Passwordless encryption of the Linux root partition on Debian 8 with a USB key

Encrypting critical data on a storage device (hard disk, portable memory stick) is necessary so that an intruder who obtains the device cannot read sensitive information from it. In this tutorial, the focus is the security of the Linux root filesystem and the swap area. The default Linux disk-encryption feature, LUKS, will be used; it requires a passphrase at boot time. The next goal is therefore to provide the passphrase to the encrypted volume automatically at boot time. A few articles on the same topic exist for older Debian releases; in this tutorial, Debian 8 (Jessie) is installed on a VirtualBox VM.

Debian OS Installation 

In this tutorial, Debian Jessie is installed on a VM; the VM details are shown in the following figure. The same procedure works on a "real" server or desktop as well.

Attach the Debian net installer ISO file to the VM and start the VM; the installer prompt will appear. Select the "Install" option to start the installation process.

Select Install option in Debian installer.

The following few screens will prompt for the basic settings of Debian. Select the desired language option from the given list.

Select the language

Select country or area as shown in the following figure.

Select your country

Configure the language for the keyboard.

Configure keyboard language.

After the basic settings, the installer loads more components for configuration.

Loading components

Again, more base settings will be configured during the installation process.

1. Setting hostname

Set the hostname

2. Configuring Domain name

Configure the domain name

3. Setting a password for the "root" user.

Set the root password

Retype the root password

4. Creating a new user other than root.

Create non root user

Enter the username

Enter the password

Re-type the password.

5. Setting the time zone

Set the time zone

6. And finally, the most important part is the partitioning of the disk.

Select manual disk partitioning

Manual partitioning of the hard disk is required for this article. Therefore, select the "Manual" option in the above prompt and select the desired hard disk to start the process.

Select the harddisk

As shown in the above figure, Debian will be installed on the VM's disk. Press enter to start partitioning the selected hard disk, as shown below.

Start partitioning

The following screen shows up after the above message is accepted. As the screenshot shows, there is currently no partition on the hard disk.

No partition available yet

Press "enter" to create the first partition on the virtual hard disk.

Create partition

The first partition created on the hard disk is "/dev/sda1", which will hold the "/boot" mount point.

Partition for /boot mount point

Select the partition type, Primary or Logical.

Add new primary partition

Select the location of the new partition.

Select a location for the partition

Mount point "/boot" is shown in the following screenshot.

/boot mount point has been created

The first partition has been successfully created on the hard disk. The Linux kernel and initramfs are later placed in the "/boot" partition, which is why it must stay unencrypted.

Boot partition created

The second partition created on the VM hard disk is swap; the size of the swap partition should be double the RAM size. As shown in the following screenshot, the remaining free space is selected for swap.

Select space for swap partition

Set the size of the swap partition.

Set swap size

The following screenshot shows that the partition is selected as swap area.

select swap partition

Another partition is also created on the VM.

Create another partition

The core partition of the Linux system is created on the remaining space for / (the "root" mount point). The following screenshot shows the size of the "root" partition.

Add root partition

Select the "physical volume for encryption" option for the new partition on the hard disk.

Select encryption type for root partition

The highlighted option in the following screenshot is required to encrypt the partition.

select encryption option

The partition setup after selecting "physical volume for encryption" is shown in the following figure. The default encryption method is device-mapper (dm-crypt) and the encryption algorithm is AES with a 256-bit key.

Use dm-crypt

The successful creation of the partition on the virtual hard disk is shown in the figure below.

Partition successfully created

Next comes the advanced configuration of encrypted volumes on Debian, which is selected in the following screenshot.

Advanced encryption configuration

The following prompt shows that the current partitioning scheme must be written to the hard disk before the configuration of the encrypted volume can start.

save partition setup first

The following prompt shows the creation of the encrypted volume on the Debian platform.

Create encrypted volume

Select the devices for the encrypted volume. Do not select the boot device "/dev/sda1" for the encrypted volume, because the boot partition cannot be encrypted.

As shown in the following screenshot, only "/dev/sda3", the root partition of the disk, is selected for the encrypted volume.

Select device that shall be encrypted

After the configuration of the encrypted volume, select Finish to apply the changes.

Apply changes

However, the following error appears if the swap partition is not also selected for an encrypted volume.

Encrypted volume error.

Therefore, we select both partitions for the encrypted volume.

add swap to encrypted volume

The partition settings for the encrypted swap volume are shown below.

The result of our selection

The following prompt warns that the data on "sda2" (swap) will be erased.

Confirm that data gets erased from /dev/sda2

Erasing the data on "sda2" and "sda3" is shown below.

Erasing data from sda2

Erasing data from sda3

After the erase process has finished, enter a passphrase for each of the two encrypted partitions.

Enter passphrase for the partition

Re-enter the same passphrase.

Re-enter the password

The partition table after successful configuration of the encrypted volumes on the disk is shown below.

Resulting partition table

Finish the partitioning process to start the installation of the Debian OS. However, the following error prompt will appear, because the mount point "/" has not yet been assigned to any partition.

Set the root file system

After the above error prompt, reconfigure the encrypted volumes to set the mount point. In this article, "sda3_crypt" is the root filesystem and "sda2_crypt" is the swap area.

set root file system

Select mount point "/" for the encrypted volume.

Select / as mount point

Select the "sda2_crypt" encrypted volume as the swap area.

Select swap area.

The following screenshot shows the final partition table for encrypted volumes.

Partition table result

Formatting of partitions is shown below.

Formatting partitions

After the formatting process completes, the base system is installed.

System installation progress

The following screenshot shows the selection of the archive mirror for the Debian packages.

Select Debian mirror

The package manager configuration is shown below.

Installing packages

Only the base (core) system is installed at this point; other packages can be installed from the list shown.

Just install the core system

Select desktop environment and other packages from the list.

Select Desktop environment

Installation of selected packages is shown below.

Installing packages

Installation of the Linux boot loader "GRUB" is shown in the following screenshot.

Installing Grub

The whole device (sda) is selected for the boot loader installation.

Select sda for the boot loader

Finally, the installation process is complete.

Installation finished

After the reboot, enter the passphrase to decrypt the sda3 partition.

Enter passphrase

Enter the passphrase to decrypt the sda2 partition, which is the swap area.

Same for the swap area

Log in to the installed system.

Successfully logged in

Configuration for passwordless root filesystem

The process of entering the passphrase at boot time will now be automated using a USB memory stick. Instead of a passphrase, a secret key stored on the USB stick will unlock the encrypted volume. Connect a USB stick to the VM and locate it using the "dmesg" command. It is detected as "/dev/sdb" in my VM.

Find the USB stick with dmesg

A secret key of 8192 random bytes (16 sectors of 512 bytes, starting at sector 4) is read from the USB stick using the dd command.

dd if=/dev/sdb of=/root/secret.key bs=512 skip=4 count=16

dd command

The secret key extracted above is added to the encrypted volume using the "cryptsetup" command. By default, the passphrase entered during installation occupies key slot 0; slot 1 will therefore be used for the second key.

Run the "blkid" command to get the details (including the UUIDs) of the volumes on the disk.

blkid

using blkid

In this tutorial, the secret key for decrypting the volume is added to /dev/sda3 only. However, it can be added to the "/dev/sda2" (swap) partition as well.

cryptsetup luksAddKey /dev/sda3 /root/secret.key --key-slot 1

add luks key
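The three steps above (reading the key region from the stick, enrolling it in slot 1, and confirming the slot works) as one POSIX shell script. This is an added example, not part of the original article or of the oxygenimpaired.com scripts. It assumes the article's paths (/dev/sdb, /root/secret.key, /dev/sda3); the key_looks_usable check is this example's own addition and catches a stick whose key region was never filled with random data and therefore reads as all zeros.

```shell
#!/bin/sh
# Added example: extract the key region the article uses, sanity-check it,
# and only then enrol it in LUKS slot 1. Requires root for the cryptsetup part.
set -eu

# Same offsets as the article's dd command: 16 sectors of 512 bytes from sector 4.
KEY_BS=512
KEY_SKIP=4
KEY_COUNT=16

# extract_key DEVICE OUTFILE: copy the key region out of DEVICE into OUTFILE.
extract_key() {
    dd if="$1" of="$2" bs=$KEY_BS skip=$KEY_SKIP count=$KEY_COUNT 2>/dev/null
    chmod 600 "$2"
}

# key_looks_usable FILE: succeeds only if FILE is exactly 8192 bytes and contains
# many distinct byte values. A blank or freshly formatted stick yields all-zero
# sectors, which would be a worthless key that still "works" in cryptsetup.
key_looks_usable() {
    size=$(wc -c < "$1")
    [ "$size" -eq $((KEY_BS * KEY_COUNT)) ] || return 1
    # count distinct byte values: random data has ~256, an all-zero block has 1
    distinct=$(od -An -v -tu1 "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -u | wc -l)
    [ "$distinct" -gt 64 ]
}

# enrol_key LUKSDEV FILE: add FILE to slot 1 (prompts for the slot-0 passphrase),
# then prove that slot 1 alone unlocks the header, and show the slot status.
enrol_key() {
    cryptsetup luksAddKey "$1" "$2" --key-slot 1
    cryptsetup luksOpen --test-passphrase --key-file "$2" --key-slot 1 "$1"
    cryptsetup luksDump "$1" | grep -E '^Key Slot [01]:'
}

# Run the article's values end to end with: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    extract_key /dev/sdb /root/secret.key
    key_looks_usable /root/secret.key || { echo "key region on stick is blank" >&2; exit 1; }
    enrol_key /dev/sda3 /root/secret.key
fi
```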

A simple udev rule is created for the USB device in the file /etc/udev/rules.d/99-custom-usb.rules; the symbolic link we will use is /dev/usbdevice.

SUBSYSTEMS=="usb", DRIVERS=="usb",SYMLINK+="usbdevice%n"

Add udev rule

Reload rules using the following command.

udevadm control --reload-rules

Reload udev rules

Insert the USB device to verify that the custom rule creates the symlink.

Verify that the udev rule works

A shell script is required to read the secret key from the USB device and pass it to cryptsetup at boot time. The script is created as "/usr/local/sbin/openluksdevices.sh" and is taken from the http://www.oxygenimpaired.com/ site.

#!/bin/sh
############taken from following link#########
###http://www.oxygenimpaired.com/debian-lenny-luks-encrypted-root-hidden-usb-keyfile

TRUE=0
FALSE=1

# flag tracking key-file availability
OPENED=$FALSE

if [ -b /dev/usbdevice ]; then
    # the udev symlink exists: write the 8192-byte key region (sectors 4..19)
    # of the stick to stdout, which cryptsetup reads as the key file;
    # dd's transfer statistics go to stderr so they cannot pollute the key
    dd if=/dev/usbdevice bs=512 skip=4 count=16 2>/dev/null
    OPENED=$TRUE
fi

if [ $OPENED -ne $TRUE ]; then
    # no stick found: fall back to asking for the slot-0 passphrase interactively
    echo "FAILED to get USB key file ..." >&2
    /lib/cryptsetup/askpass "Try LUKS password: "
else
    echo "Success loading key file for Root . Moving on." >&2
fi

sleep 2

Set the permissions of the script so that it can be executed.

 chmod a+x /usr/local/sbin/openluksdevices.sh

Add execute permissions

Similar to the fstab configuration file, the crypttab file contains the information about encrypted volumes on the Linux system. Reference the shell script as the keyscript for the sda3_crypt encrypted partition. The content of the configuration file "/etc/crypttab" for the encrypted volume is given below.

sda3_crypt /dev/disk/by-uuid/c37a8128-5ea9-45c6-8890-d52f3d452ccc none luks,keyscript=/usr/local/sbin/openluksdevices.sh

content of crypttab

Add the following line in the "/etc/initramfs-tools/conf.d/cryptroot" file. 

CRYPTROOT=target=sda3_crypt,source=/dev/disk/by-uuid/c37a8128-5ea9-45c6-8890-d52f3d452ccc

add line to cryptroot

Make sure "usb_storage" is listed in the "/etc/initramfs-tools/modules" file, otherwise the stick is not visible when the keyscript runs in the initramfs.

ensure that usb_storage module is loaded

The following initramfs hook script (/etc/initramfs-tools/hooks/udevusbkey.sh) is also taken from an external source. It copies the custom udev rule into the temporary filesystem ("initrd") so that the /dev/usbdevice symlink also exists during early boot.

#!/bin/sh
# udev-usbkey script
###taken from
###http://www.oxygenimpaired.com/ubuntu-with-grub2-luks-encrypted-lvm-root-hidden-usb-keyfile
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Copy the custom rule into the initramfs so the /dev/usbdevice symlink
# is also created in the early boot environment where the keyscript runs
mkdir -p "${DESTDIR}/lib/udev/rules.d"
cp /etc/udev/rules.d/99-custom-usb.rules "${DESTDIR}/lib/udev/rules.d/"

exit 0

The script

Make the hook script executable.

 chmod a+x /etc/initramfs-tools/hooks/udevusbkey.sh

Make the script executable

Some changes are required in the GRUB2 boot loader configuration. However, the configuration file "/boot/grub/grub.cfg" must not be edited directly, because it is regenerated by update-grub. Therefore, change the "GRUB_CMDLINE_LINUX_DEFAULT" parameter in the "/etc/default/grub" configuration file instead. As shown below, "rootdelay" (giving the USB stick time to be detected) and "cryptopts" (naming the target, the source device and the keyscript) are included in the "GRUB_CMDLINE_LINUX_DEFAULT" parameter.

GRUB_CMDLINE_LINUX_DEFAULT="rootdelay=20 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/c37a8128-5ea9-45c6-8890-d52f3d452ccc,keyscript=/lib/cryptsetup/scripts/openluksdevices.sh"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains

grub configuration file

Run the "update-grub" command to apply the above changes to the "/boot/grub/grub.cfg" configuration file.

run update-grub

After the above command, the following changes appear in the "/boot/grub/grub.cfg" configuration file.

echo    'Loading Linux 3.16.0-4-686-pae ...'
linux   /vmlinuz-3.16.0-4-686-pae root=UUID=b30cdb22-8e3c-4ffd-a0c7-af96b90ba016 ro  rootdelay=20 cryptopts=target=sda3_crypt,source=/dev/disk/by-uuid/c37a8128-5ea9-45c6-8890-d52f3d452ccc,keyscript=/lib/cryptsetup/scripts/openluksdevices.sh
echo    'Loading initial ramdisk ...'
initrd  /initrd.img-3.16.0-4-686-pae

Run "update-initramfs -u" to regenerate the initramfs image for all installed kernels.

update-initramfs -u

Before rebooting, unpack the newly generated "initrd.img" and verify that the keyscript has been copied to the "lib/cryptsetup/scripts" directory and the custom udev rule to the "lib/udev/rules.d/" directory.

cd /tmp/
zcat /boot/initrd.img-3.16.0-4-686-pae | cpio -iv

Check the initrd image

The keyscript is successfully included in the initramfs scripts.

The keyscript is included

The custom USB rule is also included in the udev rules.

The usb rule is included

Attach the USB device to the VM in its settings before testing the entire setup.

add usb device to vm

Finally, the secret key is successfully loaded for the encrypted volume.

The secret key gets loaded successfully on boot.

Conclusion

In this article, an encrypted partition is opened using a secret key kept on a USB memory device. A shell script, run automatically from the initramfs, provides the secret key for the encrypted volume at boot time.
