magic storage and crypto.
william Famy
william.famy at laposte.net
Wed Jul 30 00:06:34 CEST 2008
Michael Tautschnig wrote:
> Hi William, hi all,
>
>> I am looking for a nice solution to create encrypted partitions with FAI.
>>
>> I first tested how to create an encrypted computer and it is not very hard. I
>> think it will not be too hard to implement inside magic storage.
>>
> Well, it is already there :-) Ok, to be honest, there is some implementation --
> but it is untested. FAI 3.2.8 has all the necessary bits to do it.
_____________________________________
[wf:]
great.
I will start a new FAI server install tomorrow. It will be a nice test
for the 3.2.8 version.
>
>> 1) Dependencies for crypto.
>>
>> * we have to use dm-crypt; we just have to load the module on the
>> FAI client.
>> * we need cryptsetup and the LUKS addon; just install it under the FAI nfsroot.
>>
> fai-client suggests cryptsetup, so yes, you just need to install it.
________________________________________
[wf:]
sure.
>
>> 2) How to encrypt.
snip...
>
> Most of those steps are done in /usr/lib/fai/setup-storage/Commands.pm, function
> encrypt_device, some of them are missing in my implementation (I don't dump
> random data and I don't do the luksClose, because I had no idea about that...).
>
> William, are you ok with perl? Most likely the implementation is somewhat buggy,
> but I currently don't find the time to test it, so bug reports (and even better
> bug fixes :-) ) are very welcome... :-)
___________________________________________
[wf:]
I am not a perl addict at all. I prefer python, but no problem at all.
>
>> 4) Goodies.
>> LUKS allows 8 key slots and it will be possible to add slots easily.
>> cryptsetup luksAddKey device new_key old_key
>>
> Hmm, what exactly is the purpose of these "slots"?
_______________________________________
[wf:]
You can set up to 8 slots, each with a different crypto key. So you can create
a key for the company, stored at the bank :-), one for the CEO, one for
each branch of the company and one for each person in the company.
So if you have a key you can decrypt the data. You can remove any slot
without any password; you just have to confirm that you agree to removing the key.
It is useful, for example, when you have someone who leaves the company.
You can also get the data back and change the crypto key for the new
employee.
>
>> 5) Restrictions.
>> /boot must not be encrypted.
>> It could even be on a USB stick.
>> Swap will be encrypted with the same method.
>> We could put /boot inside the encrypted swap using the offset mount option.
>>
> Ok, the current implementation doesn't check for these.
_________________________________________
[wf:]
No problem, we just have to say so in the disk-setup.
>> 6) Question.
>>
>> Is anyone interested in patching magic storage?
>> I volunteer to test and debug the software. I have to create a script to
>> encrypt some computers.
>>
> So please just go ahead and test :-)
______________________________
[wf:]
I will test as soon as I have installed the new server. IMHO in 1 or 2 days.
>
>> 7) Magic storage proposal:
>>
> [...]
>
> Ok, sorry, I already did a somewhat more limited implementation: One may start
> from a line like
>
> primary /secret 12000 ext3 rw
>
> and replace it by
>
> primary /secret:encrypt 12000 ext3 rw
>
> and that's it! If this partition happens to be put on, say, /dev/sda3, you will
> get the key in /tmp/fai/crypt_dev_sda3 (it is generated randomly). The
> appropriate crypttab will end up in /tmp/fai/crypttab, so this must be moved
> somewhere else afterwards, just like the key files (not implemented).
_________________________________
[wf:]
I will look.
>
>> I hope this mail will be useful.
>>
>
> Yes, very very useful :-) There had been earlier interest in the crypto part,
> but since its effective implementation there has not been any further interest so
> far.
>
> It would be really cool if you could test the code and report back. I guess it
> has some bugs, but it is really only a tiny bit of code in lib/Commands.pm, so
> these should be easy to fix, and things should also not be too hard to extend as
> needed.
________________________________
[wf:]
I need a non-buggy automatic crypto installer, so I will test it.
I will do my best with the perl script. I will send back something functional (maybe
a small bash script).
If you are looking for someone interested in crypto FAI, I am your guy :-)
>
> Best,
> Michael
>
_______________________________
[wf:]
Regards
William
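The per-device steps discussed in this thread (random fill before luksFormat, a second LUKS key slot, luksClose after making the filesystem, and moving the key file and crypttab out of /tmp/fai into the target), as an added shell example that is not part of the original mail or of FAI's setup-storage. The /tmp/fai/crypt_dev_sda3 and /tmp/fai/crypttab paths are the ones Michael names; the function names, the /etc/keys directory on the target and the second "escrow" key are assumptions for illustration. With DRY_RUN=1 the script only prints the commands it would run, so the flow can be checked without cryptsetup, root or a real disk.

```shell
#!/bin/sh
# Added example, not FAI's or the thread participants' code: the per-device
# steps the thread says setup-storage's encrypt_device does not yet do.
# /tmp/fai/crypt_dev_sda3 and /tmp/fai/crypttab come from Michael's mail;
# the function names, /etc/keys on the target and the escrow key are assumptions.

# DRY_RUN=1 prints each command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mapping name for a block device: /dev/sda3 -> crypt_dev_sda3
crypt_name() {
    printf '%s\n' "$1" | sed 's|^/||; s|/|_|g; s|^|crypt_|'
}

# crypttab line for DEVICE whose key lives at KEYPATH on the installed system.
crypttab_line() {   # crypttab_line DEVICE KEYPATH
    printf '%s %s %s luks\n' "$(crypt_name "$1")" "$1" "$2"
}

# Full sequence for one ":encrypt" partition. ESCROW_KEY is an existing key
# file (e.g. the company's) that gets its own LUKS slot next to the random key.
encrypt_device() {  # encrypt_device DEVICE ESCROW_KEY
    dev=$1; escrow=$2
    name=$(crypt_name "$dev")
    key=/tmp/fai/$name                 # where Michael's code writes the key
    # 1. random fill so used and unused blocks are indistinguishable;
    #    dd exits 1 once the device is full, which is expected here
    run dd if=/dev/urandom of="$dev" bs=1M || true
    # 2. generate the slot-0 key; --batch-mode skips the "Are you sure?" prompt
    run dd if=/dev/urandom of="$key" bs=32 count=1
    run cryptsetup --batch-mode luksFormat "$dev" "$key"
    # 3. second slot: the new key file is the last argument, the existing
    #    key is passed with --key-file
    run cryptsetup luksAddKey --key-file "$key" "$dev" "$escrow"
    # 4. open, make the filesystem, close again (the luksClose that was missing)
    run cryptsetup luksOpen --key-file "$key" "$dev" "$name"
    run mkfs.ext3 "/dev/mapper/$name"
    run cryptsetup luksClose "$name"
    # 5. the crypttab entry the installed system will need
    crypttab_line "$dev" "/etc/keys/$name"
}

# Wipe one slot without knowing its key: holders of the remaining slots can
# still open the device (the "employee leaves" case). --batch-mode is what
# lets cryptsetup do this without asking for another passphrase.
revoke_slot() {     # revoke_slot DEVICE SLOT
    run cryptsetup --batch-mode luksKillSlot "$1" "$2"
}

# Move the key file and crypttab into the target (not done by setup-storage
# yet, per the mail). The key stays 0400: anyone who can read it can open the
# partition, so this only helps if the root filesystem is itself protected or
# the slot is later replaced by a passphrase.
install_secrets() { # install_secrets TARGET DEVICE
    name=$(crypt_name "$2")
    run install -d -m 0700 "$1/etc/keys"
    run install -m 0400 "/tmp/fai/$name" "$1/etc/keys/$name"
    run sh -c "cat /tmp/fai/crypttab >> '$1/etc/crypttab'"
}

# Usage (dry run): DRY_RUN=1 sh thisfile.sh
# . ./thisfile.sh; encrypt_device /dev/sda3 /tmp/fai/escrow.key
```

Running it with DRY_RUN=1 against /dev/sda3 prints the four cryptsetup invocations in order and ends with the line `crypt_dev_sda3 /dev/sda3 /etc/keys/crypt_dev_sda3 luks`, which is what an install hook would append to the target's crypttab.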
More information about the linux-fai-devel
mailing list