[ubuntu] Move encrypted /boot to SD card

[Tubes6al4v]

My problem is that I am running a Laptop at the moment, so cutting the power will just switch it to battery mode. My Power button is defaulted to 8 sec before forced shutdown.

[chunkymonkey]

Hi,

From what I understand, you've already got a Hardy setup with full encryption.

You just want to use an encrypted SD card, so that you need the card in the slot and want it to prompt you for a password as well?

I've managed to get my laptop to require an SD card for a keyfile. While messing around with getting this to work, I managed to come up with a script that will only boot *IF* you have the SD card in the slot.

From what I understand (I'm brand new to this...) if you've already got an encrypted HDD setup, you should be able to follow the steps in a howto to make an encrypted SD card and then just change parts of the bootscript so that it looks for an encrypted SD card.

In other words. No need to reformat your entire system.
1) Just create an encrypted SD card.
2) Generate a keyfile.
3) Set the system to accept the keyfile.
4) Change the bootscript to look for the keyfile on the SD card on boot.

[Tubes6al4v]

Thank you Chunky for reviving my interest (though it barely decreased in one day) in setting this up. Actually, reading through your guide was what had initially piqued my intest (the guide can be found here ).

I must admit, however, that reading through that guide surely made me feel like much more of a novice than you. If you could help guide me through this process, it would be greatly appreciated. It seems as though this may be something interesting for more than just us two.

I added the modules as indicated. Next I ran:

Code:

fdisk -l

Which gave me the output below. It appears that our SD drives are in the same location ( /dev/mmcblk0p1 ):

Code:

Disk /dev/mmcblk0: 1015 MB, 1015808000 bytes
32 heads, 63 sectors/track, 984 cylinders
Units = cylinders of 2016 * 512 = 1032192 bytes
Disk identifier: 0x00000000

        Device Boot      Start         End      Blocks   Id  System
/dev/mmcblk0p1               1         984      991747+   6  FAT16

I read through http://wejn.org/how-to-make-password...ryptsetup.html to get some idea of how it works. But I stopped short of actually working with it since I am unsure of how it will play into this application.

[chunkymonkey]

Sorry for the tardy reply Tubes... Real life got in the way.

I really am very new to linux in general, but I hope between the two of us we can get this to work.

First there's one important thing that I want to check.

1) Your HDD is already encrypted with LUKS (which is what I'm assuming because you've mentioned that you don't want to start from scratch again.)

***IMPORTANT*** I haven't actually tested this on my system yet, but from what I understand this should be what you need to get it to work on yours.


If it is, we can then start this (I've taken bits from both http://mazeoflies.com/articles/2008/...h-external-key and http://wejn.org/how-to-make-password...ryptsetup.html)

So we're going to prepare an encrypted SD Card to hold the keyfile for the HDD.

We're not going to do this from the Live CD, but from the booted system.

So since you know which device you're going to use /dev/mmcblk0p1

we can go straight to filling the SD card with random bits

Code:

dd if=/dev/urandom of=/dev/mmcblk0p1

(It's not really required to do this, but it will make things harder for someone who gets a hold of the card to crack it if we do this. If you want to make it even better, use /dev/random instead of /dev/urandom but it'll take a much longer time to fill the card)

Next we format the SD card with

Code:

cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/mmcblk0p1

This will ask you to provide a password for your SD Card.

Now we mount the SD Card

Code:

cryptsetup luksOpen /dev/mmcblk0p1 cryptkeys

And format as ext2.

Code:

mkfs.ext2 /dev/mapper/cryptkeys

Now since you HDD is already setup, we skip to the second howto and add the newly generated keyfile to the keys for your HDD.

From http://wejn.org/how-to-make-password...ryptsetup.html

Quote:

