
I'm using RHEL 6.5 and I want to encrypt some of my logical volumes (LVM). In order to not have to enter the passphrase multiple times, I want to store a keyfile in an encrypted LV.

Example:

/var/xxx will be encrypted and the passphrase will be asked during the boot.
/var/xxx/yyy will be encrypted and the keyfile will be under /var/xxx/keyfile (for more security).

This way the passphrase has to be entered only one time.

My crypttab:

LogVolXxx          /dev/vg/LogVolXxx         none
LogVolXxxYyy       /dev/vg/LogVolXxxYyy      /var/xxx/keyfile  luks

My fstab:

[...]
/dev/mapper/vg-LogVolAaa      /Aaa           ext4    noatime        1 2
/dev/mapper/LogVolXxx         /var/Xxx       ext4    noatime        1 2
/dev/mapper/LogVolXxxYyy      /var/Xxx/Yyy   ext4    noatime        1 2
[...]

A problem appears during the boot: the keyfile is not found. I suppose the system is trying to decrypt the device before mounting it.

How can I handle this?

Cristian Ciupitu
Bob Sauvage
  • You could use Debian/Ubuntu's `decrypt_derived` instead, which works without mounting. – frostschutz Aug 06 '14 at 10:51
  • Thanks @frostschutz, but how can I use this script with RHEL? – Bob Sauvage Aug 06 '14 at 11:26
  • I don't know RHEL well enough to answer that; but it's just a simple shellscript, essentially it does `dmsetup table --showkey logvolxx`. So it uses the master key of the already open (but not necessarily mounted) LUKS device as a passphrase for the others. The idea should be easy enough to adapt for other distros. If RHEL's crypttab allows the execution of scripts for keys... – frostschutz Aug 06 '14 at 11:58
  • Thanks again @frostschutz, but RHEL doesn't support the execution of scripts for unlocking encrypted devices... Damn it, looking at this script was a good idea... – Bob Sauvage Aug 06 '14 at 12:12
  • If you use `/dev/mapper/LogVolXxx` as a key, does it find that? In that case you could create a `LogVolKey` which is small (like `4M`), `cryptsetup luksFormat` that with your passphrase, and use it for all others: `cryptsetup luksAddKey /dev/vg/LogVolXxx /dev/mapper/LogVolKey`. – frostschutz Aug 06 '14 at 12:50
  • It works! Thanks again @frostschutz! Nevertheless, there is a warning message: "INSECURE MODE FOR /dev/mapper/LogVolKey". This message is displayed if the group is different from "root", and this is the case: the group is "disk"... Just for my own information, when triggering `cryptsetup luksAddKey /dev/vg/LogVolXxx /dev/mapper/LogVolKey`, what is the key in reality? The headers? – Bob Sauvage Aug 06 '14 at 14:39
  • Can you write it up in an answer? The key is random, or whatever you put on LogVolKey. There are no headers on /dev/mapper/... Can't help you with the insecure mode message; by default no users should be in the disk group either way, so nothing insecure about it – frostschutz Aug 06 '14 at 16:40

1 Answer


In the end, I've followed the advice of @frostschutz. I've used an encrypted LV as a key!

  1. lvcreate -L 4M -n LogVolKey vg
  2. cryptsetup luksFormat /dev/vg/LogVolKey (here we set the global passphrase)
  3. cryptsetup luksOpen /dev/vg/LogVolKey LogVolKeyDecrypted
  4. dd if=/dev/urandom of=/dev/mapper/LogVolKeyDecrypted
  5. cryptsetup luksFormat /dev/vg/LogVolXxx (here we set the same passphrase)
  6. cryptsetup luksAddKey /dev/vg/LogVolXxx /dev/mapper/LogVolKeyDecrypted
  7. cryptsetup luksOpen /dev/vg/LogVolXxx LogVolXxxDecrypted -d /dev/mapper/LogVolKeyDecrypted
  8. dd if=/dev/urandom of=/dev/mapper/LogVolXxxDecrypted
  9. mkfs.ext4 /dev/mapper/LogVolXxxDecrypted

Note: A warning message appears during the boot: INSECURE MODE FOR /dev/mapper/LogVolKey. This message is displayed if the group is different from "root", which is the case here: the group is "disk". By default no users should be in this group either way, so there is nothing insecure about it.

Note 2: A second message appears: "Warning: exhausting read requested, but key file is not a regular file, function might never return." Indeed, unlocking the devices takes some time, but not too much.

Bob Sauvage
  • Hmmm. It should take about one second per device you unlock. Maybe longer if there are several keyslots in use and yours is not the first slot. Although I'm not sure how well `cryptsetup` is able to handle keys that are in the megabyte range. Now, LVM won't let you create a smaller device (minimum PE size is usually `4MB`). But with `cryptsetup --align-payload` you can influence how much of an offset the LUKS metadata will be using, so you can have a `4MB` LV with an encrypted part that's actually just 512 bytes in size. – frostschutz Aug 07 '14 at 00:14
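The boot failure in the question (a key file on a filesystem that is itself mounted from an encrypted device) and the ordering the answer relies on (the key LV must be opened by an earlier crypttab line) can both be caught before rebooting. The following is an added example, not code from the question or the answer: a hypothetical `check_crypttab_keys` function that parses a crypttab and an fstab and flags key sources that are not available when crypttab is processed. The sample crypttab/fstab contents are constructed here, modelled on the question's layout and on the answer's device names.

```sh
#!/bin/sh
# Hypothetical checker (added example): report crypttab entries whose key is
# unavailable at the time crypttab is processed, i.e. a key file living on a
# filesystem that fstab mounts from a /dev/mapper device, or a key device that
# is only opened by a later crypttab line. Exit status 1 if anything is flagged.
check_crypttab_keys() {  # usage: check_crypttab_keys "$crypttab" "$fstab"
    printf '%s\n' "$1" | FSTAB="$2" awk '
    BEGIN {
        n = split(ENVIRON["FSTAB"], lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, /[ \t]+/)
            if (f[1] ~ /^\/dev\/mapper\//) mp[f[2]] = f[1]  # mount point -> device
        }
    }
    /^[ \t]*#/ || NF < 3 || $3 == "none" { seen[$1] = 1; next }
    $3 ~ /^\/dev\/mapper\// {                        # key is a mapped device
        name = substr($3, 13)                         # strip "/dev/mapper/"
        if (!(name in seen)) {
            printf "%s: key device %s is not opened by an earlier crypttab entry\n", $1, $3
            bad = 1
        }
        seen[$1] = 1; next
    }
    $3 !~ /^\/dev\// {                               # key is a path on a filesystem
        best = ""                                     # longest mount point containing the key
        for (m in mp)
            if (index($3, m "/") == 1 && length(m) > length(best)) best = m
        if (best != "") {
            printf "%s: key file %s is on %s (mounted from %s), which is not mounted yet\n", $1, $3, best, mp[best]
            bad = 1
        }
    }
    { seen[$1] = 1 }
    END { exit bad ? 1 : 0 }'
}

# Constructed samples: the question's layout, and the answer's key-LV layout.
CRYPTTAB_BROKEN='LogVolXxx     /dev/vg/LogVolXxx     none
LogVolXxxYyy  /dev/vg/LogVolXxxYyy  /var/xxx/keyfile  luks'
CRYPTTAB_FIXED='LogVolKeyDecrypted  /dev/vg/LogVolKey  none
LogVolXxxDecrypted  /dev/vg/LogVolXxx  /dev/mapper/LogVolKeyDecrypted  luks'
FSTAB='/dev/mapper/LogVolXxx     /var/xxx      ext4  noatime  1 2
/dev/mapper/LogVolXxxYyy  /var/xxx/yyy  ext4  noatime  1 2'

check_crypttab_keys "$CRYPTTAB_BROKEN" "$FSTAB" || echo "crypttab needs fixing"
check_crypttab_keys "$CRYPTTAB_FIXED"  "$FSTAB" && echo "crypttab ok"
```

Run it against the real files with `check_crypttab_keys "$(cat /etc/crypttab)" "$(cat /etc/fstab)"`; a key referenced as a `/dev/...` block device that is not under `/dev/mapper/` is assumed to exist without any unlocking and is not flagged.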