FedoraForum.org - Fedora Support Forums and Community
  1. #1
    326bd935 Guest

    Encryption Keys on USB

    This is a complete nightmare so far.
    I just want to do something very simple - mount /home using a key on a USB/SD card.

    I tried using crypttab but it seems Fedora's crypttab is inferior:
    no keyscript option
    no keyfile-size option
    ...

    The key can be a set of /dev/random bytes surrounded by /dev/urandom bytes in an unformatted partition or a file on a formatted partition.
    I can easily unlock the luks container manually:
    Code:
    dd if=/dev/mmcblk0p3 skip=116700547 ibs=1 count=4096 obs=4096 | cryptsetup luksOpen /dev/sda5 testdev --key-file=-
    But i'm having a really hard time getting this to work properly during boot.

    Please help me

  2. #2
    326bd935 Guest

    Re: Encryption Keys on USB

    Not solving my question but I managed to figure out a slightly more secure option.
    I got the idea to instead have /boot on a usb and all partitions on the harddrive to be encrypted. After trying to modify kernel parameters for crypto I realized that they were overwritten in initrd or seemed to be anyway (i'm no pro).

    This method would prevent the following for the purpose (physical attacks):
    - Live system booted and mounted /. This would allow for tampering of system files.
    - Laptop/Device stolen. Protect Documents on /home

    Potential weaknesses:
    - Device in suspend. Wakeup and disks accessible (got a resume password/ other logged in accounts)?
    - Someone sees you booting using usb. If someone really wants your data, they could try anything to get/borrow/copy your usb.

    Steps
    1. Install fedora with encryption on all harddrive partitions. Place /boot and 'bios boot' on usb (unencrypted).
    2. Generate and add keyfiles to partitions.
    3. Place keyfiles somewhere in /boot (eg. /boot/banana)
    4. Keyfiles to be auto-copied to initrd. Add keys to /etc/dracut.conf.d/01-dist.conf in the install_items+=" x y z " line. Eg.: install_items+=" vi /etc/virc/ /boot/banana ps grep cat rm "
    5. Modify crypttab to use keyfiles automatically. Add the 3rd parameter to be the keyfile location (you can just replace 'none' with the path which in this example is /boot/banana)
    6. Regenerate initrd. Run 'mkinitrd' - with no parameters it gives you an example - this is what parameters I gave.
    7. Reboot and check it works.
    8. Disable auto-mount of /boot. Add noauto option to fstab? Add allow any user to mount?

    Note:
    You will need /boot to install kernel upgrades. Just mount it before. Yum should tell you if it isn't mounted and stop the process if this is the case. So you should have nothing to worry about there.

  3. #3
    Join Date
    Feb 2009
    Posts
    24

    Re: Encryption Keys on USB

    At present I encrypt via luks my root, home and swap. Here are my details:

    I use lvm, my volumes are: vg_vol01-LVRoot for root, vg_vol01-LVSwap01 for swap and vg_vol02-LVhome for home. The cryptloop keys are binary files with random bits called:
    /system-key-root and /system-key-home.


    My /etc/crypttab is:
    # setup encrypted swap
    swap /dev/mapper/vg_vol01-LVSwap01 /dev/urandom cipher=aes-cbc-essiv:sha256,swap
    root /dev/mapper/vg_vol01-LVRoot /system-key-root
    home /dev/mapper/vg_vol02-LVhome /system-key-home


    I have a USB key, formatted as EXT4 with label 'SystemKeys' which has a copy of the files:
    /system-key-root and /system-key-home.
    Another Copy of these files is in the root filesystem, with the appropriate permissions (0400) and with the 'immutable' flag set (as in % chattr +i /system-key-root /system-key-home)

    The relevant part of /etc/default/grub is:
    GRUB_CMDLINE_LINUX="rd.lvm.lv=vg_vol01/LVRoot rd.md=0 rd.dm=0 KEYTABLE=us rd.luks.key=/system-key-root:LABEL=SystemKeys LANG=en_US.UTF-8 rhgb quiet"

    Once everything is setup you need to install the new grub command line with:
    /sbin/grub2-mkconfig -o /boot/grub2/grub.cfg

    During boot if the correct USB keyfob is inserted with the correct keys the system boots with encrypted 'home', 'root' and 'swap'. If the keyfob is not on the system, then I'm prompted for the password to unlock the cryptloop devices.

