Hi. I'm jon.404, a Unix/Linux/Database/OpenStack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.
Fun with OpenBSD softraid crypto disks
I've been playing around with setting up my own Certificate Authority for my local LAN (for things like WPA2 Enterprise, Certificate-based VPN tunnels, etc...) and I figured I'd make this "pilot" as cheap as possible. For testing purposes, I'll set it up on a USB jump drive. Encrypted, of course.
But then I got to thinking...a CA is something I'll use very often at first, but then once all of the certificates are in place, I likely won't touch it for another year. That's a *really* long time to remember a true random password, and it's even a long time to remember an algorithm-generated passphrase. I could use a keydisk, but the thought of storing the keydisk with the data itself is...well, less than optimal.
Well, unless I store the keydisk on a separate USB drive. That's still less than optimal, because the keydisks are so small (1 MB is more than enough to store the key). It is a bit wasteful to use an 8 GB jump drive to store a 1 MB keydisk, after all.
Perhaps I could put 2 keydisks on a single jump drive, use one to encrypt the other USB drive, and the other keydisk to encrypt the local USB drive...but I'm still back to the key residing in the same place as the crypto disk.
Then it occurred to me that the keydisks can reside on opposite jump drives. Huh...that has a bit of potential, but I wonder if it'd fail during boot? I've seen my fair share of crypto boot fails on quite a few OSes, so this may or may not work. Can't hurt to try, though =)
Once the install was complete, I had 2x RAID disk slices on each USB key. "a" was 1 MB on each, and "d" was the remaining disk. The "a" slices were keydisks for the other USB key's "d" slice. I booted up, and got a funny message about the crypto disks roaming, but OpenBSD was smart enough to adjust and they booted up just fine.
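The cross-keyed layout described above, sketched as an added example that is not from the original post: it prints the two bioctl(8) commands and checks that no volume is keyed from its own drive. The device names sd1 and sd2 and the function names are assumptions; each drive is assumed to already carry an "a" and a "d" partition of fstype RAID.

```shell
#!/bin/sh
# Added example (not the author's commands). Assumed names: sd1 and sd2
# are the two USB drives; "a" is the small keydisk partition and "d" the
# data chunk, both of fstype RAID in each drive's disklabel.

# Print the bioctl(8) commands that build one CRYPTO volume per drive,
# each unlocked by the keydisk partition that lives on the *other* drive.
plan_cross_keydisks() {
    drv1=$1
    drv2=$2
    [ -n "$drv1" ] && [ -n "$drv2" ] || {
        echo "usage: plan_cross_keydisks <drive1> <drive2>" >&2
        return 2
    }
    # Using one drive twice would put key and ciphertext on the same device.
    [ "$drv1" != "$drv2" ] || {
        echo "error: keydisk and data chunk must be on different drives" >&2
        return 1
    }
    echo "bioctl -c C -k /dev/${drv2}a -l /dev/${drv1}d softraid0"
    echo "bioctl -c C -k /dev/${drv1}a -l /dev/${drv2}d softraid0"
}

# Read a plan on stdin and fail if any command takes its keydisk (-k)
# and its data chunk (-l) from the same drive.
check_plan() {
    while read -r _ _ _ _ key _ chunk _; do
        # Drop the trailing partition letter to compare drive names.
        if [ "${key%?}" = "${chunk%?}" ]; then
            echo "error: $chunk is keyed from its own drive ($key)" >&2
            return 1
        fi
    done
    return 0
}
```

Review the printed plan, then run the two commands as root on the OpenBSD host; each one attaches a new sd device that holds the decrypted volume.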
That's part one. Part two is actually putting useful CA data on here. For simplicity, I put everything in /ca on a slice on the larger of the two USB keys (32G), and I put /ca/private on the other USB key. Ahh, so cute. Certs abound.
Two combination safes and I think I'm set...except, I'll need to remember the combinations. I know...I'll put the combinations in a text file and store it in a softraid crypto disk....
"It's turtles all the way down", right?
Comments
Actually, I think once I get this running on my air-gapped laptop, I'm going to set up an SSH CA as well. Good times!
Posted 03-09-2015 at 02:25 PM by rocket357