LinuxQuestions.org
Old 11-01-2011, 09:28 PM   #1
alexjohnson
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Rep: Reputation: Disabled
Slackware64 13.37 server with LUKS automount


I want to set up a Slackware64 13.37 server with RAID1, LVM2, and LUKS with automount. I already know how to set up RAID1/LUKS/LVM on the server; what I would like to have is the LUKS partition (which will contain the LVM volumes) automount in case I have to restart the server remotely.

I'm guessing I will have to use a key file for the automount, but I'm not sure how to do it.

I'm trying to achieve what Ubuntu does during setup where it allows you to choose to encrypt the home folder and automount it so it's fully accessible remotely (via SSH for example) after a reboot but only for the entire filesystem (not including /boot which will have to stay unencrypted).

I would also like to make sure (if possible) that if I do use a key file to automount the LUKS partition, the file itself won't just reside on the server accessible to anyone with physical access and a LiveCD.

Thanks.
 
Old 11-02-2011, 04:00 PM   #2
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 138
As I understand your question, I don't think this is going to be possible.

In order for LUKS to unlock a partition it needs either a passphrase, or a keyfile. These need to be able to be input at boot. If you need to unlock the root partition before you can continue the boot, there is no way to enter a passphrase remotely (since services such as ssh aren't started yet) and unless the keyfile is accessible to the server (on a disk or flash key) it won't be able to unlock that way either. This is why Ubuntu only does the /home directory. (BTW encrypting partitions only to automount them using system stored keys is a waste of time.)

There are two other possibilities.

The first is to use server hardware that has an onboard remote hardware console accessible through the network.

The second is to place the keyfile on a remote system capable of responding to the LUKS request for the keyfile. For proper security this network connection and the system on which the keyfile resides should be secure. Note: I have not tried this with LUKS so I am not certain if it is even a viable option.
 
Old 11-02-2011, 04:37 PM   #3
alexjohnson
LQ Newbie
 
Registered: Oct 2011
Posts: 12

Original Poster
Rep: Reputation: Disabled

I guess my Google-fu isn't what it used to be; I found several posts about remotely unlocking LUKS partitions.

http://www.debian-administration.org/articles/579
http://www.howtoforge.com/unlock-a-l...-ssh-on-ubuntu
https://wiki.archlinux.org/index.php...r.29_partition

I'll have to try it out and see what happens.

Thanks for responding.
 
Old 11-04-2011, 07:53 AM   #4
xj25vm
Member
 
Registered: Jun 2008
Posts: 262

Rep: Reputation: 17
I have been pondering the same question for a good while - as I wanted to secure the data on my server with encryption in case it gets stolen - but, also, to be able to cope with the server restarting automatically. I obviously can't be in front of it to type a passphrase when it restarts. Nor is there any point in leaving something like a USB memory stick plugged in all the time, with the keys on it, in case it reboots.

What I ended up doing is the following:

1. Store all confidential/personal data under /srv. For example, Dovecot stores all my imap emails in /srv/dovecot, Samba keeps all the shares under /srv/samba and so on.
2. Keep all this stuff on another partition (/dev/sda3 in my case) which is encrypted (so it is actually /dev/mapper/lukssda3 after LUKS unlocks it).
3. Mount /dev/mapper/lukssda3 under /srv.
4. Change services/software/daemons which store data under /srv to manual start, so they don't start automatically during boot - when there would be no /srv available and mounted.

During boot, the server restarts fine - it just doesn't mount /srv or start things like imap, samba and my Asterisk server. However, everything else starts just fine, including openvpn. All I have to do is log in remotely, unlock the encrypted partition with a passphrase, mount it and start the necessary services.

It is not a fully automatic solution, but as the server is on a UPS and power cuts are very rare around here - having to log in remotely to start services after a reboot would be a rare event.

On the other hand - if somebody happens to steal the server - they would just get access to the run-of-the-mill part of the system - which doesn't contain any sensitive data. I can just re-create my OpenVPN CA and new certificates - so even that is not a problem.

If you want to be extra cautious - you can even tell LUKS to encrypt the swap.

At least that's what I came up with. I would actually be glad if somebody could point out any weaknesses in this particular arrangement. It is obviously not designed to protect against somebody trying to gain access from the Internet, or somebody sitting in front of the server and taking their time (although if they reboot it, the partition would be locked). Those are different matters, to be dealt with other tools.

Hope the above helps.
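The manual "log in, unlock, mount, start services" sequence from the post above, written out as an added example script (it is not from the thread, and not part of Slackware). It takes /dev/sda3 and the mapping name lukssda3 from the post; the rc.d script names rc.dovecot, rc.samba and rc.asterisk are assumed placeholders for whatever starts the daemons that were switched to manual start in step 4. The one thing it adds to the post's description is a check that /srv really is the mapped LUKS volume before any service is started, so that a daemon never writes its data into a bare /srv directory on the unencrypted root filesystem. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# unlock-srv.sh: after a reboot, unlock the LUKS data partition over the SSH
# session, mount it on /srv and start the services whose data lives there.
# Added example, not from the thread. Device, mapping name and rc.d script
# names below are assumptions taken from (or placeholders for) the post.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/sda3}"          # encrypted partition (from the post)
MAP_NAME="${MAP_NAME:-lukssda3}"           # dm-crypt mapping name (from the post)
MOUNT_POINT="${MOUNT_POINT:-/srv}"         # where the data partition is mounted
# rc.d scripts of daemons that keep data under /srv (assumed placeholder names)
SERVICES="${SERVICES:-rc.dovecot rc.samba rc.asterisk}"
# DRY_RUN=1 only echoes the commands instead of running them
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Succeeds only when MOUNT_POINT is currently backed by the LUKS mapping.
# Starting a service while /srv is just a directory on the root filesystem
# would make it store data there unencrypted, defeating the whole arrangement.
srv_is_encrypted_mount() {
    if [ "$DRY_RUN" = 1 ]; then
        return 0
    fi
    awk -v dev="/dev/mapper/$MAP_NAME" -v mp="$MOUNT_POINT" \
        '$1 == dev && $2 == mp { found = 1 } END { exit !found }' /proc/mounts
}

unlock_srv() {
    # cryptsetup asks for the passphrase on the terminal of the SSH session
    run cryptsetup luksOpen "$LUKS_DEV" "$MAP_NAME"
    run mount "/dev/mapper/$MAP_NAME" "$MOUNT_POINT"
    if ! srv_is_encrypted_mount; then
        echo "refusing to start services: $MOUNT_POINT is not the encrypted volume" >&2
        return 1
    fi
    for svc in $SERVICES; do
        run "/etc/rc.d/$svc" start
    done
}

lock_srv() {
    # Reverse order: stop the writers first, then unmount, then drop the key
    for svc in $SERVICES; do
        run "/etc/rc.d/$svc" stop
    done
    run umount "$MOUNT_POINT"
    run cryptsetup luksClose "$MAP_NAME"
}

case "${1:-}" in
    unlock) unlock_srv ;;
    lock)   lock_srv ;;
    *)      echo "usage: $0 unlock|lock" >&2 ;;
esac
```

Usage after logging in over SSH as root: `sh unlock-srv.sh unlock`, and `sh unlock-srv.sh lock` to stop the services, unmount and close the mapping again before a planned shutdown. The mount check reads /proc/mounts rather than trusting that `mount` succeeded, so it also catches the case where /srv was already mounted from somewhere else.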
 
  

