How can I allow unattended decryption of encrypted disk on RHEL6?

I need to configure an encrypted disk on RHEL6, but the key should be stored on a network server/database; the encrypted disk should get decrypted during boot or after boot using this key, without asking for any passphrase.

user3912750

Posted 2014-08-06T06:31:22.227

Reputation: 11

Answers

1

You can set this up using a crypttab keyscript, example crypttab entry:

# target,sourcedev,keyfile,options
cdisk3 /dev/sda3 none cipher=twofish,hash=ripemd160,size=256,keyscript=/path/to/script

The script will be executed with keyfile (in this case, "none") as the only argument, and the output from the script will be used as the key.

It gets the rest of the input as environment variables:

       CRYPTTAB_NAME
           The target name

       CRYPTTAB_SOURCE
           The source device

       CRYPTTAB_KEY
           The key file

       CRYPTTAB_OPTIONS
           A list of exported crypttab options

       CRYPTTAB_OPTION_<option>
           The value of the appropriate crypttab option, with value set to 'yes'
           in case the option is merely a flag.

I got most of this from the crypttab(5) manual page; it's better written than what I can provide.

Of course, a setup like this will be difficult to make secure, and it depends a lot on what you put in your script.

feitingen

Posted 2014-08-06T06:31:22.227

Reputation: 64
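A keyscript that fits the crypttab entry and environment described in this answer, added here as an illustration rather than code from the answer or from cryptsetup. It assumes a hypothetical key server reachable at NETKEY_URL over mutual TLS with a client identity under /etc/netkey/ (both placeholders), that the server returns a printable passphrase rather than raw key bytes, and that the transport can be swapped via NETKEY_FETCH so the script can be exercised offline.

```shell
#!/bin/sh
# Hypothetical keyscript for the crypttab "keyscript=" mechanism (added example).
# cryptsetup runs it as:  script <keyfile>   with CRYPTTAB_* in the environment,
# and uses whatever it writes to stdout as the key.
# Placeholders (not from the page): NETKEY_URL, the /etc/netkey/ TLS files.
NETKEY_URL="${NETKEY_URL:-https://keys.example.internal/v1/keys}"
NETKEY_FETCH="${NETKEY_FETCH:-netkey_fetch_https}"   # transport; overridable for testing

log() { printf 'netkey: %s\n' "$*" >&2; }   # stderr only: stdout is the key

# Default transport: mutual TLS, fail on HTTP errors, print nothing but the body.
netkey_fetch_https() {
    curl --silent --show-error --fail \
         --cacert /etc/netkey/ca.pem --cert /etc/netkey/client.pem \
         --key /etc/netkey/client.key "$NETKEY_URL/$1"
}

# Which key to ask for: the crypttab keyfile field, or the target name when
# that field is "none" (as in the answer's example entry).
netkey_key_id() {
    id="$1"
    [ "$id" = "none" ] && id="$CRYPTTAB_NAME"
    # The value comes from /etc/crypttab and is spliced into a URL, so accept
    # only a conservative identifier (no slashes, dots, '?' or blanks).
    case "$id" in
        ''|*[!A-Za-z0-9_-]*) log "refusing key id '$id'"; return 1 ;;
    esac
    printf '%s' "$id"
}

keyscript_main() {
    [ -n "${CRYPTTAB_NAME:-}" ] && [ -n "${CRYPTTAB_SOURCE:-}" ] || {
        log "CRYPTTAB_NAME/CRYPTTAB_SOURCE missing: not invoked by cryptsetup?"; return 1; }
    id=$(netkey_key_id "${1:-none}") || return 1
    log "fetching key for target $CRYPTTAB_NAME ($CRYPTTAB_SOURCE) as id $id"
    key=$("$NETKEY_FETCH" "$id") || { log "key server request failed"; return 1; }
    [ -n "$key" ] || { log "empty key from server"; return 1; }
    # Emit the passphrase exactly: a trailing newline would become part of the key.
    printf '%s' "$key"
}

# Run only when cryptsetup's environment is present; harmless when sourced.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    keyscript_main "$@"
    exit $?
fi
```

Because the key arrives over the network, every failure path returns non-zero and writes to stderr, so cryptsetup sees a failed unlock rather than an empty or partial key.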

0

IMHO you can only do this for non-boot and non-root disks. To access a network service to get the credentials, Linux would have to:

  1. Boot the system
  2. Set up a remote mount
  3. Retrieve the creds
  4. Mount the disk

You could write a shell script for it and make sure it gets started at boot time. Keep in mind that you would have to store the credentials of the network share/database on the client system, which kind of defeats the purpose :)

mtak

Posted 2014-08-06T06:31:22.227

Reputation: 11 805

0

There is a tool already out there for doing pretty much what you want, at least assuming that you aren't booting from such an encrypted volume (unattended booting from an encrypted volume comes with its own set of problems, and while there are clear indications that it's doable using this, I don't think I'd want to try it on a first attempt at least). It's called Mandos.

Basically what it does is store the key on a separate system (the Mandos server) and allows the client to query for it in a secure fashion. Once the client has the key, that key can be used to unlock a LUKS container.

You would of course have to protect the Mandos server appropriately, but that's an issue with any key storage, and certainly not unique to Mandos.

There is a diagram of how it works on the web site.

a CVn

Posted 2014-08-06T06:31:22.227

Reputation: 26 553