Encrypted Partitions on Traven

Temporary partitions

The swap partition and /tmp are both on encrypted partitions using random keys. These keys are lost at power-off, which means that any data is then unrecoverable.

Permanent partitions

There is currently one permanent encrypted partition, mounted at /var/lib/postgres/data. However, the following should also apply to any others that are created.

  • UPDATE: there is a new encrypted partition, mounted at /var/secure. This can me mounted in the same way -- just substitute the name of the mount point.

Such partitions cannot be automatically mounted, as they require a key which is not present on the machine. As a consequence, postgres and tomcat will not be started automatically since the data directory is not available.

There is one master key, which is basically a long random string. As an admin, you should keep a copy in a safe place encrypted to yourself with gpg. This file will be referred to as traven.gpg. It should never be stored unencrypted, or copied to traven (except transiently as input to the mount command).

The fstab entry specifies /etc/loop-aes/postgres_data.gpg as a keyfile. This is symmetrically encrypted using the master key as a passphrase. It should never be copied off traven, or stored unencrypted. Each encrypted partition needs its own keyfile in /etc/loop-aes -- there is a known cryptographic weakness if one keyfile is used for two partitions (although it's fine to have those keyfiles encrypted with the same gpg key).

To mount the filesystem, you need to do:

gpg -o - traven.gpg | ssh traven.indymedia.org sudo mount -p 0 /var/lib/postgres/data

making sure that sudo won't ask you for a password (so run "sudo -v" if you aren't already authenticated).

You can then do:

/etc/init.d/postgresql start
/etc/init.d/tomcat4 start

to start the services that require the encrypted data.

You can optionally script some of this, for example, amend and save this file in ~/bin/ as traven-mount or something:

#!/bin/bash

GPG_FILE=~/.gpg/traven.gpg
SERVER=traven.indymedia.org

echo "First ssh to traven and do something like 'sudo uptime'"
echo "Then run this script -- Ctrl C to start again"
echo "See http://docs.indymedia.org/view/Sysadmin/TravenEncryptedPartitions"
echo "(The reason why 'ssh traven.indymedia.org sudo uptime' isn't in this"
echo "script is that although this works it results in your password displaying"
echo "on your local machine...)" 

gpg -o - $GPG_FILE | ssh $SERVER sudo mount -p 0 /var/lib/postgres/data
gpg -o - $GPG_FILE | ssh $SERVER sudo mount -p 0 /var/secure

ssh $SERVER sudo /etc/init.d/postgresql start

ssh $SERVER sudo /etc/init.d/tomcat4 start

Creating a new encrypted partition

To create a new encrypted partition, PARTITION_NAME, from the device /dev/DEVICE_NAME, mounted at /MOUNT_POINT, do:

gpg -o - traven.gpg | \
  ssh traven.indymedia.org \
    "{ cat; head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65; } | \
       gpg -ac --passphrase-fd 0 --batch --no-tty >temp.gpg"

then move temp.gpg to /etc/loop-aes/PARTITION_NAME, and chown/chmod it to root:root 400.

(The above requires a reasonable amount of entropy. Fortunately the motherboard in traven contains a hardware random number generator, which speeds this up considerably.)

Now fill the device with pseudorandom data, set up the loop device, build the filesystem, and close the loop device again:

ssh traven.indymedia.org sudo dd if=/dev/urandom of=/dev/DEVICE_NAME bs=1024k

gpg -o - traven.gpg | \
  ssh traven.indymedia.org \
    sudo losetup -p 0 -e AES256 -K /etc/loop-aes/PARTITION_NAME.gpg /dev/loop7 /dev/DEVICE_NAME

ssh traven.indymedia.org sudo mkfs.ext3 /dev/DEVICE_NAME

ssh traven.indymedia.org sudo losetup -d /dev/loop7

and finally add an entry to fstab:

/dev/DEVICE_NAME /var/lib/postgres/data ext3 noauto,encryption=aes256,gpgkey=/etc/loop-aes/PARTITION_NAME.gpg,loop=/dev/loopN 0 0

choosing the next free loop device for /dev/loopN and adding any other relevant options (noexec, nosuid, nodev etc).

Distributing the master key to other admins

Please don't leave unencrypted copies lying around when you do this... use something like the following to create a copy encrypted to another admin's key:

gpg -o - traven.gpg | gpg --for-your-eyes-only -aer USER@DOMAIN.TLD >OUTFILE.gpg

Don't do this unless you've verified the key you're encrypting to, either directly or via a trusted signature.

Certs

New certs are in /var/secure

At some point in the future it would probably make sense to use one cert and one IP address for all sites so that who is accessing which site would be more obscured... (although this information will still be exposed by the DNS query that obtains this IP address).

Delete the old certs and keys using shred:

shred -uv -n 100 /etc/ssl/certs/publish.indymedia.org.uk.crt
shred -uv -n 100 /etc/ssl/private/publish.indymedia.org.uk.key
shred -uv -n 100 /etc/ssl/certs/www0.indymedia.org.uk.crt
shred -uv -n 100 /etc/ssl/private/www0.indymedia.org.uk.key

UK

The UK cert was generated using the script on the CaCertSsl page and using these names:

Short Hostname (ie. imap big_srv www2): uk
FQDN/CommonName (ie. www.example.com) : publish.indymedia.org.uk
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:publish.indymedia.org.uk
SubjectAltName: DNS:www.publish.indymedia.org.uk
SubjectAltName: DNS:indymedia.org.uk
SubjectAltName: DNS:www.indymedia.org.uk
SubjectAltName: DNS:www0.indymedia.org.uk
SubjectAltName: DNS:uk.indymedia.org
SubjectAltName: DNS:www.uk.indymedia.org.uk
SubjectAltName: DNS:traven.indymedia.org

-- ZaK - 21 May 2005
Topic revision: r6 - 11 Jan 2007, ZaK
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback