magic storage and crypto.

Michael Tautschnig mt at debian.org
Tue Jul 29 21:19:47 CEST 2008


Hi William, hi all,

> I am looking for a nice solution to create crypt partition with FAI.
>
> I first test how to create crypto computer and it is not very hard. I  
> think it will not to hard to implement inside magic storage.
>
Well, it is already there :-) Ok, to be honest, there is some implementation --
but it is untested. FAI 3.2.8 has all the necessary bits to do it.

> 1) dependance to crypt.
>
> * we have to use dm-crypt just have to tell to load the module on the  
> FAI client.
> * we need cryptsetup and luks addon. just install it under fai nfsroot.
>
fai-client suggests cryptsetup, so yes, you just need to install it.

> 2) How to crypt.
>
> * preparing crypt partition
> 	1) cryptsetup luksFormat -c $CIFER /dev/partition $KEYFILE
> 	$CIFER can be aes blowfish...  $KEYFILE is a file where is the crypto key.
> 	2) cryptsetup luksOpen /dev/partiton $NAME
> 		$NAME will be under /dev/mapper/NAME
> 	3) dumping random data on the partition
> 		dd if=/dev/urandom of=/dev/partition
> 	4) create the filesytem:
> 		mkfs.$FS /dev/mapper/NAME
> 		£FS (ext3, xfs, FAT,..)
> 	5) mounting the partition
> 		mount /dev/mapper/NME /target/$CHOICE
> 	
>
> 3) telling the system about crypto.
>
> in my exemple $NAME= root_crypt /dev/parttion=/dev/hda1
>
> 	* Telling /etc/fstab under client
> 		ex
> 		/dev/mapper/root_crypt / ext3 defaults 0 0
> 	* Telling where to find the key in /etc/crypttab
> 		root_crypt /dev/hda1 none luks (ask passwd)
> 		root_crypt /dev/hda1 /path/to/key luks (asking key file usb stick for  
> exemple)
>
> 	* Telling when install is over to close the crypto partition.
> 		cryptosetup luksClose root_crypt
>

Most of those steps are done in /usr/lib/fai/setup-storage/Commands.pm, function
encrypt_device, some of them are missing in my implementation (I don't dump
random data and I don't do the luksClose, because I had no idea about that...).

William, are you ok with perl? Most likely the implementation is somewhat buggy,
but I currently don't find the time to test it, so bug reports (and even better
bug fixes :-) ) are very welcome... :-)

>
> 4) goodies.
> 	Luks allows 8 crypto slot and it will be possible to add slot easyly.
> 	cryptsetup luksAddKey device new_fey  old_key
>
Hmm, what exactly is the purpose of these "slots"?

>
> 5) Restriction.
> 	/boot must jot be crypt.
> 	it could even be under usb stick
> 	swap will be crypt to same method
> 	we could add boot under swap crypt using ofsett mount option.
>
Ok, the current implementation doesn't check for these.

> 6) Qestion.
>
> 	Is any one interesting in patching magic storage?
> 	I am volunter to test and debug the soft. I have to create script to  
> crypt some computer.
>
So please just go ahead and test :-)

> 7) Magic starage proposal:
>
[...]

Ok, sorry, I already did a somewhat more limited implementation: One may start
from a line like

primary  /secret         12000      ext3           rw   

and replace it by

primary  /secret:encrypt         12000      ext3           rw   

and that's it! If this partition happens to be put on, say, /dev/sda3, you will
get the key in /tmp/fai/crypt_dev_sda3 (it is generated randomly). The
appropriate crypttab will end up in /tmp/fai/crypttab, so this must be moved
somewhere else afterwards, just like the key files (not implemented).

>
> I hope this mail will be useful?
>

Yes, very very useful :-) There had been earlier interest in the crypto part,
but since it effective implementation there has not been any further interest so
far.

It would be really cool if you could test the code and report back. I guess it
has some bugs, but it really only a tiny bit of code in lib/Commands.pm, so
these should be easy to fix, and things should also not be too hard to extend as
needed.

Best,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
Url : http://lists.uni-koeln.de/pipermail/linux-fai-devel/attachments/20080729/f3bb467e/attachment.bin 


More information about the linux-fai-devel mailing list