Friday, November 23, 2012


Encrypting your partitions on RHEL after installation

 

Release:

RHEL 5
RHEL 6

Problem:
Encrypting your partitions on RHEL after installation
 
Solution:

LUKS:

With modern versions of cryptsetup (i.e., since ~2006), encrypted block devices can be created in two main formats, plain dm-crypt format or the extended LUKS (Linux Unified Key Setup-on-disk-format) format. LUKS provides a standard on-disk-format for hard disk encryption, which facilitates compatibility among Linux distributions and provides secure management of multiple user passwords. In contrast to previous Linux disk-encryption solutions, LUKS stores all necessary setup information in the partition header, enabling the user to more easily transport or migrate their data.

 

What LUKS does:

LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.

The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.

  • LUKS uses the existing device mapper kernel subsystem.
  • LUKS provides passphrase strengthening which protects against dictionary attacks.
  • LUKS devices contain multiple key slots, allowing users to add backup keys/passphrases.

What LUKS does not do:

  • LUKS is not well-suited for applications requiring many (more than eight) users to have distinct access keys to the same device.
  • LUKS is not suited for applications requiring file-level encryption.

In Red Hat Enterprise Linux, userspace interaction with dm-crypt is managed by a tool called cryptsetup, which uses the device-mapper infrastructure to set up and operate on encrypted block devices.

dm-crypt and cryptsetup:

 
Device-mapper is a part of the Linux kernel that provides a generic way to create virtual layers of block devices, most commonly LVM logical volumes. The device-mapper crypt target (dm-crypt) provides transparent encryption of block devices using the kernel crypto API (supporting ciphers and digest algorithms via standard kernel modules).

Packages required for LUKS in Red Hat Enterprise Linux 5 & 6:

The main package is called cryptsetup-luks and it depends on cryptsetup-luks-libs. Both packages are part of any default installation and are therefore available without extra effort. The partitioning and volume-management tools listed below can be installed as your setup requires.


Create the block devices if required:

Use any of the below methods to create the block device or partition:

fdisk/parted
pvcreate
lvcreate
mdadm


Initializing the device:

Fill the device with random data before formatting it. This strengthens the encryption, because old plaintext and unused space can no longer be told apart from the encrypted data. You may use either of the below methods to write the random data.

dd if=/dev/urandom of=<device>

The above method is slow but gives you high-quality random data. If you need a faster method, you may use the one below.

badblocks -c 10240 -s -w -t random -v <device>

Step by step demo on dm-crypt:

Create your new partition using fdisk:

 

[root@lvs1 ~]# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x0ff9997a.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): p

Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0ff9997a

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-2610, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +100M

Command (m for help): p

Disk /dev/sdb: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0ff9997a

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1          14      112423+  83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks

 
Fill the partition with random data:

[root@lvs1 ~]# dd if=/dev/urandom of=/dev/sdb1
dd: writing to `/dev/sdb1': No space left on device
224848+0 records in
224847+0 records out
115121664 bytes (115 MB) copied, 23.083 s, 5.0 MB/s

(The "No space left on device" message is expected: dd stops when it reaches the end of the partition.)

Partition initialization:

[root@lvs1 ~]# cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Check the status of the encryption:

On an encrypted device:

[root@lvs1 ~]# cryptsetup isLuks /dev/sdb1 && echo Success
Success

On a non-encrypted device:

[root@lvs1 ~]# cryptsetup isLuks /dev/sda1 && echo Success
Device /dev/sda1 is not a valid LUKS device.


Inspect and open your new encrypted device:

To get a summary of the LUKS header that luksFormat wrote (cipher, hash, key slots and UUID), use the below command:


[root@lvs1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
MK digest:      eb 60 b3 82 4a 41 74 c1 e0 0e e3 54 4d 4b 64 8e ee 31 a8 18
MK salt:        1b 3f a8 04 e1 76 78 de c2 da a8 10 86 5e 1e 80
                f1 c2 08 6f 92 99 a3 64 60 ba bb fa 71 3f 6a 19
MK iterations:  44000
UUID:           c09e9489-8c34-4694-947d-d2b24147fcac

Key Slot 0: ENABLED
        Iterations:             176424
        Salt:                   b3 35 b4 e9 d1 8e 63 f7 10 87 14 cb c7 66 7d b9
                                b9 b2 52 63 79 84 d4 0b 73 34 64 ef 7e 25 df 37
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Create a mapping for device access:

To access the decrypted contents of your device you go through the device mapper (dm). To create the mapping, i.e. /dev/mapper/<name>, that represents this device, use the below command:

[root@lvs1 ~]# cryptsetup luksOpen /dev/sdb1 secure
Enter passphrase for /dev/sdb1:

It asks for the passphrase you set in the luksFormat step. Enter it, then check that the device file was created under /dev/mapper:

[root@lvs1 ~]# ls -l /dev/mapper | grep secure
lrwxrwxrwx. 1 root root      7 Sep 19 06:43 secure -> ../dm-2

If you need more information about the mapping, use the below command:

[root@lvs1 ~]# dmsetup info /dev/mapper/secure
Name:              secure
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        0
Event number:      0
Major, minor:      253, 2
Number of targets: 1
UUID: CRYPT-LUKS1-c09e94898c344694947dd2b24147fcac-secure

 
Create filesystem:

To create the filesystem on the mapped device (never on /dev/sdb1 itself, which would destroy the LUKS header), use the below command:

[root@lvs1 ~]# mkfs.ext3 /dev/mapper/secure
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
27664 inodes, 110372 blocks
5518 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
14 block groups
8192 blocks per group, 8192 fragments per group
1976 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

 

Editing the /etc/crypttab:

 

The /etc/crypttab file describes encrypted block devices that are set up during system boot.

 

Empty lines and lines starting with the # character are ignored. Each of the remaining lines describes one encrypted block device; fields on the line are delimited by white space. The first two fields are mandatory, the remaining two are optional.

 

The first field contains the name of the resulting encrypted block device; the device is set up at /dev/mapper/name. The second field contains a path to the underlying block device. If the block device contains a LUKS signature, it is opened as a LUKS encrypted partition; otherwise it is assumed to be a raw dm-crypt partition.

The third field specifies the encryption password. If the field is not present or the password is set to none, the password has to be manually entered during system boot. Otherwise the field is interpreted as a path to a file containing the encryption password. For swap encryption /dev/urandom can be used as the password file; using /dev/random may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key.

 

In order for the system to set up a mapping for the device, an entry must be present in the /etc/crypttab file. If the file doesn't exist, create it, change the owner and group to root (root:root) and change the mode to 0744. Add a line to the file with the following format:

 

<name>  <device>  <none, or /path/to/key-file>

 

In our case we add the below line; the UUID is the one reported by luksDump, and the missing third field means the passphrase will be requested at boot:

[root@lvs1 ~]# vi /etc/crypttab
secure      UUID=c09e9489-8c34-4694-947d-d2b24147fcac

 

Note: You may use the blkid command to get the UUID of the device, e.g. blkid /dev/sdb1.
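The format described above is simple enough to check mechanically before a reboot, which is where a typo in /etc/crypttab hurts most. The following POSIX shell function is an added example, not part of the original post or of any Red Hat tool: it reads crypttab text on standard input, applies the rules above (two mandatory fields, a third field that is either none or an absolute path to a key file) and flags /dev/random as a key source because of the boot-blocking risk the text mentions. The sample_crypttab function provides constructed lines, including the entry from this guide, so it runs offline; on a real system use check_crypttab < /etc/crypttab.

```shell
#!/bin/sh
# Added example: validate crypttab lines of the form
#   <name> <device> [<password>] [<options>]
# Reads the file on stdin, prints one finding per entry, returns 1 if any
# entry is malformed.
check_crypttab() {
    rc=0
    lineno=0
    set -f   # no pathname expansion while we split fields with `set --`
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;          # blank lines and comments are ignored
        esac
        set -- $line                     # fields are now $1 .. $4
        if [ $# -lt 2 ]; then
            echo "line $lineno: ERROR fewer than two fields"
            rc=1; continue
        fi
        name=$1; device=$2; password=${3:-none}
        case "$name" in
            */*) echo "line $lineno: ERROR name '$name' contains '/' (it becomes /dev/mapper/$name)"
                 rc=1; continue ;;
        esac
        case "$device" in
            UUID=*|/dev/*) ;;
            *) echo "line $lineno: ERROR device '$device' is neither a /dev path nor UUID=..."
               rc=1; continue ;;
        esac
        case "$password" in
            none)         echo "line $lineno: OK $name -> passphrase prompted at boot" ;;
            /dev/random)  echo "line $lineno: WARN $name keyed from /dev/random; boot may hang waiting for entropy" ;;
            /dev/urandom) echo "line $lineno: OK $name keyed from /dev/urandom (swap-style, contents lost at reboot)" ;;
            /*)           echo "line $lineno: OK $name uses key file $password" ;;
            *)            echo "line $lineno: ERROR password field '$password' must be none or an absolute path"
                          rc=1 ;;
        esac
    done
    set +f
    return $rc
}

# Constructed sample, not a real /etc/crypttab.
sample_crypttab() {
    cat <<'EOF'
# data partition from this guide: no key file, so a prompt at boot
secure   UUID=c09e9489-8c34-4694-947d-d2b24147fcac
swap     /dev/sdb2   /dev/urandom   swap
backup   /dev/sdb3   /etc/keys/backup.key
badswap  /dev/sdb4   /dev/random    swap
broken
EOF
}

# Demo run: prints four OK/WARN findings and one ERROR, exit status 1.
sample_crypttab | check_crypttab || echo "crypttab has errors (status $?)"
```

Each entry gets exactly one line of output, so the findings can be grepped for ERROR or WARN in a provisioning script; the function's exit status alone is enough to gate a reboot.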

 

Manually mounting the partition:

[root@lvs1 ~]# mkdir /secure
[root@lvs1 ~]# mount /dev/mapper/secure /secure/
[root@lvs1 ~]# mount
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sda1 on /boot type ext4 (rw)
/dev/mapper/secure on /secure type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

 

Giving an entry in the fstab:

Append the below entry to your existing /etc/fstab; the mapping name, mount point and filesystem type must match what you created above:

/dev/mapper/secure      /secure                 ext3    defaults        0 0

During boot the system will prompt for the passphrase of the encrypted device. Provide it to have the partition mounted at boot time. We are done with our encryption.
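To tie the steps above together, here is an added example script (hypothetical; not a Red Hat or cryptsetup tool) that performs the whole procedure for a data partition: preflight checks so that an already-mounted device or one that already carries a LUKS header is never reformatted, the random fill, luksFormat, luksOpen, filesystem creation, and finally the /etc/crypttab and /etc/fstab entries keyed by the LUKS UUID (read here with cryptsetup luksUUID instead of blkid). The entry-building helpers are separate functions so they can be checked without root. It assumes a root shell on RHEL with cryptsetup and mkfs available and defaults to ext3 as in the demo.

```shell
#!/bin/sh
# Added example: end-to-end LUKS setup for a data partition.
# usage: sh luks-setup.sh <device> <mapping-name> <mount-point> [<fstype>]
#   e.g. sh luks-setup.sh /dev/sdb1 secure /secure ext3
set -eu

# crypttab line: mapping name, LUKS UUID, no key file (passphrase prompt at boot)
crypttab_entry() {   # $1 = mapping name, $2 = LUKS UUID
    printf '%s\tUUID=%s\tnone\n' "$1" "$2"
}

# fstab line for the opened mapping
fstab_entry() {      # $1 = mapping name, $2 = mount point, $3 = filesystem type
    printf '/dev/mapper/%s\t%s\t%s\tdefaults\t0 0\n' "$1" "$2" "$3"
}

# true if some non-comment line of file $1 already has $2 as its first field
has_entry() {
    [ -f "$1" ] && awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1"
}

# refuse to touch a device that is missing, mounted, already LUKS, or whose
# mapping name is already taken
preflight() {        # $1 = device, $2 = mapping name
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    grep -q "^$1 " /proc/mounts && { echo "$1 is mounted" >&2; return 1; }
    cryptsetup isLuks "$1" 2>/dev/null && { echo "$1 already has a LUKS header; refusing to overwrite" >&2; return 1; }
    [ -e "/dev/mapper/$2" ] && { echo "mapping $2 already exists" >&2; return 1; }
    return 0
}

luks_setup() {       # $1 = device, $2 = mapping name, $3 = mount point, $4 = fstype (default ext3)
    dev=$1; name=$2; mnt=$3; fstype=${4:-ext3}
    preflight "$dev" "$name"
    # random fill: dd exits non-zero when it hits the end of the partition, which is expected
    dd if=/dev/urandom of="$dev" bs=1M 2>/dev/null || true
    cryptsetup --verbose --verify-passphrase luksFormat "$dev"   # asks for YES and the passphrase
    cryptsetup luksOpen "$dev" "$name"                             # asks for the passphrase again
    mkfs -t "$fstype" "/dev/mapper/$name"                          # filesystem goes on the mapping, never on $dev
    uuid=$(cryptsetup luksUUID "$dev")
    # create /etc/crypttab with the ownership and mode the guide above specifies
    [ -e /etc/crypttab ] || { : > /etc/crypttab; chown root:root /etc/crypttab; chmod 0744 /etc/crypttab; }
    has_entry /etc/crypttab "$name" || crypttab_entry "$name" "$uuid" >> /etc/crypttab
    has_entry /etc/fstab "/dev/mapper/$name" || fstab_entry "$name" "$mnt" "$fstype" >> /etc/fstab
    mkdir -p "$mnt"
    mount "$mnt"     # mounts via the fstab entry, proving it is correct before the next boot
    echo "$dev is now LUKS volume $uuid, mapped as /dev/mapper/$name on $mnt"
}

# only run the procedure when invoked with arguments; the helpers stay usable on their own
if [ $# -ge 3 ]; then
    luks_setup "$@"
fi
```

Because the final mount goes through the fstab entry rather than the raw mapping, a wrong mount point or filesystem type fails here, on the console, rather than at the next boot.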

 

***********************
