
Vivid Encryption Setup

This topic is closed.


    (Rewrite of original post).

    As I said here, I am trying to create a certain specific solution for a cryptsetup partitioning scheme.

    My goal is to have 2 different OSes, both Linux, one of which is what they euphemistically call a penetration testing distribution -- common slang for "hackers" ;-).

    The idea is to have a main system that is visible in GRUB, and ideally a different system that becomes available after entering a first password -- or alternative means of supply e.g. a keyfile.

    Especially for the idea of having a headless server, such a separate (e.g. USB supplied) keyfile or passphrase becomes mandatory for booting.

    And in the absence of that, it needs to be some kind of SSH or similar authentication mechanism with a BusyBox / Dropbear thing.

    But for now:

    - two volume groups, each volume group containing a root fs and a swap. Then a 3rd ideally also hidden (within one of the volume groups) data partition.

    Complete security is not a necessity and it is also a testing thing to see what is possible and how it is done.

    The idea then becomes to have a /boot partition that is not encrypted. But I'm not even sure, because of how GRUB operates and how it can perhaps also unlock encrypted root filesystems by itself.

    You would think then: the boot information gives access to a single 'root unlock' but it should or could chainload into a different GRUB residing on one of the encrypted partitions. Perhaps it is not more difficult than to have a MBR grub unlocking the primary root, and a different grub on the primary root giving access to something else. However, the most ideal situation is to have different passwords unlocking different systems.

    Currently when I install a default Kubuntu (15.04, 14.10, it makes no difference) it puts two volumes in the /etc/crypttab, one for sda5_crypt, and one for an encrypted swap. Then in fstab, the devices that are mapped from those get mounted as / and used as swap.

    I do not yet know how this mapping is configured, have to look into dmsetup I guess.

    The main idea currently in any case is to have two volume groups based on an encrypted logical partition, or perhaps two volume groups containing one encrypted partition (with password) and the other (swap) as /dev/urandom.

    When using the Server installer manual setup, it doesn't really do that thing with the swap, but you can set it to not need a password (random key). I also found that you can prevent (in crypttab) volumes from being auto-mounted, or from failing or blocking the boot process should they not get mounted straight away.

    It should also be possible to let it remember the passwords you enter for other volumes, but when I tried this (with a Server install) the system became ..rather unstable. Even the rescue option / screen (where you get a little menu with about 6 options) would just freeze. That was about using keyscript=decrypt_keyctl in /etc/crypttab. Rather unreliable?

    So right now I am wondering whether I can do resizings in the current volume group to resize the root volume, and I also wonder whether I can change the names of the mapper devices. Make it more to my liking. But I don't know how and when they are added, and where they are configured. I know I can manually remove them and probably also renew them. But currently they don't show up in the (currently mounted) root filesystem (from this live session still).

    In any case, that is my progress thus far. If I can resize the volumes later on, I can easily add new encrypted partitions to my own liking. The only ....annoyance I have is with the UUIDs, because I don't know how they work yet.

    At least I learned a few commands:

    Code:
    blkid
    lvdisplay
    ls -l /dev/disk/by-uuid

    It seems easy enough now to change the names of the volume group, their paths, and the name of the volumes themselves.

    Then what is left is to resize an encrypted ext4 partition, but that might be hard. In any case it seems like the /sda5 is encrypted as a whole. Which is kinda weird considering that... there are two swaps defined. One comes from sda5 -> sda5_crypt. Within sda5_crypt there is a swap partition. Since this is by itself an unencrypted volume, there is nothing defined for it in terms of LUKS. But there is also an additional swap defined in the crypttab called cryptswap1 with a UUID that I cannot find anywhere yet. And this has its own, auto-generated 'password' (or key). And both are mentioned in /etc/fstab, but one is still not mapped in the current live session.

    Anyway. Time to continue.
    Last edited by xennex81; Jan 29, 2015, 12:36 PM. Reason: update/rewrite
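
An added example, not part of the original post: a small parser that classifies `/etc/crypttab` entries like the ones described above (a passphrase-protected root container, a swap keyed from `/dev/urandom`, a volume using `keyscript=decrypt_keyctl`) by where the key comes from and whether the entry is set up at boot. The sample file, its UUIDs and the `data_crypt` and `scratch` entries are constructed; `noauto` and `nofail` are option names from crypttab(5) that the post does not name, and are assumed here to be the ones it alludes to.

```python
# Added example: classify /etc/crypttab entries by key source and boot behaviour.
# SAMPLE is constructed for illustration; the UUIDs are placeholders.
SAMPLE = """\
# <target name> <source device> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks
cryptswap1 UUID=00000000-0000-0000-0000-000000000002 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
data_crypt UUID=00000000-0000-0000-0000-000000000003 none luks,noauto,keyscript=decrypt_keyctl
scratch    UUID=00000000-0000-0000-0000-000000000004 /dev/urandom cipher=aes-xts-plain64
"""

def parse_options(field):
    """Turn 'luks,noauto,keyscript=x' into {'luks': True, 'noauto': True, 'keyscript': 'x'}."""
    opts = {}
    for item in filter(None, field.split(",")):
        name, _, value = item.partition("=")
        opts[name] = value or True
    return opts

def key_source(key, opts):
    if "keyscript" in opts:
        return "keyscript"   # the key field is handed to the script as its argument
    if key in ("/dev/urandom", "/dev/random"):
        return "random"      # fresh key on every boot, old contents are lost
    if key in ("none", "-"):
        return "prompt"      # passphrase is asked for interactively
    return "keyfile"

def parse_crypttab(text):
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue         # blank line or comment
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        key = fields[2] if len(fields) > 2 else "none"
        opts = parse_options(fields[3] if len(fields) > 3 else "")
        entry = {"name": fields[0], "source": fields[1], "key": key_source(key, opts),
                 "boot": "manual" if "noauto" in opts else "auto", "warnings": []}
        if entry["key"] == "random" and not opts.keys() & {"swap", "tmp"}:
            entry["warnings"].append("random key without swap/tmp: data unreadable after reboot")
        if entry["key"] == "prompt" and entry["boot"] == "auto" and "nofail" not in opts:
            entry["warnings"].append("boot waits for a passphrase on the console")
        entries.append(entry)
    return entries

if __name__ == "__main__":
    for e in parse_crypttab(SAMPLE):
        print(f'{e["name"]:<11} key={e["key"]:<9} boot={e["boot"]:<6} {"; ".join(e["warnings"])}')
```
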

    #2
    The reason I now suddenly have to get this working is because I am in the position that I have been 'given' a network computer that I do not yet need.

    In the sense that I needed to purchase it (probably) to deplete some funds (most likely) but also because the computer had really been in the planning for a long time. Only, given my less-than-ideal circumstances (to put it mildly) I am not capable of storing it in my home, nor is it very safe there would I have the opportunity to get it there.

    Perhaps that is all panic and none of this is true. Nevertheless.

    I am wanting to install this (headless) Debian server, and for that reason I suddenly had to revamp this laptop to Ubuntu. To see how I could get enough knowledge to configure the Debian system later on. I have it here, today I will be able to install a hardware RAID card. Funnily enough, I did not know that the Linux software RAID layer was and is as capable or nearly as capable as any hardware solution.

    So yesterday I plugged the two hdds in the (now not so-) headless server and started checking out the dmraid tool. Not sure what it does or what it is for. But today I should have a screwdriver ready. Some things here in this location remind me of being an unborn toad. No tools, nothing to eat.

    Just an egg to sit in and hopefully there will be some water when the shell breaks.



      #3
      So the stupid thing is, not only did I put myself in this position (apparently, I do not see how I could have made much different choices all along) I also failed to get my family together so that I can run my server there, or with some friends. So now everything is here in this semi-cell-complex, which they call something of a 'hospital' for the mentally placated.

      And now basically I have two weeks to learn a thing or two about the configuration of my Debian server, so that later on I can probably just repeat it within a few days.... ?

      It seems wholly like madness to me. Why on earth do something that is supposed to be fun, under a time schedule??

      Why the hell spend those funds in the first place. I believe it is a misinterpretation of what is going on and what might happen. Although I am seriously at risk of losing a lot of money, in the sense of possibly ca. 1500 euro, and possibly much more (that I don't even have) in the sense of being fined for something that I didn't really do.

      Moreover there was the opportunity to get a specialised memory module set (that I want, or need, or think I do... ;-)) for a rebate, it was like 200 euro off.

      I really don't know what is going on and why I am doing this.

      Maybe I should just remain a sitting duck for 20 days and see if that changes anything.

      If I don't try to achieve, I cannot really get in a depression either. Or some depression mood for a short or shorter period.

      So I have the hardware that I love, but I didn't want it yet, or I wanted it in different circumstances.

      I don't even have a keyboard and mouse, or a monitor, and I am borrowing them from another computer here that supposedly is not exactly meant to be taken apart, but that is more that the network cable is a sacred commodity: it seems that if you even disconnect it for a second, the link will go dead.

      But I have plenty of wifi, just not on the server yet. I kinda threw away a small chance to get it tested and running with some USB 3G modem. Perhaps I will ask my father to send the thing back, just a prepaid sim meant only for mobile internet --- but there is no coverage here for that network.

      So I am writing here to get this off my chest and perhaps become a little clearer on what the hell is going on here with me.

      ;-) .

      Perhaps it is all for the best, and perhaps I am mistaken about it being a bad or less-than-fun thing.

      Two weeks to get a Debian server configured particularly in terms of the RAID solution and physical partitioning and possibly volume setup across that RAID. I don't even think it will be using encryption, at least not at this point for real.

      So what do we have: a Dawicontrol RAID Controller with a manual that is completely in German. Should be fun..

      The RAID controller has (reading German now) the possibility of splitting volumes into 2TB sets in case it becomes problematic for e.g. MBR partitions. It mentions also, which I have read before, that GPT partitioning might create problems with booting from them.

      ((The server has both BIOS and UEFI. Booting from BIOS with GPT is apparently well supported as long as you use a BIOS Boot Partition (here). Booting from UEFI mode seems to be more of a mystic thing. I know the BIOS of my server allows me to switch off Legacy devices and only use UEFI, but I don't even know what distinguishes a "legacy" device from a "UEFI" device. In any case, the small partition that newer versions of Windows always automatically configure seems to be a case of the ESP (EFI System Partition). It would ideally be a FAT32 partition, it seems.))

      GRUB 2 is also the mysterious thing that I've encountered in Kubuntu. I had renamed my volumes and volume group using vgrename and lvrename, but had failed or forgotten to update GRUB. It would not boot and in a form of rescue mode (Busybox console I believe) I tried to find the grub files, but they are nonexistent, and I found (now) that GRUB 2 has no manually editable files, you have to rerun the scripts that are based on deeper configuration (e.g. the device mapping and so on) and it will then automatically update the boot loader to reflect those changes.

      The same idiocy is happening with the Synology NAS DSM system. There is virtually nothing that you can manually edit, and when you do, it gets overwritten at every boot. So you seriously have to remove symlinks to configuration tools in order to let some config files remain unchanged at boot. Or shutdown, whichever the case may be.

      Thankfully though, the grub loader itself obviously allows editing of the boot parameters (much more than Grub Legacy?) so in the end I was able to easily boot into the system and run update-grub. It was a bit of a nightmare to discover (in the console) how to use switch_root, since the call to it had to be preceded by "exec", or at least the call to /sbin/init. "PID has to be 1". Okay, well then tell me how to achieve that.... idiots ;-). I didn't have the mental clarity to discover that fact on my own..



        #4
        So I have this Debian box running and I control it from Kubuntu (ha, the relevance!).

        I have tried to set up a VNC remote desktop to it, but not much shows itself yet :-/.

        The remote desktop is Gnome, and it opens a weird gnome-terminal that has bad text display, it doesn't work at all.

        The Debian box is hence configured through SSH which is I guess also a good learning experience.

        I now have it set up to use a package called lm-sensors in conjunction with "fancontrol". Fancontrol has a tool called pwmconfig that will test to see if any fans respond to PWM signals and if the correlation can be measured. Once that is done, on boot it will load a script as a daemon or whatever that will maintain the temperature/speed correlation that you want.

        The CPU fan of that thing could go no longer than 1000 rpm, so that is where it is at now. Unfortunately when the program stops or is stopped, it returns the fan to full speed (3000 dustblower). Previously it was automatically controlled by the BIOS.

        Which is a shame that it doesn't return it to auto-control at stop.

        The Kubuntu Vivid install that I started this thread with, has been disappeared from my system ;-). I run 14.10 now, it is slightly 300% better configured and completed. I don't believe for one second that they will have 15.04 ready in say April.

        Even 14.10 is only 10% completed of what it should or could be.

        In terms of for example right click popup context menu actions that popup actions that are not relevant for the icon itself, but only for the enclosing context. Weirdness. A misinterpretation and misappropriation of contexts.

        Anyway it is nice to be in Linux again but I do not know how long I will hold out, I am already planning to reinstall windows once I have this system setup and copied as an image to something else. I just want this Kubuntu thing configured to the max as to what I can achieve in a few days, week at most?? And then find a way to store a compressed (sparse?) copy of every partition that will allow me to re-unpack that backup to any partition of sufficient size. There are only two partitions on this; one is /boot, which is basically irrelevant as to what size concerns, and the other is a backup of a partition or unto a size of about 160G (148 GB).

        Any harddisk of that size or greater should easily accept that LVM volume.

        Perhaps I can simply dd and gzip the entire /dev/sda5? Partition information (size) is not in the partition itself. The header for encryption/decryption is. You would store an encrypted filesystem but encryption has the tendency to be uncompressable. I can give it a shot right now. It is basically mounted (mapped) but let us see what goes. ..Barely any compression. ..The unencrypted (of the exact same) compresses to ca. 18% of original, the encrypted to 98% of original. Sparse of course has no use for an encrypted thing, but it doesn't do much for unencrypted either ;-). That is probably because I am taking from the beginning of the device.

        Not that it matters, I think bzip2 does a good job. Although sparse might mean that less sectors are needed on the eventual target device?

        Putting it on a usb disk at 11 MB/s.