Part One - adding password file to LUKS First you have to determine which partition is encrypted -- you can do that by inspecting contents of /etc/crypttab: # cat /etc/crypttab sda5_crypt /dev/sda5 none luks So, we have sda5 encrypted. Good to know. Now, we need to generate key file which we'll name root.key (for instance): # head -c 2880 /dev/urandom | uuencode -m - | head -n 65 | tail -n 64 > root.key If the command sequence fails for any reason, you don't have sharutils installed. Fix that via: # apt-get install sharutils and retry the previous password file generation one-liner. You should end up with something like this: # wc -l root.key 64 root.key # head -n 3 root.key 9iDTzZlOy6P44YnoW7etVwVK7Xjj6SCvRNUkpTUPy1KjvQ3IsF 8Q4hQ+Yda6 5XkXGJC8ylvAqc1ZvLMLEhIb2L73O90WCZhoj3GUkvTeohHDWL guBl23k1AX wfVtPDZre3gpPuHhZNb3vOFzwjihfR2yMxykp6uuXjFlWLK4JN c4TLgRSWIq Now we need to add the key file to that partition key pool: # cryptsetup luksAddKey /dev/sda5 root.key You will be asked for password, which is the boot-up password you've been using so far. Cool. Now we have the password file registered as a valid key, so we just copy it over to USB stick and go about changing initramfs-tools setup. Part Two - setting up (known) safe boot option We should make backup of existing initrd before attempting to tinker with the boot setup. Here's how: Go to "/boot" and copy existing initrd image with -safe extension, to have known good copy. In my case it looks like this: # cd /boot/ # ls -1 init* initrd.img-2.6.18-5-amd64 initrd.img-2.6.18-5-amd64.bak # cp initrd.img-2.6.18-5-amd64 initrd.img-2.6.18-5-amd64-safe Now we need to add the safe option to Grub (or your favorite boot manager). Open /boot/grub/menu.lst, locate the kernel you're booting into, copy that block under the "END DEBIAN AUTOMAGIC KERNELS LIST" line. Change "initrd" definition by adding "-safe" at the end and change "title" to indicate it's your safe option. In my case the end of /boot/grub/menu.lst now looks like this: # tail -n 7 /boot/grub/menu.lst ### END DEBIAN AUTOMAGIC KERNELS LIST title Debian GNU/Linux, kernel 2.6.18-5-amd64 (safe version) root (hd0,0) kernel /vmlinuz-2.6.18-5-amd64 root=/dev/mapper/vg-root ro initrd /initrd.img-2.6.18-5-amd64-safe savedefault and I've created that from boot option that looked like this: title Debian GNU/Linux, kernel 2.6.18-5-amd64 root (hd0,0) kernel /vmlinuz-2.6.18-5-amd64 root=/dev/mapper/vg-root ro initrd /initrd.img-2.6.18-5-amd64 savedefault Part Three - making our boot process run passwordless So, now we need to make few adjustments to make it all work. First we need to add couple of modules to be loaded to the ramdisk: # echo -e "vfat\nfat\nnls_cp437\nnls_iso8859_1" >> /etc/initramfs-tools/modules because I assume you have your USB keychain with FAT filesystem and therefore you need vfat, fat, nls_cp437, and nls_iso8859_1 modules to mount it.

Here we diverge from the second Howto...

But because we're using an SD card we also have to add

Code:

mmc_core 
ricoh_mmc 
mmc_block 
sdhci

to the end of /etc/initramfs-tools/modules

(since we formatted the SD card as ext2 we probably don't need all the FAT filesystem modules, but just the SD card ones... but it won't hurt keeping them in anyway)

back to the howto

Quote:

Next we need to change /etc/crypttab to accept our custom "keyscript" with proper key file. Mine looks like this, after the modification: # cat /etc/crypttab sda5_crypt /dev/sda5 root.key luks,keyscript=/usr/local/sbin/crypto-usb-key.sh So I've changed the "key" option from "none" to "root.key" (which is the name of our pwfile) and added "keyscript" option which says to the init scripts to run that script in order to get password. So far so good. Now we need the keyscript ... add this:

This is where we make another change from the howto

We need to use a keyscript that mounts the encrypted SD card and then loads the required file from it.

I'm going to modify my SD card keyscript to make it work.

Code:

#!/bin/sh

# Part of passwordless cryptofs setup in Debian Etch.
# See: http://wejn.org/how-to-make-passwordless-cryptsetup.html
# Author: Wejn <wejn at box dot cz>
#
# Updated by Rodolfo Garcia (kix) <kix at kix dot com>
# For multiple partitions
# http://www.kix.es/
#
# Updated by Cromwel Flores <cromwel dot flores at gmail dot com>
# For Encrypted MMC/SD card using code from http://mazeoflies.com/files/keyscript
# 

# Disk partition type (ext2 or vfat)
PARTTYPE=ext2
# Key file in the disk
KEYFILE=root.key

# # # # # CODE # # # # #
MD=/tmp-mount

if [ "x$1" = "x" -o "x$1" = "xnone" ]; then
	KEYF=$KEYFILE
else
	KEYF=$1
fi

USBLOAD=0
FSLOAD=0
MMCLOAD=0
cat /proc/modules | busybox grep usb_storage >/dev/null 2>&1
USBLOAD=$?
cat /proc/modules | busybox grep $PARTTYPE >/dev/null 2>&1
FSLOAD=$?
cat /proc/modules | busybox grep mmc >/dev/null 2>&1
MMCLOAD=$?

#Check if all the required modules have been already loaded
if [ $USBLOAD -gt 0 ] || [ $FSLOAD -gt 0 ] || [ $MMCLOAD -gt 0 ]; then
	modprobe usb_storage 
	modprobe mmc_core 
	modprobe ricoh_mmc 
	modprobe mmc_block 
	modprobe sdhci 
	modprobe $PARTTYPE 
fi

OPENED=0

ls -d /sys/block/sd* >/dev/null 2>&1
SDS=$?

if [ $SDS -eq 0 ]; then
	echo "Trying to get the keyfile from physical keychain ..." >&2
	mkdir -p $MD

	#*** [Modified from http://mazeoflies.com/files/keyscript] ***
	# open the SD card, with 3 retries on the password
	count=0
	openstat=0
	while [ $count -lt 3 ]; do
	    count=$(( $count + 1 ))
	    if [ ! -e /dev/mapper/bootkey ]; then
	        echo -n "Enter Passphrase ==> " > /dev/console
	        cryptsetup luksOpen /dev/mmcblk0p1 bootkey > /dev/null 2>&1
	        openstat=$?
	    else
	        break
	    fi
	done

