magic storage and crypto.

william Famy william.famy at laposte.net
Tue Jul 29 19:02:36 CEST 2008


Hi every FAI guy!

I am looking for a nice solution to create encrypted partitions with FAI.

I first tested how to set up an encrypted computer and it is not very hard. I 
think it will not be too hard to implement inside magic storage.

1) Dependencies for encryption.

* We have to use dm-crypt; we just have to tell the FAI client to load the 
module.
* We need cryptsetup and the LUKS add-on; just install them in the FAI nfsroot.

2) How to encrypt.

* Preparing the encrypted partition
	1) cryptsetup luksFormat -c $CIPHER /dev/partition $KEYFILE
	$CIPHER can be aes, blowfish...  $KEYFILE is the file that holds the crypto key.
	2) cryptsetup luksOpen /dev/partition $NAME
		$NAME will be under /dev/mapper/NAME
	3) dumping random data on the partition
		dd if=/dev/urandom of=/dev/partition
	4) create the filesystem:
		mkfs.$FS /dev/mapper/NAME
		$FS (ext3, xfs, FAT,..)
	5) mounting the partition
		mount /dev/mapper/NAME /target/$CHOICE
	

3) Telling the system about the encryption.

In my example $NAME=root_crypt and /dev/partition=/dev/hda1

	* Telling /etc/fstab on the client
		ex
		/dev/mapper/root_crypt / ext3 defaults 0 0
	* Telling where to find the key in /etc/crypttab
		root_crypt /dev/hda1 none luks (asks for a password)
		root_crypt /dev/hda1 /path/to/key luks (asks for a key file, on a USB stick for example)

	* Closing the encrypted partition when the install is over.
		cryptsetup luksClose root_crypt


4) Goodies.
	LUKS allows 8 key slots and it will be possible to add a slot easily.
	cryptsetup luksAddKey device new_key  old_key


5) Restrictions.
	/boot must not be encrypted.
	It could even be on a USB stick.
	Swap will be encrypted with the same method.
	We could add boot under swap crypt using the offset mount option.

6) Question.

	Is anyone interested in patching magic storage?
	I volunteer to test and debug the software. I have to create a script to 
encrypt some computers.

7) Magic storage proposal:

disk_config hda


primary  - 1000   - -
primary /boot 200 ext3 rw
primary  -   8000  - -
primary  -   25000-  - -

disk_config crypt
swap_crypt /dev/hda1  $crypt_file key
root_crypt /dev/hda3  $crypt_file  none
home_crypt /dev/hda4  $crypt_file key

Create the partition, then add the crypt option to encrypt /dev/partition, 
add it to the mapper and tell crypttab how to use it: none (password) or 
key (file).

It is also usable with RAID and LVM.

I hope this mail will be useful.

I talked about crypto 3 months ago but only have time now to help.


regards
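
Added example, not part of the original mail and not FAI code: a dry-run sketch of how the proposed "disk_config crypt" lines could be turned into /etc/crypttab entries and a cryptsetup command plan. The field order NAME DEVICE KEYFILE MODE, the function names and the sample values are assumptions; the random fill is printed before luksFormat because writing to the raw partition afterwards overwrites the LUKS header.

```shell
#!/bin/sh
# Added example: dry-run translator for the proposed "disk_config crypt" lines.
# Assumed field order, taken from the proposal: NAME DEVICE KEYFILE MODE,
# where MODE is "none" (passphrase prompt) or "key" (key file).

# Turn proposal lines on stdin into /etc/crypttab lines on stdout.
crypttab_lines() {
    while read -r name dev keyfile mode; do
        case "$name" in ''|\#*) continue ;; esac   # skip blank and comment lines
        case "$dev" in
            /dev/*) ;;
            *) echo "bad device '$dev' for $name" >&2; return 1 ;;
        esac
        case "$mode" in
            none) printf '%s %s none luks\n' "$name" "$dev" ;;
            key)  printf '%s %s %s luks\n' "$name" "$dev" "$keyfile" ;;
            *)    echo "unknown mode '$mode' for $name" >&2; return 1 ;;
        esac
    done
}

# Print (never run) the setup commands for one entry.
setup_commands() {
    name=$1; dev=$2; keyfile=$3; mode=$4; cipher=${5:-aes}
    # Random fill first: once luksFormat has run, the header lives on $dev.
    echo "dd if=/dev/urandom of=$dev bs=1M"
    if [ "$mode" = key ]; then
        echo "cryptsetup luksFormat -c $cipher $dev $keyfile"
        echo "cryptsetup luksOpen --key-file $keyfile $dev $name"
    else
        echo "cryptsetup luksFormat -c $cipher $dev"
        echo "cryptsetup luksOpen $dev $name"
    fi
}

# Constructed sample input mirroring the proposal; /path/to/key is a placeholder.
SAMPLE='swap_crypt /dev/hda1 /path/to/key key
root_crypt /dev/hda3 /path/to/key none
home_crypt /dev/hda4 /path/to/key key'

printf '%s\n' "$SAMPLE" | crypttab_lines
setup_commands root_crypt /dev/hda3 /path/to/key none
```

Nothing here touches a disk: both functions only print text, so the plan can be reviewed before any of it is run on a client.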


More information about the linux-fai-devel mailing list