LinuxQuestions.org
Old 08-15-2012, 06:00 AM   #1
daviddbb
LQ Newbie
 
Registered: Aug 2012
Posts: 2

Rep: Reputation: Disabled
Encrypted File system issues


Hello,
I recently installed CentOS 6.2. During the installation I used the installer Disk Manager to create '/' as an encrypted file system.
Now, by default, every time the system reboots I have to enter the password to open the encrypted file system.
The problem is that after I created a pass file for automatic opening of the encrypted file system, it still asks for the password.

================
Code:
cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	512
MK digest:     	71 e7 f2 6a 3f ab 60 35 33 99 fe 9c 6c cc 23 af 07 15 83 87 
MK salt:       	c4 a2 d4 57 53 6a 8e b3 fd 97 a7 5d f7 aa a8 9c 
               	d6 b7 8d 06 71 7a b7 a1 e0 ff 9d de 58 41 12 13 
MK iterations: 	48125
UUID:          	f2f4364c-f74f-4f18-92ce-0a3c84c406e7

Key Slot 0: ENABLED
	Iterations:         	187612
	Salt:               	33 60 ff 8a 2d f1 fd 61 b3 36 32 8a 23 31 bb 6b 
	                      	14 a2 28 4d 4a 9c fb f3 93 03 b8 d1 b8 a2 1e 13 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: ENABLED
	Iterations:         	190629
	Salt:               	69 1f 60 54 96 e9 f3 a2 ec 9b 94 00 9e fd c0 0c 
	                      	43 0e 3b 86 91 0f a1 bc 00 c7 d8 74 ad 08 55 23 
	Key material offset:	512
	AF stripes:            	4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
================
Code:
[root@crypted ~]# cryptsetup isLuks /dev/sda3
[root@crypted ~]# mount
/dev/mapper/luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw
================
This is the crypttab:
Code:
================
luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 UUID=f2f4364c-f74f-4f18-92ce-0a3c84c406e7 /root/passfile 
================
Both of the key slots are key-files, but after boot it seems like the system ignores them and always asks for a password entry.
I wonder if I missed something.

This is grub.conf:
Code:
================
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-279.5.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-279.5.1.el6.x86_64 ro root=/dev/mapper/luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 rd_LUKS_UUID=luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-279.5.1.el6.x86_64.img
================
Please advise me.

Last edited by daviddbb; 08-16-2012 at 05:50 AM.
 
Old 08-16-2012, 06:44 AM   #2
shm0
Member
 
Registered: Aug 2012
Location: Bahrain
Distribution: Slackware
Posts: 58

Rep: Reputation: 16
According to this document, if you are encrypting the root partition, you should leave at least 1 other partition un-encrypted. That would be the /boot partition which includes the grub.conf file. Check the section with the title: Encrypted root filesystem.
 
Old 08-16-2012, 07:12 AM   #3
daviddbb
LQ Newbie
 
Registered: Aug 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
I know that, but /boot is not encrypted.
Quote:
/dev/sda1 194M 66M 118M 36% /boot
Quote:
[root@crypted ~]# cryptsetup isLuks /dev/sda1
Device /dev/sda1 is not a valid LUKS device.
 
Old 08-16-2012, 04:14 PM   #4
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Rep: Reputation: 22
Well if you have the encrypted part in fstab set to auto mount, and it asks for the password on boot, then it shouldn't ask again.
 
Old 08-16-2012, 04:28 PM   #5
shm0
Member
 
Registered: Aug 2012
Location: Bahrain
Distribution: Slackware
Posts: 58

Rep: Reputation: 16
daviddbb: You kept the passfile under /root. By the time you boot your server the whole / partition is encrypted, including the passfile. You should keep it under /boot instead.
 
Old 08-18-2012, 01:46 PM   #6
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 139
As indicated, if crypttab is on / rather than boot it isn't available until after / is decrypted.

Keeping the key-file in the unencrypted /boot partition on the same system basically makes the encryption pointless, as anyone can then access the encrypted partitions. A better way is to store the key-file on a USB keydrive or CD/DVD that is accessible to be read by the system at boot time and can be removed and kept separate otherwise.
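
The two diagnoses given in this thread (a key file stored inside the volume it is supposed to unlock, and a key file stored on an unencrypted partition) written as a check. This is an added example, not part of any poster's reply; the crypttab line and mount table are constructed from the values posted above, and the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify where each crypttab key file lives relative to
# the volume it is meant to unlock. Function names and verdicts are hypothetical.

# Constructed copy of the crypttab line posted in the thread.
CRYPTTAB='luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 UUID=f2f4364c-f74f-4f18-92ce-0a3c84c406e7 /root/passfile'

# Constructed mount table, "source mountpoint" per line, from the posted mount output.
MOUNTS='/dev/mapper/luks-f2f4364c-f74f-4f18-92ce-0a3c84c406e7 /
/dev/sda1 /boot'

# source_of PATH MOUNTS -> device backing PATH (longest mount-point prefix wins)
source_of() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { mp = $2; pre = (mp == "/") ? "/" : mp "/"
          if ((p == mp || index(p, pre) == 1) && length(mp) > best) {
              best = length(mp); src = $1 } }
        END { print src }'
}

# classify_keyfile NAME KEYFILE MOUNTS -> prompt | circular | mapped | cleartext
classify_keyfile() {
    case "$2" in ''|none|-) echo prompt; return ;; esac   # no key file: passphrase prompt
    src=$(source_of "$2" "$3")
    case "$src" in
        "/dev/mapper/$1") echo circular ;;   # key file is inside the volume it unlocks
        /dev/mapper/*)    echo mapped ;;     # on another device-mapper volume (may or may not be encrypted)
        *)                echo cleartext ;;  # readable by anyone with access to the disk
    esac
}

# audit_crypttab CRYPTTAB MOUNTS -> one "name keyfile verdict" line per entry
audit_crypttab() {
    printf '%s\n' "$1" | while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        echo "$name ${key:-none} $(classify_keyfile "$name" "$key" "$2")"
    done
}

audit_crypttab "$CRYPTTAB" "$MOUNTS"
```

A `circular` verdict matches the situation described in post #5; moving the key file to `/boot` changes the verdict to `cleartext`, which is the exposure described in post #6.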
 
  

