
#1 2010-05-12 01:13:50

Dissident85
Member
From: Sydney, Australia
Registered: 2010-01-15
Posts: 18

Fulldisk encryption with a gpg encrypted key?

Hi all, anyone know if it is possible to encrypt a root partition using a gpg encrypted key?

To create it and open it I would use something like this.

# dd if=/dev/urandom bs=512 count=4 | gpg --symmetric --armor > ./rootkey.gpg
# gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
# gpg --decrypt rootkey.gpg 2>/dev/null | cryptsetup luksOpen /dev/sda3 root

which works if I manually enter the commands to decrypt the drive, but how would I do that at boot? I was reading an article on the Gentoo wiki about creating custom scripts etc. to handle it all. Can something similar be applied in Arch Linux? If this is at all possible, is there somewhere I can find some documentation on doing this?

cheers.


#2 2010-05-12 15:55:21

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834

Re: Fulldisk encryption with a gpg encrypted key?

The script you want is the encrypt hook that comes with the cryptsetup package, /lib/initcpio/hooks/encrypt. You can make your modifications there, or create a new hook based on it.


You need to install an RTFM interface.


#3 2010-05-13 00:45:07

Dissident85
Member
From: Sydney, Australia
Registered: 2010-01-15
Posts: 18

Re: Fulldisk encryption with a gpg encrypted key?

Thanks for the reply, modifying the script shouldn't be too hard. But I can see one small problem with only modifying that script: for this to work I would need to have GnuPG available at boot time. So do I just add BINARIES="/usr/bin/gpg" to mkinitcpio.conf when I install?

From what I understand this should do the trick?


#4 2010-05-13 00:50:41

Daenyth
Forum Fellow
From: Boston, MA
Registered: 2008-02-24
Posts: 1,244

Re: Fulldisk encryption with a gpg encrypted key?

You'll also need the libraries and any other files.

But what's wrong with using LUKS?


#5 2010-05-13 01:57:26

Dissident85
Member
From: Sydney, Australia
Registered: 2010-01-15
Posts: 18

Re: Fulldisk encryption with a gpg encrypted key?

Nothing wrong with using LUKS, and in a way I am still using LUKS, but what I am doing here is having a keyfile encrypted using GnuPG and stored between the MBR and the first partition. My modified /lib/initcpio/hooks/encrypt script will ask for the password for the keyfile to decrypt the root partition, and if an incorrect password is entered more than, say, 3 times it will shred the keyfile, making the root partition impossible to ever decrypt. As a backup for myself I will have a copy of the gpg-encrypted key stored somewhere on the web.

So basically this adds a whole new layer of security to the system. The more layers of security you can add, the better.

I do know this is a little overboard, but it's more for the fun of doing it, in a strange sort of nerdy way :)

But back to what you were saying about the libraries. From the Arch Linux wiki:

These options allow users to add files to the image. Both BINARIES and FILES are added before hooks are run, and may be used to override files used or provided by a hook. BINARIES are dependency-parsed, meaning any required libraries will also be added. FILES are added as-is. For example:

So I shouldn't have to worry about them.

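The following is an added example, not code from the thread or from the Arch encrypt hook. It sketches, in POSIX sh, the two pieces the thread describes: the keyfile creation and LUKS formatting from the first post, and the boot-time open that Dissident85 outlines above, which tries the passphrase a bounded number of times and then destroys the keyfile. The paths (/rootkey.gpg, /dev/sda3), the mapping name, the retry count and the idea of calling these functions from a hook's run_hook() are assumptions. The example passes the decrypted key to cryptsetup with "--key-file -", which makes cryptsetup read all of stdin as a binary key; without that option cryptsetup treats piped input as a passphrase and stops reading at the first newline byte. Either form works as long as luksFormat and luksOpen use the same one.

```shell
#!/bin/sh
# Added example, not code from the thread or from mkinitcpio's encrypt hook.
# Paths, names and the retry count are assumptions for illustration. In a
# real hook these functions would be called from run_hook(), with gpg added
# to the image via BINARIES in mkinitcpio.conf.

# Commands are indirected through variables so the control flow can be
# exercised (and tested) without a real gpg or cryptsetup.
: "${GPG:=gpg}"
: "${CRYPTSETUP:=cryptsetup}"

# make_gpg_keyfile OUTFILE
# Generate 2048 random bytes and store them symmetrically encrypted with
# gpg (gpg prompts for the passphrase). Run once, outside the initramfs.
make_gpg_keyfile() {
    dd if=/dev/urandom bs=512 count=4 2>/dev/null \
        | "$GPG" --symmetric --armor --output "$1"
}

# format_root KEYFILE DEVICE
# One-time LUKS format using the decrypted key as the whole binary key.
# Must use the same "--key-file -" form as open_root below.
format_root() {
    "$GPG" --quiet --decrypt "$1" \
        | "$CRYPTSETUP" --cipher serpent-cbc-essiv:sha256 --key-size 256 \
            --key-file - luksFormat "$2"
}

# destroy_keyfile FILE
# Overwrite and unlink the keyfile. shred may be missing from a busybox
# initramfs, hence the fallback. Overwriting a file is not a reliable erase
# on SSDs or journaling filesystems; if the key lives in raw sectors (as the
# post suggests) overwrite those sectors with dd instead.
destroy_keyfile() {
    if command -v shred >/dev/null 2>&1; then
        shred -u -n 3 -z "$1"
    else
        rm -f "$1"
    fi
}

# open_root KEYFILE DEVICE NAME [MAXTRIES]
# Try up to MAXTRIES (default 3) passphrases. Each attempt decrypts the
# keyfile and pipes the plaintext into cryptsetup; a wrong passphrase makes
# gpg emit nothing, so luksOpen fails and the loop continues. After MAXTRIES
# failures the keyfile is destroyed and 1 is returned; success returns 0.
open_root() {
    keyfile=$1 dev=$2 name=$3 max=${4:-3} n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if "$GPG" --quiet --decrypt "$keyfile" 2>/dev/null \
            | "$CRYPTSETUP" --key-file - luksOpen "$dev" "$name"; then
            return 0
        fi
        echo "open_root: attempt $n of $max failed" >&2
    done
    echo "open_root: too many failures, destroying $keyfile" >&2
    destroy_keyfile "$keyfile"
    return 1
}

# Usage inside a hook (assumed paths):
#   open_root /rootkey.gpg /dev/sda3 root 3 || { echo "root key destroyed"; exit 1; }
```

Because the hook destroys the only copy of the key on the machine after a handful of typos, the off-machine backup of rootkey.gpg mentioned in the post is not optional: without it a mistyped passphrase at boot is equivalent to losing the disk.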

#6 2010-05-13 02:57:32

JackH79
Member
From: Australia
Registered: 2009-06-18
Posts: 663

Re: Fulldisk encryption with a gpg encrypted key?

It's probably a bit beside the point, but why not use TrueCrypt? http://www.truecrypt.org/


#7 2010-05-13 02:59:49

jwwolf
Member
Registered: 2009-06-29
Posts: 74

Re: Fulldisk encryption with a gpg encrypted key?

And what is wrong with using loop-aes?


#8 2010-05-13 03:52:24

Dissident85
Member
From: Sydney, Australia
Registered: 2010-01-15
Posts: 18

Re: Fulldisk encryption with a gpg encrypted key?

JackH79 wrote:

It's probably a bit beside the point, but why not use TrueCrypt? http://www.truecrypt.org/

As far as I know, TrueCrypt does not support full disk encryption in Linux, only Windows. TrueCrypt is good when you want to encrypt something that has to be decrypted cross-platform, for example a USB key.

jwwolf wrote:

And what is wrong with using loop-aes?

loop-AES isn't supported in mkinitcpio as yet. I think I could get it to work, but I would have to build a custom hook, and that's a whole lot more work.


#9 2010-05-13 04:42:52

JackH79
Member
From: Australia
Registered: 2009-06-18
Posts: 663

Re: Fulldisk encryption with a gpg encrypted key?

Dissident85 wrote:

As far as I know, TrueCrypt does not support full disk encryption in Linux, only Windows.

Well, I just tested it myself with an empty partition on my hard drive and it worked perfectly fine. It doesn't offer ext4 yet, but ext3 works.


#10 2010-05-13 05:10:35

Dissident85
Member
From: Sydney, Australia
Registered: 2010-01-15
Posts: 18

Re: Fulldisk encryption with a gpg encrypted key?

JackH79 wrote:

Well, I just tested it myself with an empty partition on my hard drive and it worked perfectly fine. It doesn't offer ext4 yet, but ext3 works.

Yes, you can use TrueCrypt to encrypt almost any type of disk attached to your box, but to get the root disk encrypted, which is what I am trying to achieve, the problem is that the kernel doesn't know how to decrypt it, so it has to be done in early userspace. I may be wrong, but I would think you would need to create a custom hook and include TrueCrypt in the initramfs, the same problem as loop-AES I guess...

So the easy option is to just slightly modify what Arch Linux already has, and which has been thoroughly tested...


#11 2010-05-13 06:00:13

JackH79
Member
From: Australia
Registered: 2009-06-18
Posts: 663

Re: Fulldisk encryption with a gpg encrypted key?

Ah, yes. You are right. I did some research but couldn't find any "out-of-the-box" solution for Linux for your particular problem. Weird.

You might find this entry interesting though: http://wiki.archlinux.org/index.php/LUKS

or a very detailed entry from the Gentoo wiki: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

Hope it helps


#12 2010-05-14 05:00:56

jwwolf
Member
Registered: 2009-06-29
Posts: 74

Re: Fulldisk encryption with a gpg encrypted key?

JackH79 wrote:
jwwolf wrote:

And what is wrong with using loop-aes?

loop-AES isn't supported in mkinitcpio as yet. I think I could get it to work, but I would have to build a custom hook, and that's a whole lot more work.

Read Example 5 and here
