#26 2013-01-13 02:07:58

Deth
Member
Registered: 2012-10-18
Posts: 5

Re: System encryption using LUKS and GPG encrypted keys for arch linux

fabriceb, you have a mistake in the 9th and 10th entries: there should be "--key-file=-", not "–key-file=-"

Also, your hooks don't work for me (do they work for you if you just copy them from the 1st post?), so I modified them a bit:
https://pastee.org/ma3pg - hooks/etwo
https://pastee.org/cwgbf - install/etwo

Then I think it's worth trying to use a detached header (so the main device is just random data, no header)
https://code.google.com/p/cryptsetup/wiki/Cryptsetup140
https://bbs.archlinux.org/viewtopic.php?id=138163

I'll try to add that functionality in the near future, so if you are already familiar with it, you are welcome to advise.

Offline

#27 2013-01-13 15:16:25

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Deth wrote:

fabriceb, you have a mistake in the 9th and 10th entries: there should be "--key-file=-", not "–key-file=-"

I'm sorry but I can't find the mistake.

Also, your hooks don't work for me (do they work for you if you just copy them from the 1st post?), so I modified them a bit:
https://pastee.org/ma3pg - hooks/etwo
https://pastee.org/cwgbf - install/etwo

Thanks, I've updated the original post.

Then I think it's worth trying to use a detached header (so the main device is just random data, no header)
https://code.google.com/p/cryptsetup/wiki/Cryptsetup140
https://bbs.archlinux.org/viewtopic.php?id=138163

I'll try to add that functionality in the near future, so if you are already familiar with it, you are welcome to advise.

Cool, that would be interesting. I didn't know about that feature.

Offline

#28 2013-01-13 16:11:10

olaf.the.lost.viking
Member
Registered: 2011-07-19
Posts: 21

Re: System encryption using LUKS and GPG encrypted keys for arch linux

fabriceb wrote:

Cool, that would be interesting. I didn't know about that feature.

Indeed! Having this header on the external USB-device sounds like a great idea. Is it really possible to mimic an ext4-fs on it? Or will it simply be an "unformatted", empty partition?

If the header would also be openssl-encrypted that would be nice. If reusing the password of the keyfile is too hard, the keyfile and the header could be put into a simple cpio/tar/... archive that is encrypted with openssl.


I switched to OlafLostViking to match the IRC alias.

Offline

#29 2013-01-14 17:31:24

Deth
Member
Registered: 2012-10-18
Posts: 5

Re: System encryption using LUKS and GPG encrypted keys for arch linux

fabriceb wrote:
Deth wrote:

fabriceb, you have a mistake in the 9th and 10th entries: there should be "--key-file=-", not "–key-file=-"

I'm sorry but I can't find the mistake.

Here
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v –key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3

And similar. There must be 2 preceding en dashes, you have only one in "key-file" parameter.

Offline

#30 2013-01-14 18:13:21

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Here
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v –key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3

Right. Fixed.

Offline

#31 2013-01-18 05:04:05

solar
Member
Registered: 2011-03-01
Posts: 77

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Deth wrote:
fabriceb wrote:
Deth wrote:

fabriceb, you have a mistake in the 9th and 10th entries: there should be "--key-file=-", not "–key-file=-"

I'm sorry but I can't find the mistake.

Here
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v –key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3

And similar. There must be 2 preceding en dashes, you have only one in "key-file" parameter.

Actually, being a bit dim as you are Deth... he does specify two hyphens, easily compared when looking at -v before --keyfile.

What you should have posted is:

Note to other users.. sometimes formatting can make the two hyphens seem as one when copying and pasting.

This is not always unusual when copying "" say from sites, etc.


I am hilariously insane. yup. you won't notice though.. I promise...I think.

Offline

#32 2013-01-18 17:18:02

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Solar, he was right, I fixed it in the original post.

Offline
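
An added example, not part of any post above: a small check for the copy-and-paste problem discussed in #26 to #32, where a typographic dash stands in for the two ASCII hyphens of an option. The function name `scan_dashes` is hypothetical; the first sample is the command as quoted in #29, the second is its corrected form.

```shell
#!/bin/sh
# scan_dashes reads text on stdin, prints "LINE:NAME" for every Unicode dash
# look-alike it finds, and returns 1 if there was any, 0 if the text is clean.
scan_dashes() {
    n=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # name:octal UTF-8 bytes; printf keeps the table itself pure ASCII
        for spec in 'HYPHEN U+2010:\342\200\220' \
                    'NON-BREAKING HYPHEN U+2011:\342\200\221' \
                    'EN DASH U+2013:\342\200\223' \
                    'EM DASH U+2014:\342\200\224' \
                    'MINUS SIGN U+2212:\342\210\222'; do
            ch=$(printf "${spec#*:}")
            case $line in
                *"$ch"*) echo "$n:${spec%%:*}"; found=1 ;;
            esac
        done
    done
    return "$found"
}

# Sample input: the command quoted in post #29 (en dash included) and the fix.
bad='gpg -q -d root.gpg 2>/dev/null | cryptsetup -v –key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3'
good='gpg -q -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3'

printf '%s\n' "$bad"  | scan_dashes || echo "pasted command contains a non-ASCII dash"
printf '%s\n' "$good" | scan_dashes && echo "corrected command is clean"
```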

#33 2013-01-21 05:01:28

airbus001
Member
Registered: 2011-09-29
Posts: 17

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Hello,

I have a LUKS-encrypted LVM partition that contains all of my partitions except for a separate boot partition, and I am now unable to decrypt my root partition on boot. I am using the ssldec hook. Here are my current important files, which I modified by chroot-ing in:
/etc/mkinitcpio.conf

MODULES: "vfat hid_generic usbhid ext4"
HOOKS: "base udev autodetect block usbinput ssldec encrypt lvm2 resume filesystem fsck"

/etc/default/grub:

GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
#GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet add_efi_memmap"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root root=/dev/mapper/lvm-root ro ssldec=/dev/disk/by-uuid/XXXX-XXXX:vfat:/keyfile resume=/dev/mapper/lvm-swap"

/lib/initcpio/install/ssldec:

build ()
{
    add_binary /usr/bin/openssl
    add_runscript
}

help ()
{
cat<<HELPEOF
  This hook allows for an openssl (aes-256-cbc) encrypted keyfile for LUKS.
  It relies on standard 'encrypt' hook providing decrypted '/crypto_keyfile.bin' for it.
  The number of password input attempts is hard-coded (3 by default followed by poweroff).

  Kernel Parameters:
  Two options are supported:
  1) Using a file on the device:
     ssldec=<device>:<fs-type>:<path>
  2) Reading raw data from the block device:
     ssldec=<device>:<offset>:<size>
HELPEOF
}

/lib/initcpio/hooks/ssldec

run_hook ()
{
    local encfile decfile attempts prompt badpassword poweroffmsg dev arg1 arg2 retcode password

    if [ "x${ssldec}" != "x" ]; then
        encfile="/enc_keyfile.bin"
        decfile="/crypto_keyfile.bin"

        attempts="3"

        prompt="Enter password: "
        badpassword="Password incorrect"
        poweroffmsg="Try again later. Power off."

        dev="$(echo "${ssldec}" | cut -d: -f1)"
        arg1="$(echo "${ssldec}" | cut -d: -f2)"
        arg2="$(echo "${ssldec}" | cut -d: -f3)"

        if poll_device "${dev}" "${rootdelay}"; then
            case "${arg1}" in
                *[!0-9]*)
                    mkdir /mntkey
                    mount -r -t "${arg1}" "${dev}" /mntkey
                    dd if="/mntkey/${arg2}" of="${encfile}" >/dev/null 2>&1
                    umount /mntkey
                    rm -rf /mntkey
                    ;;
                *)
                    dd if="${dev}" of="${encfile}" bs=1 skip="${arg1}" count="${arg2}" >/dev/null 2>&1
                    ;;
            esac
        fi

        if [ -f "${encfile}" ]; then
            while true; do
                read -rsp "${prompt}" password
                openssl aes256 -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}" >/dev/null 2>&1
                retcode="$?"
                if [ "${retcode}" != "0" ]; then
                    sleep 2
                    attempts=$(( ${attempts} - 1 ))
                    [ "${attempts}" == "0" ] && echo -e "\n${poweroffmsg}" && poweroff -f
                    echo -e "\n${badpassword}\n"
                else
                    break
                fi
            done

            rm -f "${encfile}"
        else
            echo "Encrypted keyfile could not be opened. Reverting to 'encrypt' hook."
        fi
    fi
}

I followed people's advice to add 'add_runscript' below 'add_binary' in the build() function of the /lib/initcpio/install/ssldec file. That fixed the hook, but then I was unable to actually enter my password on the keyboard, whereas before I fixed the hook it would go to the encrypt hook and the keyboard would work. Somehow, by changing one thing at a time, I have completely wrecked my system.

The ssldec hook now says:

Encrypted Keyfile could not be opened. 

And when it gets turned over to the encrypt hook:

No volume groups found.
Error: resume: hibernation device '/'dev/mapper/lvm-swap' not found
Error: device '/dev/mapper/lvm-root' not found. Skipping fsck
Error: unable to find root device '/dev/mapper/lvm-root
Dropped to recover shell ...

In the recovery shell I can not type anything.

I thought I may have by accident replaced systemv with systemd:

# pacman -Qqe | grep systemd 
returns nothing

but

# pacman -Qq | grep systemd
systemd

I now have no idea what to do; I wrote this part of the LUKS wiki article btw.

Thanks,
airbus

Last edited by airbus001 (2013-01-21 05:13:40)

Offline

#34 2013-01-21 16:59:01

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Hey airbus. I would guess that the install hook script is missing some stuff. Since I posted the original post, I've switched to a custom hook that uses openssl too. Here's my /usr/lib/initcpio/install/ script:

#!/bin/bash

build ()
{
    local mod

    add_module dm-crypt
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi

    add_dir "/dev/mapper"
    add_binary "cryptsetup"
    add_binary "openssl"
    add_binary "dmsetup"
    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

    add_runscript
}

help ()
{
cat<<HELPEOF
  This hook allows for an encrypted root device with support for openssl encrypted key files.
HELPEOF
}

Offline

#35 2013-01-21 23:57:30

airbus001
Member
Registered: 2011-09-29
Posts: 17

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Hello Fabrice,

Thank you for the install part of the hook; now my keyboard works. However, ssldec still does not work for me. Is it possible for you to send me the actual hook?

Thanks,
airbus

Offline

#36 2013-01-22 15:30:34

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

airbus, sure. But keep in mind that I wrote this for myself, so it's not very flexible. The key has to be a file stored on the external device and must be aes-256-cbc encrypted, encoded in base64.
The corresponding grub (0.97) kernel line would be:

kernel /vmlinuz-linux root=/dev/mapper/root cryptdevice=/dev/sdX1:root cryptkey=/dev/sdY1:ext2:/keys/root.openssl.aes-256-cbc.base64 ro

...where /dev/sdX1 would be the encrypted partition and /dev/sdY1 would be the partition on the external device. Adapting this to use uuid should be possible. If you do, feel free to post your hook here.

Hope it helps.

run_hook ()
{
    modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        if [ ! -e "/dev/mapper/control" ]; then
            /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
        fi
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

        # Get keyfile if specified
        keyfile="/key.enc"
        if [ "x${cryptkey}" != "x" ]; then
            key_dev="$(echo "${cryptkey}" | cut -d: -f1)"
            key_fs="$(echo "${cryptkey}" | cut -d: -f2)"
            key_path="$(echo "${cryptkey}" | cut -d: -f3)"
            if poll_device "${key_dev}" ${rootdelay}; then
                # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                mkdir /ckey
                mount -r -t ${key_fs} ${key_dev} /ckey
                dd if=/ckey/${key_path} of=${keyfile} >/dev/null 2>&1
                umount /ckey
            fi
            [ ! -f ${keyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
        fi
        if [ -n "${cryptdevice}" ]; then
            DEPRECATED_CRYPT=0
            cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
            cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
        else
            DEPRECATED_CRYPT=1
            cryptdev="${root}"
            cryptname="root"
        fi

        warn_deprecated() {
            echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
            echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
        }

        if  poll_device "${cryptdev}" ${rootdelay}; then
            if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                dopassphrase=1
                # If keyfile exists, try to use that
                if [ -f ${keyfile} ]; then
                    while [ ! -e /dev/mapper/${cryptname} ];
                    do
                        sleep 2
                        /usr/bin/openssl aes-256-cbc -a -d -in "${keyfile}" | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
                        dopassphrase=0
                    done
                fi
                # Ask for a passphrase
                if [ ${dopassphrase} -gt 0 ]; then
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"

                    #loop until we get a real password
                    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                        sleep 2;
                    done
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            elif [ -n "${crypto}" ]; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                msg "Non-LUKS encrypted device found..."
                if [ $# -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi
                exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
                tmp=$(echo "${crypto}" | cut -d: -f1)
                [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f2)
                [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f3)
                [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f4)
                [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f5)
                [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
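                # ckeyfile is never assigned in this hook (the fetched key is ${keyfile});
                # quoted so that an empty value tests false and the passphrase branch is taken
                if [ -f "${ckeyfile}" ]; then
                    exe="${exe} --key-file ${ckeyfile}"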
                else
                    exe="${exe} --verify-passphrase"
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                fi
                eval "${exe} ${CSQUIET}"

                if [ $? -ne 0 ]; then
                    err "Non-LUKS device decryption failed. verify format: "
                    err "      crypto=hash:cipher:keysize:offset:skip"
                    exit 1
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            else
                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
            fi
        fi
        # Remove the fetched (still encrypted) key file; ${ckeyfile} is never set in this hook
        rm -f "${keyfile}"
    fi
}

Offline

#37 2013-05-27 21:08:36

devnull
Member
Registered: 2013-05-27
Posts: 2

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Hi Fabriceb,

I was trying to follow your guides here on the newest Arch install (2013.05.01). I was wondering whether you can donate some time by running your guides on this version and updating this guide for us.

I am still new to Arch and get lost a bit. It would be highly appreciated if you could spend some time keeping this guide updated often, if you can still find some free time.

Thanks in advance.
Peng

Last edited by devnull (2013-05-27 21:12:11)

Offline

#38 2017-04-26 17:16:02

OlafLostViking
Member
From: Lost
Registered: 2013-01-30
Posts: 58

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Today, my system failed to boot using these scripts. Since I was on the road, I debugged and solved it in a hackish way. But in case anybody else here has the same problems:

The last update to openssl 1.1 breaks the decryption of the key (which won't be shown by default as the error message is redirected). To get it working again at least for now, boot and mount your system with the Arch CD (it still includes openssl 1.0) and then add "openssl-1.0" into the BINARIES variable of mkinitcpio.conf and change the call to openssl in the ssldec hook to openssl-1.0. After rebuilding the initrd you'll have both openssls in your initramdisk and can get back into your system again.

Offline
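
An added example, not part of any post in this thread, for the breakage described in #38. It assumes the cause is the change of the default `openssl enc` key-derivation digest from MD5 (1.0.x) to SHA-256 (1.1.0), and shows on a constructed key file that naming the digest explicitly makes an old file readable again; all function names are hypothetical.

```shell
#!/bin/sh
# Assumption: `openssl enc` derives the AES key from the password with MD5 by
# default in OpenSSL 1.0.x and with SHA-256 from 1.1.0 on.
# The password and key material below are constructed samples.

# decrypt_key DIGEST INFILE OUTFILE PASSFILE
# stderr is discarded as in the hooks above, so a failure shows only in $?.
decrypt_key() {
    openssl enc -aes-256-cbc -a -d -md "$1" -in "$2" -out "$3" \
        -pass "file:$4" 2>/dev/null
}

# encrypt_key DIGEST INFILE OUTFILE PASSFILE
encrypt_key() {
    openssl enc -aes-256-cbc -a -md "$1" -in "$2" -out "$3" \
        -pass "file:$4" 2>/dev/null
}

# rewrap_key OLDFILE NEWFILE PASSFILE: read a 1.0-era (MD5) key file and write
# it again with the digest named explicitly. The plaintext key touches a
# mode-0600 temp file, so run this on tmpfs.
rewrap_key() {
    plain=$(mktemp) || return 1
    rc=1
    if decrypt_key md5 "$1" "$plain" "$3"; then
        encrypt_key sha256 "$plain" "$2" "$3"; rc=$?
    fi
    rm -f "$plain"
    return "$rc"
}

# key_survives ENC_DIGEST DEC_DIGEST [rewrap]: build a sample key file with
# ENC_DIGEST, optionally re-wrap it, decrypt with DEC_DIGEST and compare.
key_survives() {
    d=$(mktemp -d) || return 2
    printf 'constructed-sample-password\n' > "$d/pass"
    dd if=/dev/urandom of="$d/key" bs=64 count=1 2>/dev/null
    encrypt_key "$1" "$d/key" "$d/key.enc" "$d/pass"
    if [ "${3:-}" = rewrap ]; then
        rewrap_key "$d/key.enc" "$d/key.new" "$d/pass" && mv "$d/key.new" "$d/key.enc"
    fi
    decrypt_key "$2" "$d/key.enc" "$d/out" "$d/pass"
    cmp -s "$d/key" "$d/out"; ok=$?
    rm -rf "$d"
    return "$ok"
}

key_survives md5 md5    && echo "MD5 file, MD5 on decrypt:       key recovered"
key_survives md5 sha256 || echo "MD5 file, SHA-256 on decrypt:   key lost"
key_survives md5 sha256 rewrap && echo "re-wrapped, SHA-256 on decrypt: key recovered"
```

For the hooks in this thread that corresponds to adding `-md md5` to the existing `openssl` call, or re-wrapping the key file once and passing `-md sha256` from then on.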
