LinuxQuestions.org
Old 08-24-2016, 08:15 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
Encrypted data drives on a headless server


Firstly can someone point me to a HIGH LEVEL somewhat CONCEPTUAL tutorial on cryptsetup? I know a lot of the nuts and bolts but, as my second question will show, I need some guidance on WHAT to do. The HOW I can probably figure out.

Here is the situation...

I am putting together a server for data archiving. I have a bare bones Dell T130 server (on the way). I will be running CentOS 7 from a USB flash drive (already do this on my T20 works great) and will initially install 2 - 6 TB drives and 2 - 4 TB drives. Data will be mirrored between the 6 TB drives and between the 4 TB drives. I am already doing this on the T20 server with 4 TB drives.

For the new server I wish to encrypt the drives mainly so that if I ever need to return one under warranty I do not have to spend a day or more wiping the drive before releasing it or facing the situation of scrapping the drive if I cannot wipe it. That said, this is also a learning exercise....

Putting together pieces of scripts I have used for managing encrypted partitions under other situations I could do something like this.

1 - Boot the server
2 - Connect with ssh
3 - Run a script something like
Code:
#!/bin/bash

# Prompt once; the same passphrase is used for all four drives below.
echo "Enter passphrase"
read -r -s pass

# echo is a shell builtin, so the passphrase piped to cryptsetup does not
# show up in the process list; mount the opened volume right after.
echo "$pass" | cryptsetup luksOpen /dev/sda1 sda1
mount /dev/mapper/sda1 /data/secret1

echo "$pass" | cryptsetup luksOpen /dev/sda2 sda2
mount /dev/mapper/sda2 /data/secret2

echo "$pass" | cryptsetup luksOpen /dev/sda3 sda3
mount /dev/mapper/sda3 /data/secret3

echo "$pass" | cryptsetup luksOpen /dev/sda4 sda4
mount /dev/mapper/sda4 /data/secret4

# Drop the passphrase from the shell before exiting.
unset pass
exit
which assumes that all 4 drives have the same passphrase. Not very elegant, but typical of my pick and shovel scripting style.

I guess what I would like to do would be to provide a decryption key which would automagically unlock and mount the drives on boot. The key file would be stored on a flash drive which could be removed after boot and physically protected, thus rendering the server secure if stolen or picked up by a black helicopter or some such catastrophe.

I do not know where to start on such an approach as I do not even know if such a thing is possible. Any pointers?

TIA,

Ken

p.s. The key advantage of the second approach would be the elimination of the need to enter a passphrase. Security would be provided by physical control of the flash drive containing the key file.

Last edited by taylorkh; 08-24-2016 at 08:17 AM. Reason: ps
 
Old 08-24-2016, 02:39 PM   #2
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: Gentoo, LFS, Debian,Ubuntu
Posts: 1,537

Rep: Reputation: 87
This looks like what you're trying to do with a keyfile. You can put the file on just about anything including a USB drive and make it act like a key.

https://www.howtoforge.com/automatic...with-a-keyfile
 
1 members found this post helpful.
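The keyfile-at-boot approach exvor points to, written out as an added example; this is not the thread's script nor the howtoforge article's, and every name in it is an assumption: LUKS partition /dev/sda1, mapper name secret1, keyfile /root/keys/secret1.key (on the OS flash drive, which is itself removable), mount point /data/secret1, ext4. The existing passphrase stays in its own key slot, so the drive remains openable if the keyfile is lost, and the keyfile is refused if anyone but root can read it.

```shell
#!/bin/bash
# Added example (not from the thread or the linked article): prepare a keyfile
# and the /etc/crypttab and /etc/fstab entries for boot-time unlock of one
# LUKS data drive. Assumed names: /dev/sda1, mapper "secret1",
# keyfile /root/keys/secret1.key, mount point /data/secret1.
set -eu

# Create a random keyfile readable only by root. 4096 bytes is an assumption;
# any size works, and 4 KiB from /dev/urandom is far stronger than a typed passphrase.
make_keyfile() {
    local path="$1" bytes="${2:-4096}"
    mkdir -p "$(dirname "$path")"
    (umask 077 && head -c "$bytes" /dev/urandom > "$path")
    chmod 0400 "$path"
}

# Accept only a non-empty regular file whose mode grants nothing to group/other.
# Returns 0 if the keyfile is acceptable, 1 otherwise.
keyfile_ok() {
    local path="$1" mode
    [ -f "$path" ] || return 1
    [ -s "$path" ] || return 1
    mode=$(stat -c '%a' "$path")
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Enrol the keyfile in a free LUKS key slot. luksAddKey prompts for an existing
# passphrase, which keeps its own slot, so the volume still opens without the keyfile.
enroll_keyfile() {
    local dev="$1" keyfile="$2"
    keyfile_ok "$keyfile" || { echo "refusing insecure keyfile $keyfile" >&2; return 1; }
    cryptsetup luksAddKey "$dev" "$keyfile"
}

# /etc/crypttab line: <mapper name> <device> <keyfile> <options>. The LUKS UUID
# stays valid if drive letters shift between boots once four drives are installed.
crypttab_entry() {
    local name="$1" uuid="$2" keyfile="$3"
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# /etc/fstab line for the mapped device. "nofail" lets the boot finish even if
# the keyfile was unavailable and the volume did not open.
fstab_entry() {
    local name="$1" mountpoint="$2"
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$name" "$mountpoint"
}

setup_main() {
    local dev=/dev/sda1 name=secret1 keyfile=/root/keys/secret1.key mnt=/data/secret1 uuid
    [ -f "$keyfile" ] || make_keyfile "$keyfile"
    enroll_keyfile "$dev" "$keyfile"
    uuid=$(cryptsetup luksUUID "$dev")
    crypttab_entry "$name" "$uuid" "$keyfile" >> /etc/crypttab
    mkdir -p "$mnt"
    fstab_entry "$name" "$mnt" >> /etc/fstab
    # Check the result without rebooting: open with the keyfile, then mount via fstab.
    cryptsetup luksOpen --key-file "$keyfile" "$dev" "$name" && mount "$mnt"
}

# Only act when invoked as "setup"; otherwise the file just defines the functions.
if [ "${1:-}" = "setup" ]; then setup_main; fi
```

On CentOS 7 systemd reads /etc/crypttab at boot and opens each entry with its keyfile before fstab is processed, so nothing else needs to be scripted. Pulling the OS flash drive after boot removes the keyfile from the machine, but note that the volume stays open until the next reboot; the protection is against the drive being read on another machine, not against the running server.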
Old 08-24-2016, 02:58 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks exvor,

The example you point to looks like it might do the trick. I am currently writing zeros to one of the old 4 TB drives in my current server as part of the formatting process. Probably overkill - that is a LOT of zeros. Once the formatting is complete I will give your approach a try. If I use a separate flash drive for the key it will have to be mounted before the unlocking process takes place. A little testing will tell. On the other hand it looks like I can ALSO have a strong passphrase on each hard drive in the event that the key file is lost. I will post back with my results.

Thanks again,

Ken
 
Old 08-24-2016, 03:19 PM   #4
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
On third thought I believe I will follow the example more closely and put the key on the OS flash drive. It is still removable and it eliminates the concern about when the second flash drive mounts and where.

Ken
 
Old 08-25-2016, 02:50 PM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
I followed the instructions in the link provided. I have encrypted one drive on my old server and spent overnight copying 3 1/2 TB of data back to it. It is automagically unlocked using a key file stored on the flash drive and then mounted at boot time. It works great! I will eventually do the other 3 drives.

I am also exploring other options - at least for experimental purposes at the moment...

I BELIEVE that the pass phrase can be deleted from the partition which would make it ONLY accessible if one had the key file in hand. Not sure I would want to do this with my "production" data.

I might use the same key file on my old and new server (due tomorrow along with 2 - 6 TB drives - Hooray!). That way if one server died or a drive died I could mix and match drives and servers without having to change key files.

I might use the keyfile "manually" that is from a script. I could then mount the data drives using a script and the key file on a flash drive which is ONLY inserted into the server to unlock the drives - then placed back in the "safe".

Looks like I will be having a LOT of fun.

Ken

p.s. I should probably get a backup server to backup my backup servers for when I manage to encrypt myself into a corner
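The "manual" variant from the post above, as an added example that is not Ken's script: the keyfile lives on a flash drive that is mounted read-only only for the unlock and unmounted again afterwards, several drives are opened from one device table, and the passphrase-removal idea is guarded by a key-slot count so a volume is never left with no way in. All device names (/dev/sdb1 for the key drive, /dev/sda1 and /dev/sdc1 for data, the mapper names and mount points) and the keyfile name luks.key are assumptions; the luksDump parsing matches the LUKS1 header format that cryptsetup on CentOS 7 prints.

```shell
#!/bin/bash
# Added example (not from the thread): unlock several LUKS data drives with a
# keyfile on a removable flash drive, which is mounted only for the unlock.
# Assumed names: key drive /dev/sdb1 holding luks.key; data drives in DRIVES.
set -eu

# Constructed device table: "<luks partition> <mapper name> <mount point>".
DRIVES='
/dev/sda1 secret1 /data/secret1
/dev/sdc1 secret2 /data/secret2
'
KEYDEV=/dev/sdb1
KEYMNT=/mnt/keydrive
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed on a machine that does not have these drives.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Count enabled key slots in LUKS1 "cryptsetup luksDump" output read from stdin.
count_enabled_slots() {
    grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Open one LUKS volume with the keyfile and mount it; skip if already open.
unlock_one() {
    local dev="$1" name="$2" mnt="$3" keyfile="$4"
    if [ "$DRY_RUN" != 1 ] && [ -e "/dev/mapper/$name" ]; then
        echo "$name already open" >&2
        return 0
    fi
    run cryptsetup luksOpen --key-file "$keyfile" "$dev" "$name"
    run mount "/dev/mapper/$name" "$mnt"
}

# Mount the key drive read-only, unlock every entry in DRIVES, then unmount the
# key drive again whether or not every volume opened. Returns the failure count.
unlock_all() {
    local keyfile="$KEYMNT/luks.key" failed=0 dev name mnt
    run mkdir -p "$KEYMNT"
    run mount -o ro "$KEYDEV" "$KEYMNT"
    while read -r dev name mnt; do
        [ -n "$dev" ] || continue
        unlock_one "$dev" "$name" "$mnt" "$keyfile" || failed=$((failed + 1))
    done <<EOF
$DRIVES
EOF
    run umount "$KEYMNT"
    return "$failed"
}

# Remove the passphrase so that only the keyfile opens the volume. Refuse unless
# at least two slots are enabled: with one slot, removing it would brick the data.
remove_passphrase() {
    local dev="$1" n
    n=$(cryptsetup luksDump "$dev" | count_enabled_slots)
    if [ "$n" -lt 2 ]; then
        echo "$dev has only $n enabled slot(s); enrol the keyfile first" >&2
        return 1
    fi
    cryptsetup luksRemoveKey "$dev"   # prompts for the passphrase to remove
}

# Only act when invoked as "unlock"; otherwise the file just defines the functions.
if [ "${1:-}" = "unlock" ]; then unlock_all; fi
```

Running with DRY_RUN=1 prints the seven commands in order (mkdir, mount of the key drive, open and mount per data drive, umount) without touching anything, which is a cheap way to check the device table before the real run. Using the same keyfile on both servers, as the post considers, works because the keyfile is just a slot's secret; the trade-off is that one compromised keyfile opens every drive on both machines.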
 
Old 08-25-2016, 07:07 PM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

Rep: Reputation: 4120
No "probably" about it.
 