Introduction
The past month a lot of security issues have popped up in my work and personal life most prominent of which was the DAO hack. All these have lead me to think a lot about security and prompted me to learn and utilize new methods I had never used before. All in all I can say that the events of the past few months have made me quite a bit paranoid.
As a result of that I started reading about full system encryption of the root file system and wanted to apply it in a newly installed ArchLinux system. The Archwiki has a very extensive guide on system encryption which can function as a reference to anyone wanting to do the same. One scenario not covered by that guide is how you can encrypt the system with a password protected keyfile located on a USB stick. This is the scenario we are going to cover in this guide.
Encrypting an entire system
We will be using the Device Mapper crypt module in order to encrypt block devices using the Linux Kernel’s crypto API. We assume a very simple setup with 2 partitions. The first partition will be the boot parition and the other is going to be the root partition which we will encrypt.
We will use the Logical Volume Manager (LVM) in order to have a flexible root parition logical volume on top of a LUKS encrypted partition. We will essentially be using the LVM on Luks methodology of the Archwiki but with a big change that will allow us to have a passphrase protected keyfile in a USB stick. I will assume you are attempting to install an ArchLinux machine following the wiki and explain the different/additional steps that need to be taken in order to achieve the encryption.
Preparing the disk
For extra safety you can securely wipe the entire disk using Luks as can be seen here. After that is done and depending on whether you have an UEFI motherboard or not create an UEFI or an MBR boot partition. Also create a root partition. To do so you can use parted. Once you have created the partitions you will need to format them. In the examples below we will assume an UEFI partition and that your drive is /dev/sda
. Adjust the commands depending on your drive name.
Create the 2 partitions.
(parted) mkpart ESP fat32 1MiB 513MiB
(parted) set 1 boot on
(parted) mkpart primary ext4 513MiB 100%
Format them accordingly. Here we are creating an UEFI boot partition and an ext4 root partition.
mkfs.fat -F32 /dev/sda1 mkfs.ext4 /dev/sda2
Now we can use cryptsetup in order to create the encrypted container on top of the root partition. You can choose a lot of different options for the encryption like the hash algorithm used for key derivation, or the number of iterations to be used for passphrase processing.
cryptsetup luksFormat /dev/sda2
After that you will have to open the container.
cryptsetup open --type luks /dev/sda2 lvm
The decrypted container is now available at /dev/mapper/lvm
.
Preparing the logical volumes
Now we are going to create a physical volume on top of the opened LUKS container.
pvcreate /dev/mapper/lvm
Subsequently create a volume group and create the root logical volume for it. You should change VolName
with the name you would like your volume group to have.
vgcreate VolName /dev/mapper/lvm lvcreate -l 100%FREE VolName -n root
Finally you should format the logical volume and mount it.
mkfs.ext4 /dev/mapper/VolName-root mount /dev/mapper/VolName-root /mnt
Preparing and configuring the boot partition
For our example we have an UEFI boot partition on /dev/sda1
. You can always adjust this guide to any other type of boot partition your system may have. Mount the boot partition and continue with the installation procedure up to the point where you deal with initramfs.
mkdir -p /mnt/boot mount /dev/sda1 /mnt/boot
The bootloader loads the kernel and the initramfs scripts from the boot partition. The new iteration of initramfs is called mkinitcpio and is essentially a very small early userspace environment which loads various kernel modules and sets up all necessary things before handing control over to init.
We can use the already existing encrypt
and lvm2
hooks of mkinitcpio. To enable them edit /etc/mkinitcpio.conf
and add them in the HOOKS line. They should be added before the filesystems
hook. so in essence it should look like this:
HOOKS="... encrypt lvm2 ... filesystems ..."
Run the following in order to create the updated initcpio scripts.
mkinitcpio -p linux
Now you should figure out the UUID of your physical device. You can do so by running:
blkid /dev/sda2 /dev/sda2: UUID="8197c881-160c-465c-a15c-96b59as26157" TYPE="crypto_LUKS" PARTUUID="fe8d1a97-d10b-43c9-a748-972b0af8a09b"
Replace /dev/sda2
with the partition of your root filesystem. Once that is done then you can edit your bootloader to add the following kernel arguments, which will be picked up by the encrypt initcpio module and decrypt your device at boot. If for example you are using systemd-boot
then you should edit /boot/loader/entries/entry.conf
like so:
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=8197c881-160c-465c-a15c-96b59as26157:VolName root=/dev/mapper/VolName-root quiet rw
Remember to change VolName
to the name of the volume group you created.
