Dream or paranoid again about encryption
Posted 16 March 2011, 11:36

In light of the recent events around torrents.ru and the stepped-up activity of government agencies fighting piracy, I think many people have wondered how to protect themselves or their server in case uninvited "guests" show up. So I took on the task of protecting my home media server from such intrusions, and after a couple of days of googling and reading manuals and howtos I managed to implement it. I should say there are plenty of articles on encryption, but most of them are designed to encrypt only particular partitions, and they are either outdated or contain a lot of mistakes.

OBJECTIVES:

  1. The whole hard drive (all drives) must be securely encrypted
  2. The drives must show no partition layout at all, as if they were brand new (or wiped) drives
  3. The OS must reside on the encrypted partitions
  4. It must be possible to increase disk space by adding new drives
  5. The system must boot from the encrypted data without the key being typed in


THEORY:


To start, a brief explanation of how it will work: the bootloader and the access key are stored on a small (<50 MB) partition of a USB stick; at power-on the loader unlocks access to the encrypted disk, loads the kernel, mounts the virtual partitions (LVM), and then boot proceeds as usual.
Ubuntu Server 9.10 was chosen as the operating system, but the task can be accomplished on any UNIX-like system. I should note right away that the installer can encrypt the system during installation, but points 1 and 2 of the list above cannot be achieved that way, which is why we do everything by hand.
We will need:
  1. An Ubuntu Server 9.10 image
  2. A LiveCD distribution. I took the regular Ubuntu Desktop CD, because it can work with encrypted partitions out of the box.
  3. A USB flash drive that will be used to boot the system
  4. Basic knowledge of *nix systems
  5. Steady hands


STEP 1. Preparation of the stick and the hard drive


A) Partitioning the stick and creating the key
Connect the USB flash drive to the computer whose disk will be encrypted and boot from the LiveCD. Our task is to create 2 partitions on the flash drive: the first takes almost all the space and is formatted as FAT16, FAT32 or NTFS (your choice); the second, about 50 MB at the end of the stick, is formatted as ext2. This layout is deliberate: thanks to the first partition the flash drive remains fully usable in any OS, and the second partition is not visible from Windows, which is a plus if the stick falls into the wrong hands. To create the partitions I used the graphical tool GParted (it is on the LiveCD), but nothing stops you from using fdisk. After creating the partitions, mount them:
sudo su
mkdir /mnt/flash /mnt/boot
mount /dev/sdb1 /mnt/flash
mount /dev/sdb2 /mnt/boot
Now create the key file with which we will encrypt the disk, and make a duplicate of it (just in case):
dd if=/dev/random of=/mnt/boot/mykey bs=1 count=256
cp /mnt/boot/mykey /mnt/flash/
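As an added example that is not part of the original post, here is a small POSIX shell script for checking the key file before it is handed to luksFormat and for confirming that the duplicate is identical. It assumes the 256-byte key produced by the dd command above; the function names (check_keyfile, keys_match, make_keyfile) are mine, and stat -c is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the LUKS key
# file created with "dd if=/dev/random bs=1 count=256" and for its backup copy.
# Function names and the KEY_SIZE constant are assumptions of this example.
KEY_SIZE=256

# check_keyfile FILE: 0 if FILE exists, is exactly KEY_SIZE bytes and is
# readable only by its owner (mode 0400 or 0600); otherwise prints why and
# returns 1. A too-short key means dd was interrupted (or /dev/random blocked);
# a too-open mode means any local user can read the disk key.
check_keyfile() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    size=$(wc -c < "$file")
    [ "$size" -eq "$KEY_SIZE" ] || { echo "wrong size $size (want $KEY_SIZE): $file"; return 1; }
    mode=$(stat -c %a "$file")     # GNU stat; prints e.g. 600
    case $mode in
        400|600) ;;
        *) echo "mode $mode too permissive (want 0400/0600): $file"; return 1 ;;
    esac
}

# keys_match FILE1 FILE2: 0 when both files are byte-for-byte identical.
# cmp -s prints nothing, so no key bytes end up on the terminal or in history.
keys_match() {
    cmp -s "$1" "$2"
}

# make_keyfile FILE [SOURCE]: create a fresh key the way the post does, but
# with umask 077 so the file is never world-readable, then verify it.
# SOURCE defaults to /dev/random as in the post; /dev/urandom may be given
# on old kernels where /dev/random blocks for a long time.
make_keyfile() {
    file=$1
    src=${2:-/dev/random}
    ( umask 077 && dd if="$src" of="$file" bs=1 count="$KEY_SIZE" 2>/dev/null ) || return 1
    check_keyfile "$file"
}

# Usage: sh keycheck.sh /mnt/boot/mykey /mnt/flash/mykey
if [ $# -eq 2 ]; then
    check_keyfile "$1" && keys_match "$1" "$2" && echo "key OK, backup identical"
fi
```

On the FAT copy check_keyfile will always fail the mode test, because FAT has no Unix permissions; use keys_match for the copy and check_keyfile for the ext2 original. That is also one more reason to delete the copy from the FAT partition once the system boots, as the post recommends later.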
B) Preparing the disk for encryption
First we need to fill the disk completely with random data. This makes it impossible to tell which sectors hold your data and roughly how much space it occupies: the whole disk, opened in a hex editor, should look like uniformly distributed garbage regardless of how much information you have. There are 2 standard ways to do this; both are slow, so be patient.
First way. Random data is taken from the pseudo-random number generator and written to the disk in 2 MB blocks. The generation rate on a Core Quad Q6600 was only 6 MB/s, so the 80 GB test disk took 4 hours to fill.
sudo dd if=/dev/urandom of=/dev/sda bs=2M
The second way I have not personally tested, since I found it after the disk was already prepared. It uses the bad-block checker. I cannot say anything about the speed of this method or the "quality" of its random data.
sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda

Now that the disk is full, it is time to encrypt it. For this we use LUKS.
sudo cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/sda /mnt/boot/mykey
You will be warned about data destruction; to confirm you need to type YES (in capital letters). Now attach the encrypted disk:
sudo cryptsetup -d /mnt/boot/mykey luksOpen /dev/sda drivespace
Enter the password and you get a new block device, /dev/mapper/drivespace. From now on this device can be used like an ordinary disk.
C) Creating virtual partitions (LVM)
You could create standard partitions and format them, but that approach does not let us expand the partitions later (when new disks are added), so we use LVM. In short, it lets you add new disks to the pool at any time and extend the logical partitions onto the added space. My LiveCD booted without the required packages, so make sure to install them; then create a physical volume from our decrypted disk and divide it into logical volumes.
sudo su
apt-get install lvm2
pvcreate /dev/mapper/drivespace
vgcreate vg /dev/mapper/drivespace
lvcreate -L1G -nswap vg
lvcreate -L3G -nroot vg
lvcreate -l 100%FREE -ndata vg
We now have 3 more block devices: /dev/mapper/vg-swap, /dev/mapper/vg-root and /dev/mapper/vg-data. Format them with the appropriate filesystems.
sudo su
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.xfs /dev/mapper/vg-data
Done! Our disk is ready for the OS to be moved onto it. To prepare the system we will need the UUIDs of the disks and partitions, so save them to a file on the flash drive:
ls -l /dev/disk/by-uuid > /mnt/flash/uuid.txt

STEP 2. Preparing the operating system


A) Installing the system
Install the OS either on a separate disk or on a second computer (a virtual machine). Plug in our USB flash drive before installing. A minimal installation is best; choose the settings to suit your needs. The only important point: you must specify right away that /boot goes on the second partition of the stick (so there is nothing to move later) and make sure the GRUB bootloader is installed on the stick.
B) Installing additional packages and changing settings
After installation is complete, we need to add packages for encryption and LVM support to the system and tweak some configs. Install the packages (with the Internet connected):
sudo apt-get -y install cryptsetup lvm2
Edit the GRUB config. Ubuntu uses GRUB2, so edit /boot/grub/grub.cfg. Find the menuentry «Ubuntu, Linux 2.6.31-14-server» and just below it change
linux /vmlinuz-2.6.31-14-server root=UUID=9a651089-88fa-46d6-b547-38d3e10d4e67 ro quiet splash
to
linux /vmlinuz-2.6.31-14-server root=/dev/mapper/vg-root ro quiet splash
Edit /etc/fstab:
proc /proc proc defaults 0 0
UUID=eb7f5e37-b957-43dd-8af6-3c8983670df5 /boot ext2 defaults 0 2
/dev/mapper/vg-root / ext4 errors=remount-ro 0 1
/dev/mapper/vg-data /home xfs defaults 0 1
/dev/mapper/vg-swap none swap sw 0 0
For the /boot mount point the UUID of the second partition of the stick is given (take it from the file on the flash drive or look it up again on the system); this is needed so that the system always mounts the correct partition regardless of how many flash drives/disks are connected.
Edit /etc/crypttab:
drivespace UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b /boot/mykey luks,cipher=aes-cbc-essiv:sha256
Here we specify the UUID of our encrypted disk (look it up in the file on the flash drive).
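Before rebooting, a practitioner wants to know that these three hand-edited files agree with each other, because a typo in a UUID here means a box that does not come back up. The following shell script is an added example, not code from the original post: it parses crypttab, fstab and grub.cfg and checks that all three point at /dev/mapper/vg-root, that /boot is mounted by a UUID that actually exists, and that the crypttab UUID exists under /dev/disk/by-uuid. The function names, the write_sample_config helper (which reproduces the post's own values) and the optional fourth argument naming a test by-uuid directory are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot consistency check of
# the three files edited above. Function names and the optional BYUUID
# directory argument are assumptions of this example.

# crypttab_uuid FILE NAME: print the UUID (without "UUID=") of mapping NAME.
crypttab_uuid() {
    awk -v name="$2" '$1 == name && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }' "$1"
}

# crypttab_keyfile FILE NAME: print the key file (third field) of mapping NAME.
crypttab_keyfile() {
    awk -v name="$2" '$1 == name { print $3 }' "$1"
}

# fstab_device FILE MOUNTPOINT: print the device field for MOUNTPOINT.
fstab_device() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1 }' "$1"
}

# grub_root FILE: print the root= value of the first "linux" line in grub.cfg.
grub_root() {
    awk '$1 == "linux" { for (i = 2; i <= NF; i++) if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i; exit } }' "$1"
}

# check_boot_config CRYPTTAB FSTAB GRUBCFG [BYUUID]: 0 if everything is
# consistent, 1 otherwise (each problem is printed on its own line).
check_boot_config() {
    crypttab=$1; fstab=$2; grubcfg=$3; byuuid=${4:-/dev/disk/by-uuid}
    rc=0
    uuid=$(crypttab_uuid "$crypttab" drivespace)
    if [ -z "$uuid" ]; then
        echo "crypttab: no UUID= source for drivespace"; rc=1
    elif [ ! -e "$byuuid/$uuid" ]; then
        echo "crypttab: $uuid is not present in $byuuid"; rc=1
    fi
    key=$(crypttab_keyfile "$crypttab" drivespace)
    case $key in
        /*) ;;
        *) echo "crypttab: key file '$key' is not an absolute path"; rc=1 ;;
    esac
    root=$(fstab_device "$fstab" /)
    [ "$root" = /dev/mapper/vg-root ] || { echo "fstab: / is '$root', expected /dev/mapper/vg-root"; rc=1; }
    groot=$(grub_root "$grubcfg")
    [ "$groot" = "$root" ] || { echo "grub.cfg: root=$groot does not match fstab root '$root'"; rc=1; }
    boot=$(fstab_device "$fstab" /boot)
    case $boot in
        UUID=*) [ -e "$byuuid/${boot#UUID=}" ] || { echo "fstab: /boot $boot is not present in $byuuid"; rc=1; } ;;
        *) echo "fstab: /boot should be given as UUID=..., got '$boot'"; rc=1 ;;
    esac
    return $rc
}

# write_sample_config DIR: constructed copies of the post's three files plus a
# fake by-uuid directory, so the check can be tried without the real system.
write_sample_config() {
    mkdir -p "$1/by-uuid"
    : > "$1/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b"   # the encrypted disk
    : > "$1/by-uuid/eb7f5e37-b957-43dd-8af6-3c8983670df5"   # the stick's ext2 partition
    printf '%s\n' 'drivespace UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b /boot/mykey luks,cipher=aes-cbc-essiv:sha256' > "$1/crypttab"
    printf '%s\n' 'proc /proc proc defaults 0 0' \
        'UUID=eb7f5e37-b957-43dd-8af6-3c8983670df5 /boot ext2 defaults 0 2' \
        '/dev/mapper/vg-root / ext4 errors=remount-ro 0 1' > "$1/fstab"
    printf '\t%s\n' 'linux /vmlinuz-2.6.31-14-server root=/dev/mapper/vg-root ro quiet splash' > "$1/grub.cfg"
}

# Usage on the installed system: sh bootcheck.sh /etc/crypttab /etc/fstab /boot/grub/grub.cfg
if [ $# -ge 3 ]; then
    check_boot_config "$@"
fi
```

Run it on the installed system as sh bootcheck.sh /etc/crypttab /etc/fstab /boot/grub/grub.cfg, and run it again after any update-grub, since grub.cfg is regenerated then and the hand edit of root= can be lost.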
C) Changing the initrd
Prepare the initrd to work with encryption and LVM. Add to the file /etc/initramfs-tools/modules:
dm_mod
dm_crypt
sha256
aes_generic
Create the file /etc/initramfs-tools/hooks/cryptokeys with this script (and make it executable):
#!/bin/sh
PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

# nothing to do if cryptsetup is not installed
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi

. /usr/share/initramfs-tools/hook-functions
# copy the key file into the initrd and the cryptsetup binary with its libraries
mkdir -p ${DESTDIR}/etc/console
cp /boot/mykey ${DESTDIR}/etc/console
copy_exec /sbin/cryptsetup /sbin

It copies our key file into an unusual place inside the initrd, so that the flash drive does not have to be mounted again. Create the file /etc/initramfs-tools/scripts/local-top/cryptokeys with this script (also executable):
#!/bin/sh
PREREQ="udev"

prereqs()
{
    echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac

modprobe -b dm_crypt
modprobe -b aes_generic
modprobe -b sha256

# keep trying until the disk is unlocked
while ! /sbin/cryptsetup -d /etc/console/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace; do
    echo "Try again..."
done
It is executed during boot from the initrd, loads the required kernel modules, and tries to open our encrypted disk with UUID=090d14c1-e3c8-48e7-b123-6d9b8b2e502b. (The loop is there for the case of a passphrase instead of a key.) Put the UUID of your own encrypted disk here.
Now execute:
sudo update-initramfs -u -k all
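The while loop above never gives up, which is fine at a console but leaves a headless box stuck in the initrd with no clue why if the key file is wrong. As an added example (not the post's own script), the loop below bounds the number of attempts and falls back from the key file to cryptsetup's console passphrase prompt, covering the "passphrase instead of key" case the post mentions. Assumptions of this example: CRYPTSETUP and MAX_TRIES may be overridden from the environment (the self-test substitutes a fake cryptsetup), the modprobe lines of the original script are left out, and cryptsetup itself asks for the passphrase when no key file is given.

```shell
#!/bin/sh
# Added example, not the post's own local-top script: the luksOpen loop with a
# bounded number of attempts and a fallback from key file to passphrase prompt.
# CRYPTSETUP, MAX_TRIES and the function name are assumptions of this example.
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}
MAX_TRIES=${MAX_TRIES:-5}

# unlock_luks DEVICE NAME [KEYFILE]
# Attempt 1 uses KEYFILE (-d) when it is readable; if that is rejected, the
# remaining attempts let cryptsetup prompt for a passphrase instead of looping
# forever on a bad key. Prints the number of attempts made; returns 0 on
# success and 1 when the attempts are exhausted.
unlock_luks() {
    dev=$1; name=$2; key=$3
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if [ -n "$key" ] && [ -r "$key" ]; then
            if "$CRYPTSETUP" -d "$key" luksOpen "$dev" "$name"; then
                echo "$tries"; return 0
            fi
            echo "key file $key rejected, falling back to passphrase" >&2
            key=""
        elif "$CRYPTSETUP" luksOpen "$dev" "$name"; then
            echo "$tries"; return 0
        fi
        echo "Try again ($tries/$MAX_TRIES)..." >&2
    done
    echo "$tries"
    return 1
}

# Usage in the initrd (after the modprobe lines of the original script):
#   unlock_luks /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace /etc/console/mykey
if [ $# -ge 2 ]; then
    unlock_luks "$@" >/dev/null || exit 1
fi
```

Inside the local-top script the function call replaces the while loop and keeps everything above it. When the attempts run out the script exits non-zero and the initrd drops to its own shell, which is at least a state you can diagnose from the console.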
D) Packing the system for transfer
Mount our root fs partition in a separate folder and pack it onto the first partition of the stick:
mkdir /mnt/root && mount /dev/sda1 /mnt/root && cd /mnt/root
tar cjvf /mnt/flash/systembackup.tar.bz2 .   # DO NOT MISS the dot at the end of the line
Now the system can be transferred.

STEP 3. Transferring the system


It is all simple: connect the USB flash drive with our backup, boot from the LiveCD, attach the encrypted disk, install the LVM support package, mount the virtual root partition (you may first have to run vgscan and vgmknodes so that the system sees the partitions), mount the flash drive and unpack the archive with the system.
sudo su
# the key lies on the stick's second partition: mkdir /mnt/boot && mount /dev/sdb2 /mnt/boot first if it is not mounted yet
cryptsetup -d /mnt/boot/mykey luksOpen /dev/disk/by-uuid/090d14c1-e3c8-48e7-b123-6d9b8b2e502b drivespace
apt-get install lvm2
# vgscan && vgchange -ay && vgmknodes vg   # run this if the system did not see the virtual partitions
mkdir /mnt/root
mount /dev/mapper/vg-root /mnt/root
mkdir /mnt/flash
mount /dev/sdb1 /mnt/flash
cp /mnt/flash/systembackup.tar.bz2 /mnt/root && cd /mnt/root   # copy the archive onto the disk to speed up unpacking
tar xjvf systembackup.tar.bz2

Well, that's all; reboot the computer and boot from the flash drive. If everything was done correctly, after a few seconds you will see the words "Key slot 0 unlocked", which means your disk has been decrypted and attached, and then the standard boot follows.

Notes, sources


In the case of a home computer, such a setup lets you reliably protect your personal information and prevents anyone from using the computer without your knowledge (without the flash drive). In the case of a server in an organization, if an inspection shows up, you pull out the stick and hit reset, and the experts are left with a non-working/new computer. For a server at a hosting company I would complicate the scheme and keep the key somewhere on the network: if the server is unplugged and taken away, it will not boot without the Internet (and you need to quickly remove access to the key so that it does not boot at all).

If everything worked the first time, you can safely delete all files from the first partition of the stick.

Be sure to make a copy of your key so as not to lose access to your data. It is also a good idea to add a second key in the form of a passphrase (for how to do this, read the LUKS/cryptsetup documentation). Organizing fault-tolerant storage based on RAID1/5/6 and keeping an image of a valuable disk will not be superfluous either.
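The two pieces of advice above interact: the copy on the FAT partition should only be deleted once a second way to open the disk exists. As an added example (not from the original post), the script below reads the LUKS header dump and refuses to give the all-clear unless at least two key slots are enabled. It assumes a LUKS1 header, as written by the cryptsetup of that era, whose luksDump prints one "Key Slot N: ENABLED/DISABLED" line per slot; the function names, the CRYPTSETUP variable and the sample dump are mine.

```shell
#!/bin/sh
# Added example, not from the original post: check that a LUKS1 header has more
# than one usable key slot before the spare key copy is removed. Assumes the
# LUKS1 luksDump layout ("Key Slot 0: ENABLED"); function names are mine.
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}

# enabled_keyslots: read luksDump output on stdin, print the count of ENABLED slots.
enabled_keyslots() {
    awk '/^Key Slot [0-7]:/ && $NF == "ENABLED" { n++ } END { print n + 0 }'
}

# keyslots_ok: read luksDump output on stdin; 0 when at least two slots are
# enabled (key file plus passphrase), 1 with an explanation otherwise.
keyslots_ok() {
    n=$(enabled_keyslots)
    [ "$n" -ge 2 ] || { echo "only $n key slot(s) enabled; add a passphrase with luksAddKey before removing the key copy" >&2; return 1; }
}

# write_sample_dump FILE: constructed LUKS1 header dump, as it would look after
# luksFormat with the key file and one luksAddKey (values made up for the example).
write_sample_dump() {
    cat > "$1" <<'EOF'
LUKS header information for /dev/sda

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# Usage on the real system: sh slotcheck.sh /dev/sda
if [ $# -eq 1 ]; then
    "$CRYPTSETUP" luksDump "$1" | keyslots_ok && echo "two or more key slots enabled"
fi
```

The luksAddKey step the post refers to is cryptsetup -d /mnt/boot/mykey luksAddKey /dev/sda, which authenticates with the existing key file and prompts for the new passphrase. LUKS2 headers (cryptsetup 2.x) print key slots in a different layout, so the awk pattern above applies to LUKS1 only.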

When setting up this whole system I first modeled it on a virtual machine and only then moved it to a real computer. I would still love to hear the opinion of lawyers (preferably from Ukraine) on whether guilt in distributing pirated content can be proven if the experts cannot get at the information (which is impossible without the key) but find that the disk is encrypted.

LUKS Simple
LVM
EncryptedFilesystemHowto5 - the most useful of the articles I found; almost everything was done following it.
UPD: corrected the disk encryption command. Thanks for the note, ITpower.
Views: 611 | Added by: w1zard | Rating: 0.0/0