Automated Distributed File System Decryption
This is a collection of scripts to automatically decrypt a file system when booting a Linux system, without having to keep the key file locally on that system. The scripts are featured in a talk for Chemnitzer Linuxtage 2022 https://chemnitzer.linux-tage.de/2022/de/programm/beitrag/253 (the talk is in German).
The key generated below must be stored somewhere safe: together with the LUKS header it is all that is needed to decrypt the data.
dd if=/dev/urandom of=/dev/shm/key bs=1M count=1
Using base64 makes the key file a lot easier to handle. Transfer the split key parts to the remote systems.
base64 /dev/shm/key > /dev/shm/key_b64
split -n 2 /dev/shm/key_b64 key_
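The key creation, encoding and splitting above, plus the reassembly step the remote side has to perform, as an added shell example that is not part of the repository. It uses a temporary directory instead of /dev/shm (an assumption for running it offline), splits into a configurable number of parts, and verifies that the concatenated parts decode to the original key while a single part alone does not:

```shell
#!/bin/sh
# Added example, not part of the repository: generate a random key the way the
# README does, base64-encode it, split it into N parts (one per remote host),
# then reassemble the parts and verify the result is byte-identical.
# WORKDIR is an assumed scratch location; the real key and its parts would live
# in /dev/shm and on the remote systems.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_key_parts NPARTS: writes key, key_b64 and the parts key_aa, key_ab, ...
make_key_parts() {
    nparts="$1"
    dd if=/dev/urandom of="$WORKDIR/key" bs=1M count=1 2>/dev/null
    base64 "$WORKDIR/key" > "$WORKDIR/key_b64"          # text, easy to transfer
    split -n "$nparts" "$WORKDIR/key_b64" "$WORKDIR/key_"
}

# count_parts: prints how many key_?? parts were produced
count_parts() {
    ls "$WORKDIR"/key_?? | wc -l | tr -d ' '
}

# reassemble_key: concatenates the parts in suffix order (aa, ab, ...) and decodes
reassemble_key() {
    cat "$WORKDIR"/key_?? > "$WORKDIR/key_b64.recovered"
    base64 -d "$WORKDIR/key_b64.recovered" > "$WORKDIR/key.recovered"
}

# key_matches: prints 1 if the recovered key equals the original, else 0
key_matches() {
    if [ "$(cksum < "$WORKDIR/key")" = "$(cksum < "$WORKDIR/key.recovered")" ]; then
        echo 1
    else
        echo 0
    fi
}

# single_part_is_useless: prints 1 if decoding only the first part does not
# yield the original key (it cannot: the part is incomplete base64 data)
single_part_is_useless() {
    base64 -d "$WORKDIR/key_aa" > "$WORKDIR/key.partial" 2>/dev/null || true
    if [ "$(cksum < "$WORKDIR/key")" = "$(cksum < "$WORKDIR/key.partial")" ]; then
        echo 0
    else
        echo 1
    fi
}
```

The order of concatenation matters: split names its output with increasing suffixes, so a shell glob like key_?? already sorts them correctly. With more than two remote hosts, pass the host count as NPARTS and ship one part per host.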
There is only one key present in the LUKS container, and that one is not human readable.
cryptsetup luksFormat --key-file /dev/shm/key /dev/vdb
cryptsetup luksOpen --key-file /dev/shm/key /dev/vdb lukscrypt
mkfs.ext4 /dev/mapper/lukscrypt
Store the header backup somewhere safe: together with the key it is all that is needed to decrypt the data.
cryptsetup luksHeaderBackup /dev/vdb --header-backup-file /dev/shm/headerbackup
Restoring the header, just for the sake of completeness. You should consider reading the LUKS manpage anyway.
cryptsetup luksHeaderRestore /dev/vdb --header-backup-file /dev/shm/headerbackup
Installing the systemd unit this way works for most distributions.
cp mount-enc-fs.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable mount-enc-fs.service
If you run knockd somewhere, you usually have it behind a firewall, so opening the ports is important. The ports obviously depend on the destination.
firewall-cmd --permanent --zone=public --add-port=8001-8004/tcp
or
iptables -A INPUT -p tcp --dport 8001:8004 -j ACCEPT
To add an SSH connection with a pretty restricted key, add the following to ~/.ssh/authorized_keys:
command="if [[ \"$SSH_ORIGINAL_COMMAND\" =~ ^scp[[:space:]]-f[[:space:]]/some/absolute/path ]]; then $SSH_ORIGINAL_COMMAND ; else echo no access; fi",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...
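The allow/deny decision that the forced command above makes, as an added shell example that is not part of the repository. The first function reproduces the README's prefix match; the second is a tighter variant (an added suggestion, not from the project) that anchors the pattern to the end of the command and restricts it to the key_?? part names produced by split. /some/absolute/path is the placeholder directory from the authorized_keys line:

```shell
#!/bin/sh
# Added example, not part of the repository: the allow/deny decision that the
# forced command in authorized_keys makes, as functions you can run offline.
# ALLOWED_DIR and the key_?? file names are assumptions matching the split step.
ALLOWED_DIR="/some/absolute/path"

# check_scp_loose CMD: the README's check, a prefix match on the path.
# Prints "allow" or "deny".
check_scp_loose() {
    if printf '%s\n' "$1" | grep -Eq "^scp[[:space:]]-f[[:space:]]$ALLOWED_DIR"; then
        echo allow
    else
        echo deny
    fi
}

# check_scp_strict CMD: same idea, but anchored to the end of the command and
# limited to one key part name, so neither extra arguments nor a path that
# merely starts with ALLOWED_DIR (for example one containing "..") get through.
check_scp_strict() {
    if printf '%s\n' "$1" | grep -Eq "^scp[[:space:]]-f[[:space:]]$ALLOWED_DIR/key_[a-z]+\$"; then
        echo allow
    else
        echo deny
    fi
}
```

To use the stricter pattern in authorized_keys, replace the regex in the command= option with the anchored form, e.g. ^scp[[:space:]]-f[[:space:]]/some/absolute/path/key_[a-z]+$ (bash's [[ =~ ]] accepts the same extended regular expression as grep -E).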
Do this at your own risk, as it will overwrite an existing file. Remember to adjust /etc/default/knockd if needed.
cp knockd.conf /etc/
Files in this repository:
knockd.conf: Knock daemon configuration file, usually to be placed under /etc/knockd.conf. Remember that this file is only an example and has to be customized for every node.
mount_encrypted_filesystem.sh: Script to fetch all key parts and mount the encrypted filesystem. The header section has to be customized. This is where all the magic happens. Has to be placed under /root/ if you are using the vanilla service file (see above).
mount-enc-fs.service: Systemd unit file, usually to be placed under /etc/systemd/system.
unmount_encrypted_filesystem.sh: Script to unmount the filesystem. Actually this is part of mount_encrypted_filesystem.sh and only there for convenience. Should be placed alongside mount_encrypted_filesystem.sh.