2

For one of my apps I need to enable FIPS for OpenSSL, while simultaneously using software disk encryption.

VM #1

I launched a CentOS VM instance which was software encrypted during install. The system booted fine (after entering the boot decryption password).

Next, I went through the steps to enable FIPS-OpenSSL and rebooted. The system would not accept my boot decryption password (which was purposely easy to type).

VM #2

I set up a second VM with an otherwise identical OS/config without software encryption. I enabled FIPS using the steps above, rebooted, and everything works fine with no problems rebooting.

VM #3

I spun up a third CentOS VM instance, also opting not to use system encryption during installation. After install and basic configuration, I encrypted a test volume using luks, then rebooted. I'm prompted for the password and the system then boots normally.

Next, I enabled FIPS-OpenSSL, rebooted - and get a plethora of errors where I'd usually see the boot password, and the system does not boot.

I booted this VM into single user mode, pulled fips=1 from the kernel line and rebooted. The boot password was accepted this time.

...

Why is enabling FIPS for OpenSSL causing the boot passwords to fail?

a coder
  • 3,184
  • 9
  • 42
  • 63
  • 1
    Which version of CentOS? My guess is that your LUKS install used a non-FIPS approved algorithm. Run `sudo cryptsetup status /dev/mapper/` and check the cipher and keysize conform with the FIPS standard. – garethTheRed Sep 01 '15 at 07:09

1 Answers1

2

The problem was that I encrypted the volumes before enabling FIPS. As garethTheRed alluded to in a comment, LUKS used a non FIPS approved algorithm, so when FIPS was enabled things went bonkers.

The solution is to

  1. Enable FIPS
  2. Encrypt volumes

In that order.

This guide was also useful in solving the problem. It is lengthy with extra explanation so I won't copy paste the full thing here. Here's the jist:

A. ENABLE FIPS

  1. Check if FIPS is enabled using one of two methods: 

    cat /proc/sys/crypto/fips_enabled
0 = not enabled
1 = enabled

openssl md5 /any/file
valid hash = not enabled
"Error setting digest md5" = enabled (likely)

  2. Check if you have prelinking turned on. 

    vi /etc/sysconfig/prelink

Change
PRELINKING=yes
to
PRELINKING=no

  3. Undo all current prelinking

    [root@centos64]# prelink -ua

  4. Install dracut-fips

    [root@centos64]# yum install dracut-fips

  5. Rebuild your initramfs

    [root@centos64]# dracut -f

  6. Find device path of /boot

    [root@centos64]# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda2         487652 115447    346605  25% /boot

  7. cp /etc/grub.conf /etc/grub.bak

  8. Edit /etc/grub.conf

    Add in the "fips=1" and "boot=/dev/***" lines to the kernel command line 

Example: 
kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_centos6464bittempl-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_LVM_LV=vg_centos6464bittempl/lv_swap rd_LVM_LV=vg_centos6464bittempl/lv_root rd_NO_MD crashkernel=auto SYSFONT=latarcyrheb-sun16 rd_NO_DM rhgb quiet fips=1 boot=/dev/sda2

  9. Reboot

  10. Check if FIPS is enabled (See Step 1 above).

B. ENCRYPT VOLUME

  1. Are you sure FIPS is enabled? If not, do not proceed - go back to ENABLE FIPS and make sure that part is working before continuing...

  2. Get the device path of the logical volume you wish to encrypt. In my example, this is /dev/mapper/vg_mybox-LogVol03

  3. BACK UP ALL DATA ON THIS VOLUME. It will be DESTROYED.

  4. umount volume.

    In my case, umount /db_fips

  5. shred -v -n1 /dev/mapper/vg_mybox-LogVol03

  6. Encrypt volume and set passphrase

    cryptsetup -v --verify-passphrase luksFormat /dev/mapper/vg_mybox-LogVol03

    NOTE: a RHEL minimal install may not include cryptsetup by default. Just yum install cryptsetup to get what you need. CentOS 6.7's minimal package set includes cryptsetup.

  7. Open the device and alias it to “somename” of your choice (in this case, "db_fips")

    cryptsetup luksOpen /dev/mapper/vg_mybox-LogVol03 db_fips

  8. Verify mapper has the path

    [root@centos64]# ls /dev/mapper/db_fips

At this point, treat /dev/mapper/db_fips as you would any ordinary filesystem or device

  9. Create filesystem as you normally would

    [root@centos64]# mkfs -t ext4 /dev/mapper/db_fips

  10. Mount it and verify it

    [root@centos64]# mount /dev/mapper/db_fips /db_fips
[root@centos64]# date >> /db_fips/today.txt

  11. ¡¡¡IMPORTANT!!!: Comment out the existing /etc/fstab entry for the target volume, lest you have headaches on reboot. :-)

    vi /etc/fstab

    # /dev/mapper/vg_mybox-LogVol03 /some/path ext4 defaults 1,2

  12. Reboot to ensure the steps above are working.

  13. get UUID of encrypted volume

    blkid

    /dev/mapper/vg_mybox-LogVol03: UUID="2e52ffee-7a02-4c91-b6bf-223b05f90ded" TYPE="crypto_LUKS"

  14. Add encrypted volume to /etc/crypttab - so it can be decrypted on boot. You can specify a passfile here, but it is not recommended. Install DRAC in the server if it is to be remotely administered (so you can enter the pass phrase during boot). crypttab man page

    [root@centos64]# vi /etc/crypttab

db_fips UUID="2e52ffee-7a02-4c91-b6bf-223b05f90ded"

  15. Reboot to test.

Community
  • 1
a coder
  • 3,184
  • 9
  • 42
  • 63