Encrypted Loopback Partition on Sarai

Notes on the setting up of an encrypted loopback device on sarai.indymedia.org for storing certs and keys. This was discussed on listwork in October 2006: 1 | 2 | 3

Decrypting and mounting

After the machine has booted, postfix and apache will not work until the encrypted disk has been mounted.

To mount it do this:

$ ssh sarai.indymedia.org
$ sudo /root/bin/mnt-crypt

The mnt-crypt script contains the following:

#!/bin/bash

echo "This script mounts the encrypted partition at /etc/crypt"
echo "If you mistype the password then do this before running this again:"
echo "/sbin/cryptsetup remove crypt"

# create the loop device
/sbin/losetup /dev/loop0 /crypt

# decrypt the loopback device
/sbin/cryptsetup create crypt /dev/loop0

# mount the partition
/bin/mount /dev/mapper/crypt /etc/crypt

# start apache
/etc/init.d/apache start

# start postfix
/etc/init.d/postfix start
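The mnt-crypt script above starts apache and postfix unconditionally, even when the mount step has failed. With "cryptsetup create" (plain mode, no header) a mistyped passphrase is never rejected: the mapping is created, the filesystem inside it is unreadable, mount fails, and the leftover mapping then makes the next attempt fail too, which is why the script prints the "cryptsetup remove crypt" hint. The following hardened variant is an added example, not the script on sarai; the paths, device names and services are the page's own, while the helper functions and variable names are this example's assumptions. It stops at the first failed step, clears a leftover mapping or loop device from an earlier attempt, checks the mount before touching the services, and tears the mapping down again when the filesystem will not mount.

```shell
#!/bin/sh
# Hardened variant of mnt-crypt (added example; not the script on sarai).
# Paths and service names are the page's own; the helper functions and the
# variable names are this example's assumptions.

CRYPT_FILE=/crypt
LOOP_DEV=/dev/loop0
MAP_NAME=crypt
MAP_DEV=/dev/mapper/$MAP_NAME
MOUNT_POINT=/etc/crypt

# is_mounted MOUNTPOINT [MOUNTS_FILE]: true when MOUNTPOINT is a mount target
# in MOUNTS_FILE (default /proc/mounts). Whole-field match, so /etc/crypt is
# not confused with /etc.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit (found ? 0 : 1) }' "${2:-/proc/mounts}"
}

# loop_attached LOOP_DEV [LISTING]: true when the device appears in the
# "losetup -a" listing (the listing can be passed in to check it offline).
loop_attached() {
    _list=${2:-$(/sbin/losetup -a 2>/dev/null)}
    printf '%s\n' "$_list" | grep -q "^$1:"
}

# mapping_exists MAPPER_NODE: the dm node is present (a block device, or a
# symlink to /dev/dm-N on udev systems), i.e. an earlier run left it behind.
mapping_exists() {
    [ -e "$1" ]
}

# Undo the mapping and the loop device, tolerating steps already undone.
teardown() {
    /sbin/cryptsetup remove "$MAP_NAME" 2>/dev/null || true
    /sbin/losetup -d "$LOOP_DEV" 2>/dev/null || true
}

mount_crypt() {
    if is_mounted "$MOUNT_POINT"; then
        echo "$MOUNT_POINT is already mounted" >&2
        return 0
    fi
    if mapping_exists "$MAP_DEV" || loop_attached "$LOOP_DEV"; then
        echo "leftover mapping or loop device from an earlier attempt; removing" >&2
        teardown
    fi
    /sbin/losetup "$LOOP_DEV" "$CRYPT_FILE" || return 1
    /sbin/cryptsetup create "$MAP_NAME" "$LOOP_DEV" || { teardown; return 1; }
    # Plain mode accepts any passphrase; a wrong one shows up here as a
    # filesystem that will not mount, so drop the mapping instead of leaving it.
    if ! /bin/mount "$MAP_DEV" "$MOUNT_POINT"; then
        echo "mount failed (wrong passphrase?); mapping removed, run again" >&2
        teardown
        return 1
    fi
    # Start the services only once their key material is actually readable.
    if [ ! -r "$MOUNT_POINT/sarai_privatekey.pem" ]; then
        echo "private key not found under $MOUNT_POINT; not starting services" >&2
        return 1
    fi
    /etc/init.d/apache start
    /etc/init.d/postfix start
}

# Run only when invoked as the script itself, so the functions above can be
# sourced and exercised without root.
case $(basename "$0") in
    mnt-crypt*) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
                mount_crypt ;;
esac
```

Installed as /root/bin/mnt-crypt it is invoked exactly like the original (sudo /root/bin/mnt-crypt); a non-zero exit now means the services were not started, so a wrapper can act on it instead of discovering later that apache and postfix came up without their certs.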

Setup Notes

Notes on what was done to create the encrypted device and the cert.

Creating the encrypted device

The riseup loopback instructions were followed.

# cd /
# dd if=/dev/urandom of=/crypt bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes transferred in 2.582209 seconds (4060771 bytes/sec)
# losetup /dev/loop0 /crypt 
# cryptsetup -y create crypt /dev/loop0 
  Enter passphrase: 
  Verify passphrase: 
# dmsetup ls 
  vg01-home       (254, 0)
  vg01-backup     (254, 4)
  vg01-mailman    (254, 3)
  vg01-usr        (254, 2)
  vg01-var        (254, 1)
  crypt   (254, 5)
# mkfs.ext3 /dev/mapper/crypt 
  mke2fs 1.37 (21-Mar-2005)
  Filesystem label=
  OS type: Linux
  Block size=1024 (log=0)
  Fragment size=1024 (log=0)
  2560 inodes, 10240 blocks
  512 blocks (5.00%) reserved for the super user
  First data block=1
  2 block groups
  8192 blocks per group, 8192 fragments per group
  1280 inodes per group
  Superblock backups stored on blocks: 
          8193
  
  Writing inode tables: done                            
  Creating journal (1024 blocks): done
  Writing superblocks and filesystem accounting information: done
  
  This filesystem will be automatically checked every 30 mounts or
  180 days, whichever comes first.  Use tune2fs -c or -i to override.
# mkdir /etc/crypt
# mount /dev/mapper/crypt /etc/crypt
# df -h | grep crypt
  /dev/mapper/crypt     9.7M  1.1M  8.2M  12% /etc/crypt

Generating the key and cert

See: CaCertSsl

# cd /etc/crypt
# /root/bin/csr.sh
  Private Key and Certificate Signing Request Generator
  This script was designed to suit the request format needed by
  the CAcert Certificate Authority. www.CAcert.org
  
  Short Hostname (ie. imap big_srv www2): sarai
  FQDN/CommonName (ie. www.example.com) : sarai.indymedia.org
  Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
  SubjectAltName: DNS:sarai.indymedia.org
  SubjectAltName: DNS:sarai3.indymedia.org
  SubjectAltName: DNS:lists.indymedia.org
  SubjectAltName: DNS:archives.lists.indymedia.org
  SubjectAltName: DNS:
  Running OpenSSL...
  Generating a 512 bit RSA private key
  writing new private key to 'sarai_privatekey.pem'
  Generating a 2048 bit RSA private key
  writing new private key to 'sarai_privatekey.pem'
  -----
  Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
  When you receive your certificate, you 'should' name it something like sarai_server.pem

The CSR was pasted into the interface at http://cacert.org/, a Class 1 certificate was generated, and it was saved as sarai_server.pem.

Postfix configuration

See CaCertSsl#Sarai_TLS_configuration

The following things were changed in /etc/postfix/main.cf:

tls_certs = /etc/crypt

smtp_tls_key_file = $tls_certs/sarai_privatekey.pem
smtp_tls_cert_file = $tls_certs/sarai_server.pem
smtp_tls_CAfile = $tls_certs/cacert.crt
smtp_tls_CApath = $tls_certs/cacert.crt

smtpd_tls_cert_file = $tls_certs/sarai_server.pem
smtpd_tls_key_file = $tls_certs/sarai_privatekey.pem
smtpd_tls_CAfile = $tls_certs/cacert.crt

Then postfix was reloaded:

/etc/init.d/postfix reload

And postfix was set not to run on boot:

# update-rc.d -f postfix remove
 update-rc.d: /etc/init.d/postfix exists during rc.d purge (continuing)
 Removing any system startup links for /etc/init.d/postfix ...
   /etc/rc0.d/K20postfix
   /etc/rc1.d/K20postfix
   /etc/rc2.d/S20postfix
   /etc/rc3.d/S20postfix
   /etc/rc4.d/S20postfix
   /etc/rc5.d/S20postfix
   /etc/rc6.d/K20postfix

And the old cert was destroyed:

# cd /etc/postfix/tls/
# shred -uv -n 100 sarai.crt
# shred -uv -n 100 sarai.key

Apache configuration

See: CaCertSsl#HTTP_multiple_domain_names

The apache configuration file, /etc/apache/vhosts/lists.indymedia.org was edited:

SSLCertificateFile /etc/crypt/sarai_server.pem
SSLCertificateKeyFile /etc/crypt/sarai_privatekey.pem
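Both the Postfix settings above and these two Apache directives point at the same files under /etc/crypt, and neither daemon is started until the partition is mounted by hand, so a wrong file, a key that does not belong to the cert, or a world-readable key is only noticed when TLS fails. The checks below are an added example, not part of the page or of the sarai setup; the file names are the page's own, the function names are this example's. One thing it flags on the page's main.cf: smtp_tls_CApath expects a directory of hashed CA certificates, whereas the page sets it to the cacert.crt file, so the CApath check below emits a warning for that value.

```shell
#!/bin/sh
# Added example, not from the page or the sarai host: checks on the key and
# certificate files that the Postfix and Apache settings point at, to run
# after /etc/crypt is mounted and before either daemon is reloaded. Function
# names are this example's own; file names are the page's.

# key_perms_ok KEYFILE: a regular file readable by its owner only.
key_perms_ok() {
    [ -f "$1" ] || return 1
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $_mode in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# ca_file_ok FILE: smtp_tls_CAfile / smtpd_tls_CAfile want a non-empty file.
ca_file_ok() {
    [ -f "$1" ] && [ -s "$1" ]
}

# ca_path_ok DIR: smtp_tls_CApath wants a directory of hashed CA certs, not a
# file; the page's main.cf points it at cacert.crt, which this will flag.
ca_path_ok() {
    [ -d "$1" ]
}

# key_matches_cert KEYFILE CERTFILE: compare the RSA moduli; a mismatch means
# the daemon either refuses to bring up TLS or serves a cert it cannot use.
key_matches_cert() {
    _k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    _c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# cert_has_name CERTFILE DNSNAME: true when DNSNAME is a SubjectAltName DNS
# entry, so each vhost name (lists.indymedia.org, ...) can be checked.
cert_has_name() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -o 'DNS:[^,]*' | grep -qx "DNS:$2"
}

# check_all TLS_DIR: run the checks against the page's file names under
# TLS_DIR; returns 1 if any hard check fails so it can gate a reload.
check_all() {
    _d=$1 _rc=0
    key_perms_ok "$_d/sarai_privatekey.pem" \
        || { echo "FAIL: sarai_privatekey.pem missing or readable by others" >&2; _rc=1; }
    ca_file_ok "$_d/cacert.crt" \
        || { echo "FAIL: cacert.crt missing or empty" >&2; _rc=1; }
    ca_path_ok "$_d/cacert.crt" \
        || echo "WARN: smtp_tls_CApath=$_d/cacert.crt is not a directory" >&2
    key_matches_cert "$_d/sarai_privatekey.pem" "$_d/sarai_server.pem" \
        || { echo "FAIL: private key does not match sarai_server.pem" >&2; _rc=1; }
    return $_rc
}
```

Typical use after mounting: "check_all /etc/crypt && /etc/init.d/postfix reload", and "cert_has_name /etc/crypt/sarai_server.pem lists.indymedia.org" for each name the vhost file serves, since a cert without the right SubjectAltName passes every file-level check and still produces browser and SMTP client warnings.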

And apache was stopped and started and then set not to run on boot:

# /etc/init.d/apache stop
# /etc/init.d/apache start
# update-rc.d -f apache remove
 update-rc.d: /etc/init.d/apache exists during rc.d purge (continuing)
 Removing any system startup links for /etc/init.d/apache ...
   /etc/rc0.d/K91apache
   /etc/rc1.d/K91apache
   /etc/rc2.d/S91apache
   /etc/rc3.d/S91apache
   /etc/rc4.d/S91apache
   /etc/rc5.d/S91apache
   /etc/rc6.d/K91apache

And the old certs were destroyed:

# shred -uv -n 100 /etc/apache/ssl.crt/cacert-server.crt 
# shred -uv -n 100 /etc/apache/ssl.key/cacert-private.key 
Topic revision: r2 - 05 Oct 2006, ChrisC