How can I enable automatic decryption of an encrypted disk on RHEL6?

1202
user3912750

I need to set up an encrypted disk on RHEL6, but the key must be kept on a network server / database; the encrypted disk must be decrypted at boot time or after boot using that key, without prompting for any passphrase.

1

3 answers

1
feitingen

You can set this up using a crypttab keyscript, example crypttab entry:

    # target,sourcedev,keyfile,options
    cdisk3 /dev/sda3 none cipher=twofish,hash=ripemd160,size=256,keyscript=/path/to/script

The script will be executed with keyfile (in this case, "none") as the only argument, and the output from the script will be used as the key.

It gets the rest of the input as environment variables:

    CRYPTTAB_NAME            The target name
    CRYPTTAB_SOURCE          The source device
    CRYPTTAB_KEY             The key file
    CRYPTTAB_OPTIONS         A list of exported crypttab options
    CRYPTTAB_OPTION_<option> The value of the appropriate crypttab option, with value set to 'yes' in case the option is merely a flag.

I got most of this from the manual page crypttab(5); it's better written than what I can provide.

Of course, a setup like this will be difficult to make secure, and it depends a lot on what you put in your script.
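As an added illustration of the keyscript contract feitingen describes (not code from the answer, nor from cryptsetup or any RHEL package), the script below reads the target name from CRYPTTAB_NAME, takes the crypttab key field as its only argument, and writes the raw key to stdout. The network key store is stood in for by a local directory so the script runs offline; a real deployment would replace lookup_key with an authenticated fetch over TLS. All names here (KEYSTORE_DIR, CRYPTSETUP, lookup_key, get_luks_key, unlock_volume, the installed file name keyscript-example.sh) are this example's own assumptions. The keyscript= option is a feature of Debian's cryptsetup packaging; where the RHEL6 tooling in use lacks it, the same script can be driven from an init script after boot through unlock_volume, which feeds the key to cryptsetup on stdin rather than through a command-line argument or a temporary file.

```shell
#!/bin/sh
# Added example: a crypttab-style keyscript plus a post-boot wrapper.
# Environment contract (from crypttab(5)): CRYPTTAB_NAME is the target,
# CRYPTTAB_SOURCE the device, $1 the crypttab key field ("none" above).

# Constructed stand-in for the network key store: one file per target,
# named <target>.key, holding the exact key bytes enrolled with cryptsetup.
: "${KEYSTORE_DIR:=/var/lib/keystore-example}"
# Overridable so a dry run can substitute something else for the binary.
: "${CRYPTSETUP:=cryptsetup}"

# Accept only target names that are safe to use as a single path component:
# no empty name, no slash, no leading dot, only [A-Za-z0-9_.-].
valid_target_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Back end: emit the key for a target, or fail. This is the function a real
# deployment would replace with an authenticated network fetch.
lookup_key() {
    keyfile="$KEYSTORE_DIR/$1.key"
    [ -f "$keyfile" ] || return 1
    # A key readable by group or world defeats the point of encrypting the
    # disk, so refuse anything other than owner-only permissions. Characters
    # 5-10 of `ls -l` are the group and other permission bits.
    mode=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "keyscript: $keyfile must be mode 0600" >&2
        return 1
    fi
    # Key bytes are passed through unchanged (a trailing newline, if any,
    # is part of the key), matching cryptsetup's key-file semantics.
    cat "$keyfile"
}

# Keyscript entry point: what /etc/crypttab's keyscript= would invoke.
get_luks_key() {
    target="${CRYPTTAB_NAME:-}"
    if [ -z "$target" ]; then
        echo "keyscript: CRYPTTAB_NAME not set" >&2
        return 2
    fi
    if ! valid_target_name "$target"; then
        echo "keyscript: refusing target name '$target'" >&2
        return 2
    fi
    lookup_key "$target" || {
        echo "keyscript: no usable key for target '$target'" >&2
        return 1
    }
}

# Post-boot wrapper: unlock_volume <target> <device>. The key travels over a
# pipe to cryptsetup's stdin (--key-file=-), never as an argument or a file.
unlock_volume() {
    CRYPTTAB_NAME="$1" CRYPTTAB_SOURCE="$2" get_luks_key none |
        "$CRYPTSETUP" luksOpen --key-file=- "$2" "$1"
}

# Act as a keyscript only when installed under the assumed file name, so the
# functions above can also be sourced from an init script.
case "${0##*/}" in
    keyscript-example.sh) get_luks_key "$@" ;;
esac
```

The crypttab entry from the answer would then point keyscript= at the installed script; an init script would instead call `unlock_volume cdisk3 /dev/sda3` followed by the mount. Whatever replaces lookup_key, keep the two properties the stub enforces: the target name is validated before it is used to build a lookup, and the key is rejected when its at-rest permissions are wider than the root user.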

0
mtak

IMHO you can only do this for non-boot and non-root disks. To access a network service to get the credentials, Linux would have to:

  1. Boot the system
  2. Set up a remote mount
  3. Retrieve the creds
  4. Mount the disk

You could write a shell script for it and make sure it gets started at boot time. Keep in mind that you would have to store the credentials of the network share/database on the client system, which kind of defeats the purpose :)

0
a CVn

There is a tool already out there for doing pretty much what you want, at least assuming that you aren't booting from such an encrypted volume (unattended booting from an encrypted volume comes with its own set of problems, and while there are clear indications that it's doable using this, I don't think I'd want to try it on a first attempt at least). It's called Mandos.

Basically what it does is store the key on a separate system (the Mandos server) and allows the client to query for it in a secure fashion. Once the client has the key, that key can be used to unlock a LUKS container.

You would of course have to protect the Mandos server appropriately, but that's an issue with any key storage, and certainly not unique to Mandos.

There is a diagram of how it works on the web site.