Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
howto:unlock_cryptroot_usb [2017/02/08 00:20] romain |
howto:unlock_cryptroot_usb [2018/12/08 22:28] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | **//Work in progress!!!//** | ||
| - | |||
| //Disclaimer: I only tried this with the LIME2 hardware// | //Disclaimer: I only tried this with the LIME2 hardware// | ||
| - | The goal of this howto is to be able to unlock the rootfs of the encrypted version of the Internet Cube by using a USB key, as an alternative to providing the passphrase (in my case, because I can't unlock the rootfs through the network) | + | //Disclaimer2: It can be really easy to get locked out of the system if anything goes wrong (like a mistake in the helper script), so backup your important data (and the functional initramfs) and consider the necessity of physical intervention (through the serial port or simply by accessing the Cube's SD card from your PC)// |
| ====== Introduction ====== | ====== Introduction ====== | ||
| + | |||
| + | The goal of this howto is to be able to unlock the rootfs of the encrypted version of the Internet Cube by using a USB key, as an alternative to providing the passphrase (in my case, because I can't unlock the rootfs through the network). | ||
| + | |||
| + | Note that it doesn't replace the traditional authentication mecanism with the passphrase, it only adds another authentication mecanism through the presence of a USB key. | ||
| There are different ways of unlocking a LUKS partition, for example with a passfile on a USB stick. | There are different ways of unlocking a LUKS partition, for example with a passfile on a USB stick. | ||
| - | I decided to use a USB key, a devoted USB stick filled with random data containing the content of the keyfile, already documented on the internet (for example [[https://binblog.info/2008/12/04/using-a-usb-key-for-the-luks-passphrase/|here]]). The summary of the steps I followed will be pretty much the same, except for the last issue I faced which was more specific to the Internet Cube. | + | I decided to use a USB key, a devoted USB stick filled with random data containing the content of the keyfile, already documented on the internet (for example [[https://binblog.info/2008/12/04/using-a-usb-key-for-the-luks-passphrase/|here]]). The steps I followed are pretty much the same, except for the last issue I faced which was more specific to the Internet Cube. |
| + | |||
| + | I started from an already working instance of the Cube (encrypted image of course). | ||
| + | |||
| + | ====== Why would you do that ====== | ||
| + | |||
| + | * You don't want to fire up the browser to enter the passphrase each time you boot the Cube | ||
| + | * You don't have access to the local network on which the Cube is (and you don't have a way to connect to the serial port of the Cube) | ||
| + | * You don't trust the local network and/or TLS and you prefer to interact physically with the Cube (in that case, using the serial port of the Cube is also an option) | ||
| + | |||
| + | Note also that, as in any security system, the overall security boils down to the security of the weaker point. For example, if you keep the USB stick plugged all the time, it would be the same as if you didn't have any encryption on the disk. | ||
| - | I started from an already working instance of the Cube. | + | Keep also in mind that if you want to protect the data from physical stealing (by stealing the hardware), you should avoid to keep the Cube and the key in the same place (two different places in the same room, with no apparent link between the USB stick and the Cube, like a "Cube decryption key" sticker or equivalent, is IMHO a bare minimum). |
| ====== Preparation of the USB key ====== | ====== Preparation of the USB key ====== | ||
| Line 131: | Line 143: | ||
| <file> | <file> | ||
| - | #LINUX_KERNEL_CMDLINE="console=ttyS1 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mapper/root **cryptopts=target=root,source=/dev/mmcblk0p2,cipher=aes-xts-plain64,size=256,hash=sha1** rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0" | + | #LINUX_KERNEL_CMDLINE="console=ttyS1 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mapper/root cryptopts=target=root,source=/dev/mmcblk0p2,cipher=aes-xts-plain64,size=256,hash=sha1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0" |
| LINUX_KERNEL_CMDLINE="console=ttyS1 hdmi.audio=EDID:0 disp.screen0_output_mode=EEDID:1280x720p60 root=/dev/mapper/root rootwait sunxi_ve_mem_reserve=0 sunxi_g2d__mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0" | LINUX_KERNEL_CMDLINE="console=ttyS1 hdmi.audio=EDID:0 disp.screen0_output_mode=EEDID:1280x720p60 root=/dev/mapper/root rootwait sunxi_ve_mem_reserve=0 sunxi_g2d__mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0" | ||
| </file> | </file> | ||
| Line 144: | Line 156: | ||
| Now, you should be able to unlock your root partition with the USB key you prepared, your Internet Cube should be up without having to enter any passphrase! | Now, you should be able to unlock your root partition with the USB key you prepared, your Internet Cube should be up without having to enter any passphrase! | ||
| + | |||
| **/!\ Don't forget to unplug the USB key after boot and store it in a safe place /!\** | **/!\ Don't forget to unplug the USB key after boot and store it in a safe place /!\** | ||