  4. #4
    326bd935 Guest

    Re: Encryption Keys on USB

    Thanks for the help! This is exactly what I needed.

  5. #5
    Join Date
    Apr 2008
    Posts
    7

    Re: Encryption Keys on USB

    Quote Originally Posted by tony4377
    At present I encrypt via luks my root, home and swap. Here are my details:

    I use lvm, my volumes are: vg_vol01-LVRoot for root, vg_vol01-LVSwap01 for swap and vg_vol02-LVhome for home. The cryptloop keys are binary files with random bits called:
    /system-key-root and /system-key-home.


    My /etc/crypttab is:
    # setup encrypted swap
    swap /dev/mapper/vg_vol01-LVSwap01 /dev/urandom cipher=aes-cbc-essiv:sha256,swap
    root /dev/mapper/vg_vol01-LVRoot /system-key-root
    home /dev/mapper/vg_vol02-LVhome /system-key-home

    Can this be modified for non-lvm systems using a usb-stick (F19, F20) where systemd seems to ignore /etc/crypttab [1], [2]?
    where eg. /dev/sdb /root, /dev/sdc /home, /dev/sdd swap luks ext4
    Would a copy of keyfile be needed on all?

    1: https://bugzilla.redhat.com/show_bug.cgi?id=905683
    2: https://bugzilla.redhat.com/show_bug.cgi?id=982608

  6. #6
    Join Date
    Feb 2009
    Posts
    24

    Re: Encryption Keys on USB

    First, you should be aware there is a known bug from F18 and on with using rd.luks.key and allowing dracut to use systemd:
    http://bugzilla.redhat.com/show_bug.cgi?id=905683

    To summarize, when setting up you will need to prevent dracut from using systemd and waiting till the normal OS starts for systemd to be used by putting the following in /etc/dracut.conf:
    omit_dracutmodules+=" systemd "
    In addition, I needed to force the inclusion of crypt utilities, and LVM (because I use LVM, something you may be able to omit) by also adding the following to /etc/dracut.conf:
    add_dracutmodules+=' lvm crypt '
    With respect to using non LVM, it should be a simple exercise. Just edit crypttab to point to where your volumes actually reside, for example /dev/sda1 vice /dev/mapper/vg_vol01-LVroot. Or, perhaps better would be for you to use the UUID of the device as in UUID=2505567a-9e27-4efe-a4d5-15ad146c258b vice /dev/mapper/vg_vol01-LVroot. Then it would not matter where the volume was, physical or LVM. I simply elected not to go this route because I'm constantly messing with my test system and rebuilding the OS all the time. I got tired of working with the UUID.

  7. #7
    Join Date
    Feb 2009
    Posts
    24

    Re: Encryption Keys on USB

    I neglected to mention, after editing /etc/dracut.conf do not forget to rebuild the initramfs that you are booting with dracut, otherwise the modifications to /etc/dracut.conf will not be a part of the initramfs.

  8. #8
    Join Date
    Feb 2012
    Location
    Michigan
    Posts
    21

    Re: Encryption Keys on USB

    Quote Originally Posted by tony4377
    I neglected to mention, after editing /etc/dracut.conf do not forget to rebuild the initramfs that you are booting with dracut, otherwise the modifications to /etc/dracut.conf will not be a part of the initramfs.
    This solution no longer works in Fedora 28. systemd-initrd will not work if systemd is removed from initrd.

    Suggestions?

  9. #9
    Join Date
    Nov 2016
    Location
    Germany
    Posts
    31

    Re: Encryption Keys on USB

    Please do not append to old threads!
    I lost my time studying the thread, before I realized that it is completely outdated.

    Bequimão

  10. #10
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    6,136

    Re: Encryption Keys on USB

    Thread closed, please do not necropost in a 5 year old thread. Instead create a new thread about your USB key issue x53sv. The likelihood of tony responding is near zero anyhow since he's not been on here for 4 years either.
