LinuxQuestions.org - Linux - Security - Encrypted File system issues (https://www.linuxquestions.org/questions/linux-security-4/encrypted-file-system-issues-4175422173/)

daviddbb 08-15-2012 06:00 AM

Encrypted File system issues
 
Hello,
I recently installed CentOS 6.2; during the installation I used the installer's disk manager to create '/' as an encrypted file system.
Now by default, every time the system reboots I have to enter the password to open the encrypted file system.
The problem is that after I created a pass file for automatic opening of the encrypted file system, it still asks for the password.

Code:

================

cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3

Version:              1
Cipher name:          aes
Cipher mode:          xts-plain64
Hash spec:            sha1
Payload offset:        4096
MK bits:              512
MK digest:            71 e7 f2 6a 3f ab 60 35 33 99 fe 9c 6c cc 23 af 07 15 83 87
MK salt:              c4 a2 d4 57 53 6a 8e b3 fd 97 a7 5d f7 aa a8 9c
                      d6 b7 8d 06 71 7a b7 a1 e0 ff 9d de 58 41 12 13
MK iterations:        48125
UUID:                  f2f4364c-f74f-4f18-92ce-0a3c84c406e7

Key Slot 0: ENABLED
        Iterations:                187612
        Salt:                      33 60 ff 8a 2d f1 fd 61 b3 36 32 8a 23 31 bb 6b
                                      14 a2 28 4d 4a 9c fb f3 93 03 b8 d1 b8 a2 1e 13
        Key material offset:        8
        AF stripes:                    4000
Key Slot 1: ENABLED
        Iterations:                190629
        Salt:                      69 1f 60 54 96 e9 f3 a2 ec 9b 94 00 9e fd c0 0c
                                      43 0e 3b 86 91 0f a1 bc 00 c7 d8 74 ad 08 55 23
        Key material offset:        512
        AF stripes:                    4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
================

Code:

================
[root@crypted ~]# cryptsetup isLuks /dev/sda3
[root@crypted ~]# mount
/dev/mapper/luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw
================

This is the crypttab:
Code:

================
luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 UUID=f2f4364c-f74f-4f18-92ce-0a3c84c406e7 /root/passfile
================

Both of the key slots are key files, but after boot it seems like the system ignores them and always asks for a password entry.
I wonder if I missed something.

This is grub.conf:
Code:

================
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-279.5.1.el6.x86_64 ro root=/dev/mapper/luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 rd_LUKS_UUID=luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-279.5.1.el6.x86_64.img
================

Please advise me :)

shm0 08-16-2012 06:44 AM

According to this document, if you are encrypting the root partition, you should leave at least 1 other partition unencrypted. That would be the /boot partition which includes the grub.conf file. Check the section with the title: Encrypted root filesystem.

daviddbb 08-16-2012 07:12 AM

I know that, but /boot is not encrypted:
Quote:

/dev/sda1 194M 66M 118M 36% /boot
Quote:

[root@crypted ~]# cryptsetup isLuks /dev/sda1
Device /dev/sda1 is not a valid LUKS device.

Quantumstate 08-16-2012 04:14 PM

Well if you have the encrypted part in fstab set to auto mount, and it asks for the password on boot, then it shouldn't ask again.

shm0 08-16-2012 04:28 PM

daviddbb: You kept the passfile under /root. By the time you boot your server the whole / partition is encrypted, including the passfile. You should keep it under /boot instead.

NyteOwl 08-18-2012 01:46 PM

As indicated, if the crypttab is on / rather than /boot it isn't available until after / is decrypted.

Keeping the key-file in the unencrypted /boot partition on the same system basically makes the encryption pointless, as anyone can then access the encrypted partitions. A better way is to store the key-file on a USB keydrive or CD/DVD that is accessible to be read by the system at boot time and can be removed and kept separate otherwise.
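As an added example that is not from any poster in this thread, a small Python check that reads crypttab entries against the mount table and reports whether each key file is stored on a dm-crypt volume (as /root/passfile is here, so it cannot be read before that volume is unlocked), on an unencrypted filesystem of the same machine (as a key under /boot would be), or not given at all. The thread's own crypttab line and mount output are reused; the luks-data and luks-scratch entries, their UUIDs, and the parsing helpers are constructed for the example.

```python
# Constructed crypttab and `mount` output modelled on the thread; the luks-data
# and luks-scratch entries are hypothetical additions for comparison.
CRYPTTAB = """\
luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 UUID=f2f4364c-f74f-4f18-92ce-0a3c84c406e7 /root/passfile
luks-data    UUID=00000000-0000-0000-0000-000000000001 /boot/data.key
luks-scratch UUID=00000000-0000-0000-0000-000000000002 none
"""
MOUNTS = """\
/dev/mapper/luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 on / type ext4 (rw)
/dev/sda1 on /boot type ext4 (rw)
"""

def parse_crypttab(text):
    """Yield (mapper name, key file path or None) for each non-comment line."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            key = fields[2] if len(fields) > 2 and fields[2] != "none" else None
            yield fields[0], key

def parse_mounts(text):
    """Map mount point -> backing device from `mount`-style output lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "on":
            mounts[fields[2]] = fields[0]
    return mounts

def device_for(path, mounts):
    """Backing device of the longest mount point prefixing path (table must hold '/')."""
    mp = max((m for m in mounts if path.startswith(m.rstrip("/") + "/")), key=len)
    return mounts[mp]

def classify(keyfile, mounts):
    # 'passphrase': no key file, so a prompt at boot is expected
    # 'circular'  : key file sits on a dm-crypt volume, unreadable until that
    #               volume is already unlocked (the thread's /root/passfile)
    # 'plaintext' : key file on an unencrypted filesystem of the same machine,
    #               so whoever holds the disk can unlock the volume
    if keyfile is None:
        return "passphrase"
    if device_for(keyfile, mounts).startswith("/dev/mapper/luks-"):
        return "circular"
    return "plaintext"

def audit(crypttab=CRYPTTAB, mount_output=MOUNTS):
    """Return {mapper name: verdict} for every crypttab entry."""
    mounts = parse_mounts(mount_output)
    return {name: classify(key, mounts) for name, key in parse_crypttab(crypttab)}
```

On a live system, pass the contents of /etc/crypttab and the output of `mount` to `audit()`; a 'circular' verdict on the root mapping reproduces the symptom in this thread.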