	# check for failure
	if [ $openstat -ne 0 ]; then
		echo "Failed to open device" > /dev/console
		exit 1
	#*** [/Modified from http://mazeoflies.com/files/keyscript] *** 
	else
		# Try getting file from SD Card
		echo "> Looking for keyfile in SD Card ..." >&2
		mount /dev/mapper/bootkey $MD -t $PARTTYPE -o ro 2>/dev/null
	
		if [ -f $MD/$KEYF ]; then
			cat $MD/$KEYF
			umount $MD 2>/dev/null
			OPENED=1
		else
			echo "> Could not find keyfile in SD Card ..." >&2
		fi
	fi
	umount $MD 2>/dev/null
	rmdir $MD 2>/dev/null
fi

I knocked up the keyscript without testing it, so it might need some ironing out. Note: Do not delete your HDD password until you're sure that this script is bulletproof... cause otherwise you are SOL.

Now we return to the howto

Quote:

as /usr/local/sbin/crypto-usb-key.sh and chmod it a+x ... Finishing line! All you need to do now is to update your initrd: Code: update-initramfs -u all and you're ready to reboot!

Try rebooting.
The way things are setup right now, you should be prompted for the password for your SD Card. You have 3 tries to get it right.
If you mess up or it can't find the keyfile on the SD Card your machine won't allow you to decrypt your HDD.

You'll have to restart and press esc when grub comes up and choose the safe boot option that will prompt you for your HDD password instead of trying to get the key from the SD card.

Once you're sure that everything is working, then you can go ahead and delete the HDD password using cryptsetup luksDelKey
(remember that if you do this and lose your SD card, you are so outta luck...)

I'm not gonna have stable net access for a week or so after Friday, but drop me a pm and let me know how things work out for you.

Good luck.

[kevdog]

To to be rude, but I about cra**ed my pants when I saw the Chucky had posted a rather detailed, informative, instructional reply. Holy cow -- is the sky falling?

[Tubes6al4v]

I certainly did not expect you to do this! Thank you very much for the write-up. I had been chasing this down (staring at your script for way too long, trying to figure it out), and ran into the same problem I get here:

When I enter:

Code:

cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/mmcblk0p1

I got:

Code:

cryptsetup luksFormat --hash=sha512 --cipher=aes-cbc-essiv:sha256 --key-size=256 /dev/mmcblk0p1

I did fdisk -l and found that my MMC card has 16 sectors. Looking into some documentation, I could not find any direct correlation between the sector size and the cypher used.

Using cat /proc/crypto lists sha256 as supported.


I just thought I would update you as far as I have gotten with this. I'll update more as I go along.


UPDATE:

Using:

Code:

cryptsetup -c aes-cbc-essiv:md5 -y -s 8 luksFormat /dev/

leaves me with the same message, but saying that my card meeds to have 16 sectors (which fdisk confirmed I have). Bummer. I'll try a work around with Truecrypt.

[chunkymonkey]

Quote:

Originally Posted by kevdog To to be rude, but I about cra**ed my pants when I saw the Chucky had posted a rather detailed, informative, instructional reply. Holy cow -- is the sky falling?

Huh? Do you mean that my other posts weren't informative? Or am I being mixed up with someone else?

@Tubes6al4v
You're welcome. =D

Although, all I really did was just cut and paste selected bits from two other walkthrough to try and get this thing to work.

I don't actually know much about how cryptsetup works... we're both gonna be stuck poring over the documentation for it. (but I have a feeling that you didn't correctly copy the error message in your post?)

All that line is supposed to do is to make your SD card encrypted... So you should be able to do that with TrueCrypt but I'm not familiar with TrueCrypt so I don't know if the mishmash of a keyscript I put together will work properly with it or not.

Good luck and keep us posted.

[chunkymonkey]

Actually, while I'm thinking about it what happens if you try this?
(I'm at work atm, so I can't test this out.)

Code:

 cryptsetup luksFormat /dev/mmcblk0p1

And then let it prompt you for all the options?

Also I'm not sure if the card is supposed to be unmounted before you do this.

[Tubes6al4v]

Final Reply Before bed:

I dropped the "p1" off of /dev/mmcblk0p1"

And that got me through to the end.

When I attempt to "sudo update-initramfs -u all" I get this response:

Code:

update-initramfs: Generating /boot/initrd.img-2.6.24-18-generic
cryptsetup: WARNING: target sda5_crypt has an invalid keyscript, skipped
cryptsetup: WARNING: target sda5_crypt has an invalid keyscript, skipped

I have tried to play with different angles. Anyway, I'll pick this up tomorrow evening. Thanks!

[chunkymonkey]

=D Awesome.

Umm... Did you set the permissions correctly for the keyscript?
(again from memory)

Code:

 sudo chmod a+x /usr/local/sbin/crypto-usb-key.sh