
#1 2013-06-15 14:37:34

indivisualist
Member
From: Germany
Registered: 2013-01-29
Posts: 6

Installing two encrypted Linux systems plus SSH capability: How?

Currently I'm using a hardware-based full-disk encryption, but this makes it impossible to access my machine via SSH - the password has to be entered before the machine boots. So I thought about setting it up with dm-crypt and LUKS, but it is a little hard to understand ...
I do understand how encryption itself works, the differences between stacked and block device encryption, I already used Truecrypt in Windows etc., but I can't wrap my head around the Linux way. My goal is to have an encrypted machine with two separate Linux distributions which are accessible via SSH.

There is a huuuuuge text in the ArchWiki about using dm-crypt with LUKS, but I still have some trouble figuring out the very basic concept. How do the different layers work? As far as I understood, there is the physical volume (/dev/sda). The encryption sets up on this - but I'm stuck here. Do I get encrypted partitions, such as /dev/sda1 and /dev/sda2?
Next, the boot partition has to be unencrypted. So can I "bundle" encrypted partitions to access two different Linux installations (e.g. Arch Linux and Debian) with two different passwords? Is the installation more or less the same as a regular installation?

To further clarify my problem: I think I can handle the three steps by themselves (dual-boot, encryption for one system, SSH at boot) - but not all of them combined.

Any hints would be appreciated - thanks!


Linux: the choice of a GNU generation.


#2 2013-06-16 02:00:14

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Installing two encrypted Linux systems plus SSH capability: How?

There are different ways to do it. Do you want two different passwords?

One way is to partition your disk, creating 2 or 3 partitions. One of these is /boot, one may be your EFI partition if you use UEFI to boot and want a separate ESP. The third is for your luks container. Then you put something on top of that e.g. LVM and create logical volumes within your container. This way you only need one password.

If you create, say, 5 partitions (/boot, EFI partition, Distro1, Distro2, swap, say) and then create LUKS containers on those, you will have 5 different containers to decrypt. (Or maybe 4 if you don't want access to Distro1 from Distro2, say.) This avoids the use of LVM but requires multiple passwords to be entered.

I can't comment on the use of ssh in this setup though I would quite like to know how to make it available. (But I'm interested in doing it on a Fedora box rather than my Arch machine so potentially irrelevant anyway.)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2013-06-16 08:13:19

indivisualist
Member
From: Germany
Registered: 2013-01-29
Posts: 6

Re: Installing two encrypted Linux systems plus SSH capability: How?

Thank you, I think I got it now. After some more reading there seem to be different ways to use the encryption - I think I'll go the way you described first and set up a single, large LUKS container. Entering multiple passwords for multiple containers will be a little annoying in the long run ...

Just one more question: So I would have something like /boot, /efi, /distro1, /distro1swap, /distro1home and /distro2 as partitions inside a large encrypted volume and unlock them all at once with a single password? This sounds easy enough to do.
As already mentioned, currently I have one FDE password to unlock everything, but the system itself is not free respectively open source (TCPA architecture). I'd like to change that and add SSH, too.


Since you asked about the SSH setup: I'll have to try this in a virtual machine first, but the idea is to set up a small Dropbear SSH server which is available at initramfs and a small BusyBox shell. From there you can unlock and boot the "real" system.
Maybe I should write a small guide for Arch Linux if it works ... The concept should work on Fedora, too.

Last edited by indivisualist (2013-06-16 08:14:55)



#4 2013-06-16 14:29:50

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: Installing two encrypted Linux systems plus SSH capability: How?

What do you want to protect? If you only want to protect user data then perhaps Pam-mount would suit your needs. With it, you could create an encrypted device for a user that will be mounted automatically when you log in (normally and/or via SSH), and which will be unmounted automatically once you log out. I believe that similar setups can be achieved using ecryptfs or encfs with pam-mount as well, but I haven't looked at that in a while so I'm not entirely sure.

Of course, you can combine multiple layers of encryption. I would recommend using one large LVM partition as you have already described, but rather than encrypt the whole LVM partition with a single password, create the necessary system partitions (e.g. /, /var) and encrypt them separately. You can set a single password for the root partition and then use key files on that partition to decrypt e.g. /var, that way you only have to enter a password for /.

You can then encrypt other partitions with user data and mount them as necessary with e.g. pam-mount as described above. Everything is thus protected when the system is off and only the necessary partitions (/ & /var) are exposed when the system is running with no users logged in. Sensitive data in other partitions will only be exposed as necessary when a user is logged in.

If you only encrypt the LUKS partition itself then everything is exposed once the system is running. If you add further encrypted virtual partitions on top of that then you have to deal with the overhead of multiple layers of encryption per virtual partition without any security advantage.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone
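The key-file arrangement described in post #4 (a passphrase for / and key files stored on it for e.g. /var) depends on where those key files live and who can read them. The following is an added example, not part of any post in this thread: a shell check over a crypttab-format file. The use of /etc/crypttab, the `root-prefix` argument, the fixture paths and the device names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the key files named in a crypttab-format file.
# Usage: audit_crypttab <crypttab> [root-prefix]. The prefix (an assumption of
# this example) allows checking a mounted offline root or a test fixture.
# "stat -c %a" needs GNU coreutils or BusyBox.
audit_crypttab() {
    local crypttab=$1 root=${2:-} name device keyfile options mode
    AUDIT_FINDINGS=0
    while read -r name device keyfile options || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        case ${keyfile:-none} in
            none|-|/dev/*random) continue ;;         # passphrase prompt or random swap key
            /boot/*) mode=unencrypted ;;             # /boot lies outside the LUKS container
            *) if [ -f "$root$keyfile" ]; then mode=$(stat -c %a "$root$keyfile")
               else mode=missing; fi ;;
        esac
        case $mode in
            unencrypted) echo "FAIL $name: $keyfile is stored on unencrypted /boot" ;;
            missing)     echo "FAIL $name: $keyfile does not exist" ;;
            *) # any group/other permission bit exposes the key to non-root users
               if [ $(( 0$mode & 077 )) -eq 0 ]; then echo "OK   $name: $keyfile mode $mode"; continue; fi
               echo "FAIL $name: $keyfile mode $mode is accessible beyond its owner" ;;
        esac
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    done < "$crypttab"
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Constructed sample: a throwaway root with one good key, one world-readable
# key and one key placed on /boot. Device names are placeholders.
make_fixture() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/etc/keys"
    head -c 64 /dev/urandom > "$root/etc/keys/var.key";  chmod 400 "$root/etc/keys/var.key"
    head -c 64 /dev/urandom > "$root/etc/keys/data.key"; chmod 644 "$root/etc/keys/data.key"
    cat > "$root/etc/crypttab" <<'EOF'
# name  device          keyfile             options
var     /dev/vg0/var    /etc/keys/var.key   luks
data    /dev/vg0/data   /etc/keys/data.key  luks
swap    /dev/vg0/swap   /dev/urandom        swap
spare   /dev/vg0/spare  /boot/spare.key     luks
EOF
    echo "$root"
}

fixture=$(make_fixture)
audit_crypttab "$fixture/etc/crypttab" "$fixture" || echo "findings: $AUDIT_FINDINGS"
rm -rf "$fixture"
```

On a live system the same function can be pointed at `/etc/crypttab` with no prefix; it only reads file metadata and never opens the key material.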


#5 2013-06-16 15:06:49

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Installing two encrypted Linux systems plus SSH capability: How?

Good idea to use pam-mount and separate /home in such a setup, I agree. Ecryptfs and encfs can both be used with pam-mount.
With a LUKS root, the approach you have to follow for ssh is described (briefly) here.


#6 2013-06-16 20:01:48

indivisualist
Member
From: Germany
Registered: 2013-01-29
Posts: 6

Re: Installing two encrypted Linux systems plus SSH capability: How?

I haven't heard about Pam mount yet, sounds great. But since I will be the only user on the system it isn't necessary to encrypt different home folders.
To answer the question what I want to protect - well, I need a full disk encryption to prevent unauthorized access to any stored files in the case of theft or snooping people. Strong encryption (if powered down) and a screensaver with a password will be enough for my needs, but just protecting the home directory isn't enough.

I know about full paranoia mode (i.e. carrying the bootloader on a USB key by oneself etc.), but that would be overkill ...



#7 2013-06-16 20:38:18

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Installing two encrypted Linux systems plus SSH capability: How?

In that case, you want /boot and your EFI partition outside the LUKS container. This is what I do and doesn't require having a USB key or whatever for boot.

