Decryption of encrypted root partition from USB key

Support for security such as Firewalls and securing linux
Post Reply
sv-jshields
Posts: 1
Joined: 2015/07/22 14:36:55

Decryption of encrypted root partition from USB key

Post by sv-jshields » 2015/07/22 15:33:25

We recently had to upgrade one of our clusters to CentOS 7 due to a hardware issue with a specific unresolved Dell NIC issue.
(https://bugzilla.redhat.com/show_bug.cgi?id=693542)

I hadn't used CentOS 7 at all or the Fedora/RHEL/Scientific derivatives and was in for a surprise with the change to systemd. After very quickly learning how to everything in systemd (more or less) I got the system operational but I couldn't use our previous method for encrypted root partition decryption from a USB key. I did however find several suggestions on this forum that didn't work for me, though they all got me in the right direction.

Here are the steps that we are using for our production machines for boot time decryption (This assumes you setup an clear text boot partition and an encrypted LVM during installation):

USB Decryption

Once the OS is up and running, insert the USB key to hold the decryption key.

USB key

Partition and format the USB key (I wrote this guide for internal use while testing on a XenServer, update the paths accordingly):

Code: Select all

fdisk /dev/xvdc
...
mkfs.ext3 /dev/xvdc1
...
Create the key mount point:

Code: Select all

mkdir /boot/tmp
Mount the boot key device:

Code: Select all

mount /dev/xvdc1 /boot/tmp
Create the boot key:

Code: Select all

dd if=/dev/urandom of=/boot/tmp/.boot_key bs=2 count=512
Find the LUKS device:

Code: Select all

grep linux16 /boot/grub2/grub.cfg
...
	linux16 /vmlinuz-3.10.0-229.7.2.el7.x86_64 root=/dev/mapper/centos_lb--tds--jbod0002-root ro crashkernel=auto rd.md.uuid=df235c66:f77674c0:5beffcd9:f2e9d49a rd.lvm.lv=centos_lb-tds-jbod0002/swap rd.luks.uuid=luks-0501aed9-6234-484a-9faf-3a6882be00c6 rd.lvm.lv=centos_lb-tds-jbod0002/root vga=791 LANG=en_US.UTF-8 systemd.debug
...
Here the LUKS device is luks-0501aed9-6234-484a-9faf-3a6882be00c6

Add the key to this device, enter the same passphrase you entered when creating the disk device:

Code: Select all

cryptsetup luksAddKey /dev/disk/by-uuid/0501aed9-6234-484a-9faf-3a6882be00c6 /boot/tmp/.boot_key
Dracut

Create a new dracut config file /etc/dracut.conf.d/usb-decrypt.conf with the following lines (Use whatever filesystem you used on the boot key):

Code: Select all

omit_dracutmodules+="systemd"
filesystems+="ext3"
Create a new initramfs via dracut:

Code: Select all

dracut -fv
GRUB

Get the UUID of the USB key:

Code: Select all

ls -l /dev/disk/by-uuid
...
lrwxrwxrwx. 1 root root 11 Jun 29 11:00 935730ba-fe67-41d1-baad-a4d79450854d -> ../../xvdc1
...
Update /etc/default/grub line GRUB_CMDLINE_LINUX to include the rd.luks.key kernel parameter pointing the UUID of the USB key and the absolute path of the key on the disk

Code: Select all

rd.luks.key=/.boot_key:UUID=d6bad5c2-2616-49cc-bc8d-5cf1cdadff5d
Create a new GRUB configuration:

Code: Select all

grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot to confirm the key decrypts the root partition.

Using this approach kernel and dracut upgrade are also safe, I've performed several so far without any problems.

Post Reply

Return to “CentOS 7 - Security Support”