...stuff I do and things I like...

Wednesday, May 02 2007

Crypted Root Server

Some time ago I set up a new root server for a new project of a friend and myself; this time I wanted to go full crypto. In the beginning I thought this might be a lot of work, but as it turned out it is quite simple if you do some thinking.

There are many ways to do this; this is how I did it.

The setup works like this: the server boots into a minimal system that starts only the SSH daemon. Then you log in and enter or upload the passphrase to unlock the disk(s). Finally you tell the system that you are done, after which you are kicked out and the system completes the boot by mounting the real root partition and executing init from there. At this point everything is as usual.

There are two basic parts in this setup: first, building a good minimal system so you don't waste too much space, and second, building the init script for the minimal system.

The minimal system needs to contain stuff like: sshd, filesystem tools such as mkfs, fsck, fdisk, etc., cryptsetup, networking tools like ifconfig, route, ip, etc., mdadm (if you run RAID), and of course all the required libraries. The easiest way to do this is using the recovery tool your hoster provides. Just set up a minimal system on one partition and strip it down before moving it to the boot partition.

The init script is quite simple. It needs to do three things: first, configure the network (IP address and route); second, start sshd; and third, start the actual system after the root partition has been unlocked. My script works as follows: after sshd has been started, the script waits for a file to be created in the tmp directory. As soon as the file is created, all ssh processes are killed and the real system is booted.
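A sketch of such an init script, as an added example and not the script linked from this post. The interface, addresses, mapping name `/dev/mapper/root`, mount point `/newroot`, the `MINI_INIT=1` guard and the extra check that the unlocked device really exists before booting are all assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Addresses and device names are assumptions.
# Assumes the minimal system ships a populated /dev (including /dev/pts for sshd).
FLAG=/tmp/READY_TO_BOOT          # flag file named in the post
ROOT_DEV=/dev/mapper/root        # assumed name of the unlocked mapping
NEWROOT=/newroot                 # assumed mount point; real root must contain ./oldroot
IFACE=eth0 IP_ADDR=192.0.2.10 NETMASK=255.255.255.0 GATEWAY=192.0.2.1  # constructed

# Return 0 once the flag file exists; give up after $2 seconds (0 = wait forever).
wait_for_flag() {
    waited=0
    until [ -e "$1" ]; do
        if [ "$2" -gt 0 ] && [ "$waited" -ge "$2" ]; then return 1; fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# True only if the unlocked root really shows up as a block device.
root_unlocked() { [ -b "$1" ]; }

mini_init() {
    mount -t proc proc /proc                 # pkill needs /proc
    mount -t tmpfs -o mode=0700 tmpfs /tmp   # RAM only: flag and uploaded key never hit disk
    ifconfig "$IFACE" "$IP_ADDR" netmask "$NETMASK" up
    route add default gw "$GATEWAY"
    /usr/sbin/sshd
    while :; do
        wait_for_flag "$FLAG" 0
        if root_unlocked "$ROOT_DEV"; then break; fi
        rm -f "$FLAG"                        # flag set too early: keep sshd up, wait again
    done
    pkill sshd                               # kicks out every SSH session
    mount -o ro "$ROOT_DEV" "$NEWROOT"       # the real init remounts read-write
    cd "$NEWROOT"
    pivot_root . oldroot                     # minimal system ends up under /oldroot
    exec chroot . /sbin/init <dev/console >dev/console 2>&1
}

# Run only as PID 1 with MINI_INIT=1 (e.g. set on the kernel command line).
if [ "$$" -eq 1 ] && [ "${MINI_INIT:-}" = 1 ]; then mini_init; fi
```

Checking for the block device before leaving the loop means a flag file created too early does not kill sshd and leave the server unreachable with a locked root.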


Files:
    file list of my minimal system
    init script for minimal system (touch /tmp/READY_TO_BOOT after you have unlocked the root partition)


Some notes:
    You need to encrypt your swap, otherwise this is useless!
    If you upload a key to your minimal system, upload the key only to a RAM drive; never write it to disk. Otherwise all the work is useless!
    Remember your key! Remember your key! Remember your key!


Todo:
    Filesystem integrity check for the minimal system. This is a very hard task and I don't have a solution so far.