for unlocking the encrypted disk(s) lives somewhere on a server instead of on a USB stick.
* You can easily delete this key if your disks are stolen, and nobody can access them any longer…
* If you use a USB stick to store the key, it must be connected to the machine with the encrypted disks on every reboot; usually it ends up plugged into the server all the time, which destroys all security.
* Keys are downloaded automatically from the remote HTTP server on every reboot (if the download fails, your disks remain locked).
All commands were tested on Debian and should also be applicable to other distributions.
Remote server side
Generate a new key pair:
List the keys and write down the secret key ID (9BB7698A):
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/9BB7698A 2009-06-07
uid test_name (test_comment) test@xvx.cz
sub 2048g/A0DA1037 2009-06-07
Export the private key and save it somewhere “public” temporarily…
Generate a random key and encrypt it with the previously generated GPG key. That will be the key used for dm-crypt:
Client side (where the data will be encrypted)
Log in to the machine where you want to encrypt your data.
Create lvm volume:
#vgremove -f vgdata
pvcreate -ff -v /dev/hda2 /dev/hdb1
vgcreate -v -s 16 vgdata /dev/hda2 /dev/hdb1
lvcreate -v -l 100%FREE vgdata -n lvdata
Import the secret key from the HTTP server (don’t forget to remove secret.key from the server afterwards), then download and decrypt the cipher key for dm-crypt [/mykey]:
#gpg --yes --batch --delete-keys 9BB7698A
wget https://10.0.2.2/~ruzickap/secret.key -O - | gpg --import -
wget https://10.0.2.2/~ruzickap/abcd.html -O - | gpg --quiet --passphrase test --batch --decrypt > /mykey
Encrypt the LVM volume [vgdata-lvdata] using [/mykey]:
Add the dm-crypt key [/mykey] to LUKS:
Format the opened LUKS device and copy some data to it:
mount /dev/mapper/vgdata-lvdata_crypt /mnt
cp /etc/* /mnt/
umount /mnt
cryptsetup luksClose vgdata-lvdata_crypt
rm /mykey
Now we have to create a short script [/script] which downloads the key from the remote server, decrypts it with the imported GPG secret key and prints it to the screen:
#!/bin/sh
# download the encrypted key, decrypt it with the imported secret key and print the plaintext key to stdout
/usr/bin/wget --quiet https://10.0.2.2/~ruzickap/abcd.html -O - | /usr/bin/gpg --quiet --homedir /root/.gnupg --passphrase xxxx --batch --decrypt 2>/dev/null
We should not forget to mount our encrypted filesystem after boot [/etc/rc.local]:
sleep 5
cryptdisks_start vgdata-lvdata_crypt
mount /mnt
Another necessary step is putting the right information into [/etc/crypttab]:
We don’t want to mount the encrypted filesystem together with the others, because the network is not ready at that time [/etc/fstab]:
This is definitely not the best way to secure your data, but it’s better than nothing.
Feel free to combine this method with keys stored on a USB drive.
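The key-fetching script [/script] above and the "network is not ready yet" problem behind the rc.local and fstab handling, combined in an added example that is not part of the original post: a keyscript for /etc/crypttab that retries the download while the network comes up and refuses to hand an empty or truncated key to cryptsetup. Assumptions (not from the post): the passphrase is kept in /root/.keypass instead of on the command line, the dm-crypt key is exactly 32 bytes, and the script is referenced as a crypttab keyscript with the URL in the key field.

```shell
#!/bin/sh
# Added example (not the script from the original post): a more defensive
# keyscript for /etc/crypttab. Debian's cryptsetup runs the keyscript with the
# crypttab key field as $1 and reads the key from its stdout, so the URL goes
# in that field. Assumptions: the GPG secret key is imported in /root/.gnupg,
# the passphrase sits in /root/.keypass (mode 0600) instead of on the command
# line, and the dm-crypt key is exactly 32 bytes long.
GNUPGHOME=${GNUPGHOME:-/root/.gnupg}; export GNUPGHOME
PASSFILE=${PASSFILE:-/root/.keypass}   # assumed path; keeps the passphrase out of `ps`
KEYLEN=${KEYLEN:-32}                   # assumed key size in bytes
TRIES=${TRIES:-12}; SLEEP=${SLEEP:-5}  # wait up to 60 s for the network

log() { logger -t keyscript "$*" 2>/dev/null || echo "keyscript: $*" >&2; }

download() {   # $1 = URL; ciphertext on stdout, non-zero if the fetch fails
    wget --quiet --tries=1 --timeout=10 -O - "$1"
}
decrypt() {    # ciphertext on stdin, plaintext on stdout
    # gpg 2.1+ also needs --pinentry-mode loopback for a non-interactive passphrase
    gpg --quiet --batch --passphrase-file "$PASSFILE" --decrypt 2>/dev/null
}

# fetch_key URL: retry the download while the network comes up, decrypt, and
# print the key only if it has exactly KEYLEN bytes. Returns 0 on success,
# 1 if the key is unusable, 2 if the download never succeeded, so that
# cryptdisks_start fails instead of being fed an empty key.
fetch_key() {
    cipher=$(mktemp) && plain=$(mktemp) || return 2
    n=0; rc=2
    while [ "$n" -lt "$TRIES" ]; do
        if download "$1" > "$cipher"; then
            if decrypt < "$cipher" > "$plain" && [ "$(wc -c < "$plain" | tr -d ' ')" -eq "$KEYLEN" ]; then
                cat "$plain"; rc=0
            else
                log "key from $1 did not decrypt to $KEYLEN bytes; refusing to unlock"; rc=1
            fi
            break
        fi
        n=$((n + 1)); sleep "$SLEEP"
    done
    if [ "$rc" -eq 2 ]; then log "could not download $1 after $TRIES attempts"; fi
    rm -f "$cipher" "$plain"
    return "$rc"
}

if [ $# -gt 0 ]; then fetch_key "$1"; fi
```

With this in place the sleep in rc.local is no longer load-bearing: the script itself waits for the network and a failed fetch leaves the volume locked with a syslog entry explaining why.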