Finally make sure to properly populate /etc/fstab
so that after decryption the logical root partition is properly mounted at boot:
# /etc/fstab: static file system information # # <file system> <dir> <type> <options> <dump> <pass> # /dev/mapper/VolName-root UUID=8197c881-160c-465c-a15c-96b59as26157 / ext4 rw,relatime,data=ordered 0 1 # /dev/sda1 UUID=0C02-13D4 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2 /dev/mapper/VolName-root /mnt ext4 defaults,errors=remount-ro 0 2
Once that is done then you can simply reboot and you will be prompted for the passphrase to unlock your encrypted root partition at boot. Congratulations you have now encrypted your root partition!
Using an encrypted USB stick
Having an encrypted partition that decrypts simply by typing a password is nice but if a malicious actor learns of your password then he can without any trouble decrypt your root partition and gain access to your data. A method by which you can make this more difficult is to use a 2-factor authentication by having a USB stick with an encrypted passphrase which will act as a key to decrypt the root partition. As such a malicious actor would need physical access to both your USB stick containing the keyfile and to the password that unlocks it.
Create the keyfile
The simplest way to achieve the 2fa effect is to again use LUKS in order to create an encrypted keyfile inside the USB stick. Let’s assume now that the usb stick is located at /dev/sdc1
and that it uuid is 1193c881-267f-134f-123a-12b34as56357
.
We now have to mount the usb stick, create a random keyfile in it and encrypt it with Luks. You can change OurKey
with whatever name you would like the decrypted Luks volume of the key to have. Also you should replace /dev/sdb2
with the root partition you want to encrypt with that key.
mkdir -p /mnt/stick mount /dev/sdc1/ /mnt/stick dd if=/dev/zero of=/mnt/stick/key.luks count=2057 cryptsetup --align-payload=1 luksFormat /mnt/stick/key.luks cryptsetup luksOpen /mnt/stick/key.luks OurKey dd if=/dev/urandom of=/dev/mapper/OurKey cryptsetup luksAddKey /dev/sdb2 /dev/mapper/OurKey
Create an initcpio hook
We will create an initcpio hook so that the bootloader can prompt us for the passphrase and decrypt the encrypted partition during the boot process. The beauty of initcpio is that it’s all simply shell scripts and as such they are quite easy to understand.
First of all you should decide on a name for your hook. I called mine lefcrypt
but you can use whichever name you want. To create a hook you need to create 2 files under 2 different directories.
Create /usr/lib/initcpio/install/lefcrypt
:
#!/bin/bash build() { # Copied from the encrypt hook install script local mod add_module loop add_module dm-crypt if [[ $CRYPTO_MODULES ]]; then for mod in $CRYPTO_MODULES; do add_module "$mod" done else add_all_modules '/crypto/' fi add_binary "cryptsetup" add_binary "dmsetup" add_file "/usr/lib/udev/rules.d/10-dm.rules" add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" add_runscript } help() { cat <<HELPEOF This is our custom hook for decrypting a keyfile from a USB stick. HELPEOF }
The above essentially prepares the script, states the required modules for the script to run and also provides a help docstring which will appear if you typed mkinitcpio -H lefcrypt
.
Also create /usr/lib/initcpio/hooks/lefcrypt
:
#!/usr/bin/bash run_hook() { modprobe -a -q dm-crypt >/dev/null 2>&1 modprobe loop [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" cat << "EOF" ___.-----.___ .-'. . . . . . .`-. .' ` . . . . . . ' `. .' ` ` . . . . . . ' ' `. .----------------------..--. / `` ` ` ` _.---._ ' ' ' ' \ | , `--||--.\ / ` ` ` `.-'_.---._`-.' ' ' ' \ | ` ,--||--'/ [\ ` ` `.'.-' ..| ..`-.`.' ' '' \ `-----------------------`'--' _[/ ` ``/.' \ .. |.. / `.\' ' ' \ | | / / ` ` // `` \ .| . /' ' \\' ' _ \ | \__.---------.___/|\ - ` // `. ` \.---./'' .' \\ - _ - | | _.--' ` `` ` ` ` ` /-| \ - ` = -`. / ___ \ .'- = ||- = - | || .' `` `` ``` `` `.' -|||::= `---.__/_/ \ \ _.-'||= _ = | \ / ` `` ` ` ` `.---' [] | |:: ||[_] ___ \|-'- = ||- _ - | |(O]================-------| | ||[_] (O__) ||------||- - - | / \ ' '' '' `---. [] | |:: ||[_]____ /|-._ = ||- _ - | || `._ ' '' ' '' ' `. -|||::= ,---' \ \___/ / - `-.||= _ = | | `--.__ ' ' '''' '__\-| / - , = -.' \ / `. = ||- = - | | / `---------' \|/ _ ' \\ .''' /`---'\` `. // - _ - | | | \_\ ' ' \\ ' /. .|.. \`` // ` ` / .--------------------..--. [\'' ' \`.'/ .. | .. \ .'/ ` ` `/ | , `--||--.\ [/' ' ' `.`-._ .|. _.-'.' ` ` `/ | ` ,--||--'/ \ ' ' ' `-._`---'_.-' ` ` ` `/ `--------------------`'--' \' ' ' ' .`---'. ` ` ` / `.'' '' '. . . . `` ` ` .' `.'' '. . . . . . ` `.' `-.___ . . . ___.-' `-----' Provide the captain's command authorization code for the USB stick: EOF #obtain the key mkdir -p /mnt/usbstick resolved=$(resolve_device /dev/disk/by-uuid/1193c881-267f-134f-123a-12b34as56357) mount -t ext4 "$resolved" /mnt/usbstick cryptsetup -T 5 luksOpen /mnt/usbstick/key.luks OurKey #unlock the root partition cryptsetup --key-file /dev/mapper/OurKey luksOpen /dev/disk/by-uuid/8197c881-160c-465c-a15c-96b59as26157 lvm #clean up the key cryptsetup luksClose OurKey }
The above is a really simple script which uses the UUID of the usb stick in order to find the key and prompt the user to decrypt it. I could not resist putting a Star Trek reference at the prompt. Apologies :). You should change the UUIDs with your drive’s actual UUIDs and also OurKey
with the name you provided for your LUKS encrypted key partition.
