LUKS

Aus Neobikers Wiki
Zur Navigation springen Zur Suche springen

Konfiguration

Der XEN-Host sucht das LUKS Passwort des Root-Filesystems (sdf3_crypt) im Bootprozess per Skript keyscripts.sh auf mehreren USB-Sticks. Die Schlüssel der weiteren Partitionen (sd[ae]7_crypt) und RAID Devices (md2_crypt) kann er dann aus seinem verschlüsselten Filesystem direkt lesen. Eine Sicherheitskopie des Root-Filesystems liegt im RAID Device md3_crypt, sodass dieses Passwort im Notfall ebenfalls per Skript gelesen werden muss.

File: /etc/crypttab

# <target name> <source device>                 <key file>      <options>
sdf3_crypt UUID=d790d85a-15c0-441d-a7ed-6774f28a7617 none luks,discard,tries=3,keyscript=/etc/cryptkey/keyscript.sh,x-initrd.attach

md3_crypt  UUID=e1995323-e3fc-46fd-ac29-bb2132aa2e38 none luks,initramfs,tries=3,keyscript=/etc/cryptkey/keyscript.sh,x-initrd.attach

md2_crypt  UUID=d82e8e06-2250-4d47-be5a-6b48d97ebcb8 /etc/cryptkey/usb.FSC_MEMORYBIRD luks,tries=3
sda7_crypt UUID=8b00a3ca-b3e4-40b9-bc78-2a0b08996171 /etc/cryptkey/usb.FSC_MEMORYBIRD luks,tries=3
sde7_crypt UUID=26b27262-44b0-40d1-b4d9-8b67a7d020fe /etc/cryptkey/usb.FSC_MEMORYBIRD luks,tries=3

#FreeDesktop Agent USB 500G
usb_crypt  UUID=b7c276db-3442-4754-8780-05059bbebb1a none luks,tries=3,noauto,keyscript=/etc/cryptkey/keyscript.sh

Skript

Skript welches das LUKS Passwort auf mehreren USB-Sticks sucht.

/etc/cryptkey/keyscripts.sh

#!/bin/sh
# by neobiker (2020-04)
#
KEYDEVICE_MODULES="usb_storage"

# list where LUKS looks for keys (the 1.st found will be taken by keyscript.sh)
# as listed in /dev/disk/by-id/
key1=/dev/disk/by-id/usb-FSC_Memorybird_P_10003446F7000109-0:0
key2=/dev/disk/by-id/usb-LEXAR_DIGITAL_FILM_0301190000000297886800000000000-0:0
key3=
key4=
key5=
key6=
key7=
key8=

KEYDEVICES="$key1 $key2 $key3 $key4 $key5 $key6 $key7 $key8"

KEYDEVICE_BLOCKSIZE="512"
KEYDEVICE_SKIPBLOCKS="1"
KEYDEVICE_READBLOCKS="4"

for module in $KEYDEVICE_MODULES; do
        cat /proc/modules | grep -q $module && continue
        modprobe $module >/dev/null 2>&1
        sleep 3
done

keynr=-1
for KEYDEVICE in $KEYDEVICES; do
        if [ -e $KEYDEVICE ]; then
                keynr=$(( $keynr + 1 ))
                if [ "0$CRYPTTAB_TRIED" -gt "$keynr" ]; then
                        echo "CryptKeydevice NO_KEY: $KEYDEVICE" >&2
                        continue
                fi
                dd if=$KEYDEVICE bs=$KEYDEVICE_BLOCKSIZE skip=$KEYDEVICE_SKIPBLOCKS count=$KEYDEVICE_READBLOCKS 2>/dev/null && break
        fi
done