So I'm following this guide to install https://bbs.archlinux.org/viewtopic.php?id=120243
Instead of storing the encrypted keys on a USB drive, I have chosen to store them on an SD card. The problem is that LUKS can't decrypt the key: "No key available with this passphrase."
These are the steps I have done:
Partitioning
/dev/sda1 as /boot -- As far as I know, I don't have a BIOS option to recognize and boot from SD, only USB, so I created a boot partition on my hard drive and installed GRUB on the hard drive.
/dev/sda2 as /root
/dev/sda3 as /swap
/dev/sdb1
Created an ext2 filesystem on /dev/sdb1
Create the root key on /dev/sdb1
dd if=/dev/urandom bs=512 count=4 | openssl aes256 -out root.key
Create encrypted swap and root
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda3
openssl aes256 -d -in root.key 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda2
Open encrypted devices
Format /boot; /dev/mapper/root -- ext4; /dev/mapper/swap -- swap
Select ext2 filesystem for /dev/sdb1 and set /sd as mountpoint
Select grub as boot loader. Select the base group. Add mkinitcpio.
Step 7 Configure System
Now I opened another terminal and created /mnt/lib/initcpio/hooks/ssldec and /mnt/lib/initcpio/install/ssldec
/mnt/lib/initcpio/hooks/ssldec
# vim: set ft=sh:
run_hook ()
{
    local encfile decfile attempts prompt badpassword poweroffmsg dev arg1 arg2 retcode password
    # Only acts when the kernel command line carries ssldec=...; mkinitcpio exports
    # each key=value word as a shell variable, so cryptkey= alone leaves ${ssldec} empty.
    if [ "x${ssldec}" != "x" ]; then
        encfile="/enc_keyfile.bin"
        decfile="/crypto_keyfile.bin"   # default keyfile path the 'encrypt' hook looks for
        attempts="3"
        prompt="Enter password: "
        badpassword="Password incorrect"
        poweroffmsg="Try again later. Power off."
        dev="$(echo "${ssldec}" | cut -d: -f1)"
        arg1="$(echo "${ssldec}" | cut -d: -f2)"
        arg2="$(echo "${ssldec}" | cut -d: -f3)"
        if poll_device "${dev}" "${rootdelay}"; then
            case "${arg1}" in
                *[!0-9]*)
                    # arg1 is not a number: treat it as a filesystem type and arg2 as a path on it
                    mkdir /mntkey
                    mount -r -t "${arg1}" "${dev}" /mntkey
                    dd if="/mntkey/${arg2}" of="${encfile}" >/dev/null 2>&1
                    umount /mntkey
                    rm -rf /mntkey
                    ;;
                *)
                    # arg1 is a number: read arg2 bytes starting at byte offset arg1 of the raw device
                    dd if="${dev}" of="${encfile}" bs=1 skip="${arg1}" count="${arg2}" >/dev/null 2>&1
                    ;;
            esac
        fi
        if [ -f "${encfile}" ]; then
            while true; do
                read -rsp "${prompt}" password
                openssl aes256 -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}" >/dev/null 2>&1
                retcode="$?"
                if [ "${retcode}" != "0" ]; then
                    sleep 2
                    attempts=$(( ${attempts} - 1 ))
                    [ "${attempts}" = "0" ] && echo -e "\n${poweroffmsg}" && poweroff -f
                    echo -e "\n${badpassword}\n"
                else
                    break
                fi
            done
            rm -f "${encfile}"
        else
            echo "Encrypted keyfile could not be opened. Reverting to 'encrypt' hook."
        fi
    fi
}
/mnt/lib/initcpio/install/ssldec
# vim: set ft=sh:
build ()
{
    MODULES=""
    FILES=""
    SCRIPT="ssldec"
    add_binary "/usr/bin/openssl"
}
help ()
{
    cat<<HELPEOF
This hook allows for an openssl (aes-256-cbc) encrypted keyfile for LUKS.
It relies on standard 'encrypt' hook providing decrypted '/crypto_keyfile.bin' for it.
The number of password input attempts is hard-coded (3 by default followed by poweroff).
Kernel Parameters:
Two options are supported:
1) Using a file on the device:
   ssldec=<device>:<fs-type>:<path>
2) Reading raw data from the block device:
   ssldec=<device>:<offset>:<size>
HELPEOF
}
Launched mkinitcpio
Edited hooks -- added, before filesystems, first encrypt and then ssldec
Installed bootloader to /dev/sda
kernel /vmlinuz-linux root=/dev/mapper/root cryptdevice=/dev/sda2:root cryptkey=/dev/sdb1:ext2:/root.key
Edited /mnt/etc/crypttab
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
Rebooted, and it doesn't boot.
It seems to look at /dev/sdb1 and then "No key available with this passphrase."
Hi.
I'm trying to implement something based on your method but also using LVM.
Could you please elaborate on "Open encrypted devices"? I gather it's something similar to cryptsetup luksOpen etc.
I am already failing at this point with "No key available with this passphrase", let alone making it to adding hooks and rebooting.
When I read your kernel line above I wonder if you have to add a kernel parameter for ssldec along with the encrypt one?
(see the "man mkinitcpio -H ssldec" info in the hook posted by you above).
When I read your kernel line above I wonder if you have to add a kernel parameter for ssldec along with the encrypt one?
(see the "man mkinitcpio -H ssldec" info in the hook posted by you above).
Hi,
First of all, thanks for your reply.
But I don't think it's the problem. This is what I found: "Put 'ssldec' hook in your "/etc/mkinitcpio.conf" before 'encrypt' and after 'usb'"
If you have any other suggestions, please let me know
But I don't think it's the problem. This is what I found: "Put 'ssldec' hook in your "/etc/mkinitcpio.conf" before 'encrypt' and after 'usb'"
If you have any other suggestions, please let me know
What's the "ssldec=<device>:<fs-type>:<path>" kernel parameter for then, that is supposed to pass the key through to encrypt hook? Did you use that parameter somewhere?
The observation provided by Strike0 appears to be valid, as indicated by the ssldec help information. The hooks/ssldec script does not make use of a cryptkey variable, instead using an ssldec variable. I could be missing something, but it seems to me, that first if statement blocks any further action unless the ssldec variable exists and isn't empty.
Obviously, there could be more problems, but I'm fairly certain an ssldec kernel parameter is a requirement for this hook.
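The replies above come down to two things the posted hook does: it only runs when the ssldec= kernel parameter is present (cryptkey= never populates ${ssldec}), and it decides between the <device>:<fs-type>:<path> and <device>:<offset>:<size> forms by testing whether the second field is a number. The following stand-alone script is an added example written for this edit, not code from the thread or from the hook's author; the function names parse_ssldec, ssldec_from_cmdline and keyfile_roundtrip are my own, and the third function needs openssl and cmp on the host. It re-implements those two decisions outside an initramfs, rejects a malformed value instead of letting dd run with an empty skip=, and round-trips a key file through "openssl enc" the way the thread's "openssl aes256" does. One caveat the thread does not mention: "openssl enc" derives the key from the passphrase with a digest whose default changed from MD5 to SHA-256 in OpenSSL 1.1.0, so a key file encrypted on one version may fail to decrypt on an initramfs carrying another unless -md is pinned explicitly (on 1.1.1 or later, -pbkdf2 is the better choice).

```shell
#!/bin/sh
# Added example (not from the thread): the ssldec hook's two decisions, runnable on any host.

# Print the value of ssldec= from a kernel command line, or fail if it is absent.
# mkinitcpio exports every key=value word as a shell variable, so the hook's
# test on ${ssldec} is false when only cryptdevice= and cryptkey= are given.
ssldec_from_cmdline() {
    for word in $1; do
        case $word in
            ssldec=*) printf '%s\n' "${word#ssldec=}"; return 0 ;;
        esac
    done
    return 1
}

# Classify an ssldec value exactly as the hook's case statement does:
#   <device>:<fs-type>:<path>  -> "file <device> <fs-type> <path>"
#   <device>:<offset>:<size>   -> "raw <device> <offset> <size>"
# Unlike the hook, a value with fewer than three fields is reported as
# "malformed" (cut -f2 would otherwise echo the whole string back).
parse_ssldec() {
    val=$1
    [ -n "$val" ] || { echo unset; return 1; }
    case $val in
        *:*:*) ;;
        *) echo malformed; return 1 ;;
    esac
    dev=$(printf '%s' "$val" | cut -d: -f1)
    arg1=$(printf '%s' "$val" | cut -d: -f2)
    arg2=$(printf '%s' "$val" | cut -d: -f3)
    if [ -z "$dev" ] || [ -z "$arg1" ] || [ -z "$arg2" ]; then
        echo malformed; return 1
    fi
    case $arg1 in
        *[!0-9]*) printf 'file %s %s %s\n' "$dev" "$arg1" "$arg2" ;;
        *)        printf 'raw %s %s %s\n'  "$dev" "$arg1" "$arg2" ;;
    esac
}

# Generate a 2048-byte key (same dd the thread uses), encrypt it with $1,
# decrypt it with $2, and print "ok" only if the plaintext is reproduced.
# -md sha256 pins the passphrase-to-key digest so the file decrypts the same
# way on every OpenSSL version (the default flipped from MD5 to SHA-256 in 1.1.0).
keyfile_roundtrip() {
    enc_pass=$1
    dec_pass=$2
    dir=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$dir/root.key" bs=512 count=4 2>/dev/null
    status=1
    if openssl enc -aes-256-cbc -md sha256 -pass "pass:$enc_pass" \
            -in "$dir/root.key" -out "$dir/root.key.enc" 2>/dev/null \
       && openssl enc -d -aes-256-cbc -md sha256 -pass "pass:$dec_pass" \
            -in "$dir/root.key.enc" -out "$dir/root.key.dec" 2>/dev/null \
       && cmp -s "$dir/root.key" "$dir/root.key.dec"; then
        echo ok
        status=0
    fi
    rm -rf "$dir"
    return $status
}

# Usage: the original kernel line from the thread vs. the corrected one.
parse_ssldec "$(ssldec_from_cmdline 'root=/dev/mapper/root cryptdevice=/dev/sda2:root cryptkey=/dev/sdb1:ext2:/root.key')"
parse_ssldec "$(ssldec_from_cmdline 'root=/dev/mapper/root cryptdevice=/dev/sda2:root ssldec=/dev/sdb1:ext2:/root.key')"
```

The first usage line prints "unset", which is the state the hook was in on the original kernel line; the second prints "file /dev/sdb1 ext2 /root.key". A wrong passphrase makes keyfile_roundtrip fail in either of two ways: openssl reports "bad decrypt" on a padding error, or (roughly one time in 256) the padding happens to validate and cmp catches the garbage.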
Pieter-Jan wrote: But I don't think it's the problem. This is what I found: "Put 'ssldec' hook in your "/etc/mkinitcpio.conf" before 'encrypt' and after 'usb'"
If you have any other suggestions, please let me know
What's the "ssldec=<device>:<fs-type>:<path>" kernel parameter for then, that is supposed to pass the key through to encrypt hook? Did you use that parameter somewhere?
You're right. After exams and a reinstallation, I looked at this again.
I have made a few changes: /dev/sdb1 is now a USB stick.
This is where /boot and the encrypted keys are stored.
Also, /dev/sda is an encrypted home partition now.
The kernel parameter changes to: kernel /vmlinuz-linux root=/dev/mapper/root cryptdevice=/dev/sda2:root ssldec=/dev/sdb1:ext2:/root.key
Hooks order: ..., usb, usbinput, ssldec, encrypt, filesystem, ...
The encryption of the root partition works at the moment.
Right now I'm searching for how to decrypt the /home partition with crypttab.
I found this, "Encrypted luks disk with a openssl-encrypted keyfile", on http://pwet.fr/man/linux/formats/crypttab but I don't fully understand the syntax right now.
Last edited by Pieter-Jan (2012-06-25 20:21:56)