In order to use this hook you have to include it in the /etc/mkinitcpio.conf
and put it instead of encrypt like so:
HOOKS="... lefcrypt lvm2 ... filesystems ..."
Finally you should create the new initramfs image by issuing mkinitcpio:
mkinitcpio -p linux ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default' -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img ==> Starting build: 4.6.3-1-ARCH -> Running build hook: [base] -> Running build hook: [udev] -> Running build hook: [autodetect] -> Running build hook: [modconf] -> Running build hook: [block] -> Running build hook: [lefcrypt] -> Running build hook: [lvm2] -> Running build hook: [filesystems] -> Running build hook: [keyboard] -> Running build hook: [fsck] ==> Generating module dependencies ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img ==> Image generation successful ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback' -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect ==> Starting build: 4.6.3-1-ARCH -> Running build hook: [base] -> Running build hook: [udev] -> Running build hook: [modconf] -> Running build hook: [block] ==> WARNING: Possibly missing firmware for module: wd719x ==> WARNING: Possibly missing firmware for module: aic94xx -> Running build hook: [lefcrypt] -> Running build hook: [lvm2] -> Running build hook: [filesystems] -> Running build hook: [keyboard] -> Running build hook: [fsck] ==> Generating module dependencies ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img ==> Image generation successful
Now once you reboot you can simply input the USB stick and be prompted for the passphrase. Congratulations you now have 2fa in the encryption of your root partition!
Removing the simple passphrase decryption
If you followed this guide step by step then you will still have the option to decrypt the system using the simple passphrase key you created in the first section. If you have confirmed that the USB stick decryption works perfectly then you can safely remove the simple passphrase key.
First check how many keys are used by the encrypted root partition:
cryptsetup luksDump /dev/sda2 | grep BLED Key Slot 0: ENABLED Key Slot 1: ENABLED Key Slot 2: DISABLED Key Slot 3: DISABLED Key Slot 4: DISABLED Key Slot 5: DISABLED Key Slot 6: DISABLED Key Slot 7: DISABLED
You should only see 2. Key slot 0 should be the very first simple passphrase key and Key slot 1 the one we just created on the USB stick. You can generally query a lot of information about the keys as can be seen in the related wiki.
If you have used different passphrases for the USB encrypted stick and for the normal passphrase key then it’s quite easy to remove the key without even specifying the slot.
cryptsetup luksRemoveKey /dev/sda2 Enter LUKS passphrase to be deleted:
If you have used the same password then you have to also specify the slot when removing the key.
cryptsetup luksRemoveKey /dev/sda2 0 Enter any remaining LUKS passphrase:
After this action is complete then the only way to decrypt your root filesystem and gain access to your machine would be by using the key located inside the USB stick.
Conclusion
We have presented a way to use a password protected encrypted key located in a usb stick to decrypt the root filesystem of your computer. This provides us with a lot of security and the ability to perform a 2-factor authentication when booting the system in order to protect our data if the computer ever falls into the hands of a malicious actor.
There are disadvantages to this approach. If a malicious actor ever gains access to both your key and your keyfile it is Game Over. At the same time the boot partition needs to be unencrypted to perform the bootloading process. This can introduce vulnerabilities which an attacker could take advantage of. There are some methods that can be followed in order to secure the unencrypted boot partition, such as having it located on an external drive etc.
The presented method is not perfect, but it provides superior security in comparison to a totally unencrypted system and provides a nice basis from which the curious reader can explore many other methods of disk encryption. I hope you enjoyed this post and please don’t hesitate to leave some comments explaining how you use encryption to protect your data and what kind of improvements you believe can be made in the method presented here.