Lab 10.2 Solution
I had problems getting the solution for Lab 10.2 to work on Ubuntu 14.04 (discussed below). I found a solution that works (http://askubuntu.com/questions/463661/encrypted-swap-partition-for-14-04).
However, somewhat annoyingly the volume /dev/sda6 disappears from the output of sudo blkid after rebooting. Consequently, I have not been able to use a UUID to make identifying the physical device at boot more robust than /dev/sda6. This seems to be contrary to the manpage, which says "...Instead of giving the source device explicitly, the UUID is supported as well, using UUID=..." (See Diagnostic Information A).
Incompatible cryptsetup command and /etc/crypttab entry in Lab 10.2 Solution?:
The cryptsetup command seems incompatible with the /etc/crypttab entry because cryptsetup prompts for a passphrase, whereas the /etc/crypttab entry uses /dev/urandom for its key file (See Diagnostic information B). If you compare the cryptsetup commands from 'Lab 10.2 Solution':
$ sudo cryptsetup luksFormat /dev/sda11 # may use --cipher aes option
$ sudo cryptsetup luksOpen /dev/sda11 swapcrypt
and
:~$ sudo cryptsetup -d /dev/urandom create cryptswap /dev/sda6
:~$ sudo mkswap -f /dev/mapper/cryptswap -v1
(from: (http://askubuntu.com/questions/463661/encrypted-swap-partition-for-14-04))
I would suggest this is why the encrypted swap partition was not ready after reboot in the Lab 10.2 Solution.
So to summarise my questions are:
1. If /dev/sda6 disappears from sudo blkid output after reboot, how may I identify and mount the device with a more robust method such as UUID=?
2. If you are going to use the /dev/urandom method of encryption, is it necessary to specify it both within the cryptsetup command and the /etc/crypttab entry?
As usual I expect I have misunderstood some aspect(s), so I thank you in advance for making the effort to set me straight.
Diagnostic information A:
:~$ sudo blkid # before reboot
[sudo] password for thebiz:
/dev/sda1: LABEL="Win7" UUID="FAEEAD46EEACFBCF" TYPE="ntfs"
/dev/sda2: UUID="123EABF73EABD251" TYPE="ntfs"
/dev/sda4: LABEL="LENOVO_PART" UUID="32588AD8588A9A6D" TYPE="ntfs"
/dev/sda5: LABEL="Ubuntu" UUID="0288dc9a-30c5-4a83-ace9-c8c93318a798" TYPE="ext4"
/dev/sda6: UUID="ad5d344a-f00a-4bbe-92ba-2f9d1e393799" TYPE="swap"
/dev/sda7: LABEL="CentOS" UUID="722a724d-9bdb-4e6b-b7c0-4e7a22e24380" TYPE="ext4"
/dev/sda8: UUID="8528880f-a0d6-4e5a-8f59-a445f72d8863" TYPE="swap"
/dev/sda9: LABEL="OpenSUSE" UUID="7cf9c051-88ce-4d17-905c-d39d2c58c415" UUID_SUB="3d3fdd6b-5511-41fe-ac5e-fbb6f4a2d7b1" TYPE="btrfs"
/dev/sda10: UUID="cad1d000-7ecd-453d-bb3e-c28790d85bee" TYPE="swap"
/dev/sda11: UUID="6d721972-8566-409e-b796-c1429d7670b0" TYPE="crypto_LUKS"
/dev/sdb1: LABEL="mydocuments" UUID="0AAACA9649E772A8" TYPE="ntfs"
/dev/sdb2: UUID="697d8f2a-4d77-4a4c-b48a-a90a525e31b1" TYPE="ext4"
/dev/mapper/secret-disk: UUID="a6fca341-8e25-463b-8e67-7b6a1fdc82c7" TYPE="ext4"
:~$ sudo swapoff -a
:~$ sudo cryptsetup -d /dev/urandom create cryptswap /dev/sda6
:~$ sudo mkswap -f /dev/mapper/cryptswap -v1
:~$ sudo reboot
:~$ sudo blkid # after reboot
[sudo] password for thebiz:
/dev/sda1: LABEL="Win7" UUID="FAEEAD46EEACFBCF" TYPE="ntfs"
/dev/sda2: UUID="123EABF73EABD251" TYPE="ntfs"
/dev/sda4: LABEL="LENOVO_PART" UUID="32588AD8588A9A6D" TYPE="ntfs"
/dev/sda5: LABEL="Ubuntu" UUID="0288dc9a-30c5-4a83-ace9-c8c93318a798" TYPE="ext4"
/dev/sda7: LABEL="CentOS" UUID="722a724d-9bdb-4e6b-b7c0-4e7a22e24380" TYPE="ext4"
/dev/sda8: UUID="8528880f-a0d6-4e5a-8f59-a445f72d8863" TYPE="swap"
/dev/sda9: LABEL="OpenSUSE" UUID="7cf9c051-88ce-4d17-905c-d39d2c58c415" UUID_SUB="3d3fdd6b-5511-41fe-ac5e-fbb6f4a2d7b1" TYPE="btrfs"
/dev/sda10: UUID="cad1d000-7ecd-453d-bb3e-c28790d85bee" TYPE="swap"
/dev/sda11: UUID="6d721972-8566-409e-b796-c1429d7670b0" TYPE="crypto_LUKS"
/dev/sdb1: LABEL="mydocuments" UUID="0AAACA9649E772A8" TYPE="ntfs"
/dev/sdb2: UUID="697d8f2a-4d77-4a4c-b48a-a90a525e31b1" TYPE="ext4"
/dev/mapper/secret-disk: UUID="a6fca341-8e25-463b-8e67-7b6a1fdc82c7" TYPE="ext4"
Diagnostic information B:
thebiz@thebizbot:~$ sudo cryptsetup luksFormat /dev/sda6
WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
thebiz@thebizbot:~$ cat /etc/crypttab
swapcrypt /dev/sda11 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
secret-disk UUID=6d721972-8566-409e-b796-c1429d7670b0 none luks
Comments
I can't answer your specific questions, but when I was working through this lab I made a note that the fstab entry in step 5.b) was incorrect. As per the fstab man page:
The second field (fs_file).
This field describes the mount point for the filesystem. For
swap partitions, this field should be specified as `none'. If
the name of the mount point contains spaces these can be escaped
as `\040'.
So, the line should be:
/dev/mapper/swap none swap defaults 0 0
not
/dev/mapper/swap swapcrypt swap defaults 0 0
Thanks,
Adam
Hi Adam,
Thanks for your useful input. I had not noticed the problematic fstab entry.
Tomorrow, I shall test your fstab entry with the Lab 10.2 Solution.
Thereafter, I should be able to answer my second question independently.
Have a nice weekend!
Thanks,
John
This is a red herring. You don't have to say "none"; the field
is ignored, you could substitute "adam" for none. It just indicates
a filesystem which does not have a real device node, a pseudo-filesystem.
Some more intriguing but nonetheless inconclusive diagnostics that leave me pulling out more of my hair:
:~$ sudo cryptsetup luksUUID /dev/sda11
6d721972-8566-409e-b796-c1429d7670b0
...Returns the UUID of my encrypted secret partition.
:~$ cat /etc/crypttab
cryptswap /dev/sda6 /dev/urandom swap
secret-disk UUID=6d721972-8566-409e-b796-c1429d7670b0 none luks
... Shows the UUID of secret-disk & the declaration of /dev/sda6 as the source for swap.
:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/dm-0 partition 2097148 0 -1
... Shows that swap is active.
thebiz@thebizbot:~$ sudo cryptsetup luksUUID /dev/sda6
Device /dev/sda6 is not a valid LUKS device.
BUT!!!! /dev/sda6 is not valid???!!!
Thanks and have a nice weekend.
Hi,
I've got a LUKS encrypted partition persistently working across reboot. It's a partial solution since I have been unable to get /dev/random to work, so it works with a fixed passphrase prompted at boot. I also have it working with UUID=, which is advantageous since my internal HDD and USB HDD are identical disk models and so frequently exchange identities (sdaXX or sdbXX).
According to the crypttab manpage: "The third field, key file,...It can also be a device name (e.g. /dev/urandom), note however that LUKS requires a persistent key and therefore does not support random data keys" - suggesting that random keys may not be supported.
Since the 10.2 instructions work up until reboot, I followed all instructions from the 10.2 Lab Solution but used the following fstab and crypttab entries:
/etc/crypttab
swapcrypt UUID=aac8a921-c931-4ad6-ae9f-fda79dee00bf none luks
/etc/fstab
/dev/mapper/swapcrypt none swap defaults 0 0
The alternative solution I proposed at the beginning of this thread is not a valid solution. While it appears to start an encrypted swap partition, it is not a LUKS encrypted partition and seems to do something questionable with the disk partition itself, since it becomes invisible to sudo blkid.
I've been playing around trying to figure out the relationship between /dev/urandom vs none in the third field and swap vs luks in the fourth field. Based on the information in the crypttab man pages on both Ubuntu 14.04 and CentOS 7 (they differ slightly but don't contradict each other) I've discovered that a crypttab entry of:
swapcrypt /dev/sdb1 /dev/urandom swap
will create a plain (not LUKS) encrypted swap file that is mounted at boot without prompting for a password. This would seem to be most useful on a server which may have to be rebooted remotely. The only caveat is that a UUID cannot be used since the swap keyword causes mkswap to be run on each reboot which changes the UUID. This drive does not have to be prepared with cryptsetup. In fact, I had to remove the LUKS signature using wipefs to get this to work.
Next on my list is to try to get the --key-file keyword working in order to mount arbitrary LUKS encrypted drives at boot without being prompted for a password. There's a lot of chatter about how to do this on the internet but none of it has worked for me so far. If anyone can point me in the right direction it would be appreciated.
Thanks,
Adam
Hi Adam,
Just a thought, but since the swap partition is used for system resume, having a random key passphrase might not be a very good idea since it could lead to unforeseen consequences? A frequently changed passphrase in a file might be a safer proposition in the long term.
Cheers,
John
I hadn't considered that. The system I want to secure is my server and it never sleeps/suspends. It just sometimes has to be rebooted. I want to be able to reboot it without having to be at the physical console.
In the meantime, I figured out how to use a keyfile with cryptsetup. That lets me use LUKS to encrypt and a UUID to identify the device and have it mount without prompting at boot. The crypttab entry is:
swapcrypt UUID=39fbce50-9a0f-41e7-9cfd-0b8c2fa5a963 /root/swapcrypt.keyfile luks
The UUID is not the UUID of the swap filesystem given by mkswap but the LUKS UUID obtained with:
sudo cryptsetup luksUUID /dev/sdb1
The keyfile had to be added with:
sudo cryptsetup luksAddKey /dev/sdb1 /root/swapcrypt.keyfile
I made swapcrypt.keyfile only readable by root but I'm not sure how secure this really is. If someone removes the hard drive from my server and mounts it on another system, I think they'll be able to read the password and mount the encrypted volumes. Am I missing something?
Thanks,
Adam
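An added checker, not from the lab solution or from anyone in this thread, that applies the crypttab rules Adam worked out above: plain swap keyed from /dev/urandom versus LUKS with a persistent key file, the UUID caveat for the swap option, and the key-file permission concern. The sample crypttab and the key-file mode passed in are constructed, and lint_crypttab is a hypothetical helper; on a live host you would feed it the real /etc/crypttab and os.stat(path).st_mode for each key file.

```python
import stat

# Constructed sample mirroring entries from the thread (not any real host's file).
SAMPLE_CRYPTTAB = """\
# name       source                                     key-file                 options
cryptswap    /dev/sda6                                  /dev/urandom             swap
badswap      UUID=ad5d344a-f00a-4bbe-92ba-2f9d1e393799  /dev/urandom             swap
badluks      /dev/sda11                                 /dev/urandom             luks
secret-disk  UUID=6d721972-8566-409e-b796-c1429d7670b0  none                     luks
swapcrypt    UUID=39fbce50-9a0f-41e7-9cfd-0b8c2fa5a963  /root/swapcrypt.keyfile  luks
"""


def parse_crypttab(text):
    """Yield (name, source, keyfile, options); missing fields default as crypttab does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        keyfile = f[2] if len(f) > 2 else "none"
        options = set(f[3].split(",")) if len(f) > 3 else set()
        yield f[0], f[1], keyfile, options


def lint_entry(name, source, keyfile, options, keyfile_mode=None):
    """Return findings for one entry; keyfile_mode is the key file's st_mode when known."""
    findings = []
    random_key = keyfile in ("/dev/urandom", "/dev/random")
    if "luks" in options and random_key:
        findings.append(f"{name}: LUKS needs a persistent key; a random key device will never unlock it")
    if "swap" in options and source.startswith("UUID="):
        findings.append(f"{name}: 'swap' re-runs mkswap on the mapped device each boot, so the partition has no stable UUID; use a device path")
    if random_key and "swap" in options and "luks" not in options:
        findings.append(f"{name}: a fresh random key each boot means resume-from-disk via this swap cannot work")
    if keyfile != "none" and not random_key and keyfile_mode is not None:
        if keyfile_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: key file {keyfile} is accessible to group/other; expected 0400 owned by root")
    return findings


def lint_crypttab(text, keyfile_modes=None):
    """Lint every entry (hypothetical helper); keyfile_modes maps key-file path -> st_mode."""
    modes = keyfile_modes or {}
    return {e[0]: lint_entry(*e, keyfile_mode=modes.get(e[2])) for e in parse_crypttab(text)}
```

Note that a 0400 root-only key file only protects against other users on the running system; it does not answer Adam's question about someone who removes the disk, since the file itself sits unencrypted on the root filesystem.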
Hi Adam,
I would imagine that the LUKS developers removed random key support because of the lock out risk particularly with the resume function. I think ensuring the physical security of your server is the better bet. I'd love to hear Jerry's comments on the subject.
Cheers,
John