Cannot decrypt swap partition with Mandos inside a LV (LVM)

Olivier Molinete olivier at molinete.org
Fri May 30 13:33:36 CEST 2014


 

Hi Teddy!

On 29/05/2014 12:41, Teddy Hogeborn wrote:

>> But the problem comes when the swap encrypted partition has to be 
>> decrypted... It seems that mandos(-server) does not send the passphrase
>> in that case (to decrypt the swap partition), and the server with 
>> mandos-client waits forever with the passphrase prompt till you enter the 
>> passphrase manually through the console. My question is: Am I doing
>> something wrong? Am I missing something? Maybe it is a Mandos limitation
>> which I don't know, but I haven't found any info related to that issue in
>> the documentation or googlin'. 

> Once the system has started booting, Mandos is out of the picture, and
> is no longer relevant. In your situation, I would suggest that you save
> the password for other crypto devices, like your swap partition, in a
> keyfile (I would suggest putting it in something like /etc/keys/swap)
> and edit /etc/crypttab to reference that keyfile (in the third field).

Thank you very much, Teddy. I didn't know that solution. I implemented it
yesterday and it works great :)

> It seems like this problem is because of your unusual setup. You have:
> [HD] -> [Part.] -> [LVM PV] -> [LVM VG] -> [LVM LV] -> [LUKS] -> [FS]
> but the usual setup is:
> [HD] -> [Part.] -> [LUKS] -> [LVM PV] -> [LVM VG] -> [LVM LV] -> [FS]
>
> In this usual setup, there is only one encrypted device, and the swap is
> located on an LVM LV. Since there is only one encrypted device, Mandos
> can supply the decryption password at boot time with no further
> passwords needed.
>
> (To complete the picture: In the normal case, software RAID is placed
> between [Partition] and [LUKS], and hardware RAID looks like a [HD];
> i.e. it is located between [HD] and [Partition].)

Yep, that's right. You can use both setups (LVM on LUKS or LUKS on LVM).
I prefer LUKS on LVM for the reasons you can find on the comparison
table at
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Overview

Now my problem is a different one: yesterday everything worked flawlessly,
but now I don't know if I'm doing something wrong, because the machine with
mandos-client does not get the password from the mandos(-server) on another
machine.

Here is my config:

Host with mandos-client: (Called "all-in-one", on 192.168.1.100)
========================

/etc/default/grub:
------------------

[...]
GRUB_CMDLINE_LINUX_DEFAULT="ip=192.168.1.100::192.168.1.1:255.255.255.0:all-in-one:eth0 mandos=connect:192.168.1.165:4711 quiet locale=es_ES.UTF-8 nordrand loglevel=2"
[...]

Mandos client data after executing "mandos-keygen --password":
--------------------------------------------------------------

[all-in-one]
host = all-in-one
fingerprint = C978376F75A37FCC1DCCF44F7EF7AA808895F276
secret =
 hQIMAwyhKB/kSSbzARAAqjg0cXIeisdbU+KejPvcd8Wnyv5fBtf0PgEds4QMVZY3
 LmLq4j3mM7uXWK1/K4AKFPHTY24N7DtvEUpVncCXkV4ajuPyoYGqZaYRVp1jGsp2
 [...]
 63+Nahwibhsj+ipFQToCQMIGkweFC8P5QWsuVyQblVUE6M2ANi4ig9cK7tMrC6VC
 m2bYTxkv

Host with mandos(-server): (Called "imandos01", on 192.168.1.165)
==========================

/etc/mandos/mandos.conf:
------------------------

# This file must have exactly one section named "DEFAULT".
[DEFAULT]

# These are the default values for the server, uncomment and change
# them if needed.

# If "interface" is set, the server will only listen to a specific
# network interface.
;interface = 
interface = eth0

# If "address" is set, the server will only listen to a specific
# address. This must currently be an IPv6 address; an IPv4 address
# can be specified using the "::FFFF:192.0.2.3" syntax. Also, if this
# is a link-local address, an interface should be set above.
;address =
address = ::FFFF:192.168.1.165

# If "port" is set, the server to bind to that port. By default, the
# server will listen to an arbitrary port.
;port = 
port = 4711

# If "debug" is true, the server will run in the foreground and print
# a lot of debugging information.
;debug = False

# GnuTLS priority for the TLS handshake. See gnutls_priority_init(3).
;priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160

# Zeroconf service name. You need to change this if you for some
# reason want to run more than one server on the same *host*.
# If there are name collisions on the same *network*, the server will
# rename itself to "Mandos #2", etc.
;servicename = Mandos
servicename = Mandos

# Whether to provide a D-Bus system bus interface or not
;use_dbus = True
use_dbus = True

# Whether to use IPv6. (Changing this is NOT recommended.)
;use_ipv6 = True
use_ipv6 = True

# Whether to restore saved state on startup
;restore = True
restore = True

# The directory where state is saved
;statedir = /var/lib/mandos
statedir = /var/lib/mandos

# Whether to run in the foreground
;foreground = False
;foreground = True

/etc/mandos/clients.conf:
-------------------------

# Default settings for all clients. These values are the default
# values, so uncomment and change them if you want different ones.
[DEFAULT]

# How long until a client is disabled and no longer allowed to get the
# data this server holds.
;timeout = PT5M

# How often to run the checker to confirm that a client is still up.
# Note: a new checker will not be started if an old one is still
# running. The server will wait for a checker to complete until the
# above "timeout" occurs, at which time the client will be disabled,
# and any running checker killed.
;interval = PT2M

# Extended timeout is an added timeout that is given once after a
# password has been sent successfully to a client. This allows for
# additional delays caused by file system checks and quota checks.
;extended_timeout = PT15M

# What command to run as "the checker".
;checker = fping -q -- %%(host)s
checker = fping -q -- %%(host)s

# Whether to approve a client by default after the approval delay.
;approved_by_default = True
approved_by_default = True

# How long to wait for approval.
;approval_delay = PT0S
;approval_delay = PT0S

# How long one approval will last.
;approval_duration = PT1S
;approval_duration = PT1S

# Whether this client is enabled by default
;enabled = True
enabled = True

;####
;# Example client
;[foo]
;
;# OpenPGP key fingerprint
;fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920
;
;# This is base64-encoded binary data. It will be decoded and sent to
;# the client matching the above fingerprint. This should, of course,
;# be OpenPGP encrypted data, decryptable only by the client.
;secret =
; hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234
; REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N
; Xl89vGvdU1XfhKkVm9MDLOgT5ECDPysDGHFPDhqHOSu3Kaw2DWMV/iH9vz
; 3Z20erVNbdcvyBnuojcoWO/6yfB5EQO0BXp7kcyy00USA3CjD5FGZdoQGI
; Tb8A/ar0tVA5crSQmaSotm6KmNLhrFnZ5BxX+TiE+eTUTqSloWRY6VAvqW
; QHC7OASxK5E6RXPBuFH5IohUA2Qbk5AHt99pYvsIPX88j2rWauOokoiKZo
; t/9leJ8VxO5l3wf/U64IH8bkPIoWmWZfd/nqh4uwGNbCgKMyT+AnvH7kMJ
; 3i7DivfWl2mKLV0PyPHUNva0VQxX6yYjcOhj1R6fCr/at8/NSLe2OhLchz
; dC+Ls9h+kvJXgF8Sisv+Wk/1RadPLFmraRlqvJwt6Ww21LpiXqXHV2mIgq
; WnR98YgSvUi3TJHrUQiNc9YyBzuRo0AjgG2C9qiE3FM+Y28+iQ/sR3+bFs
; zYuZKVTObqiIslwXu7imO0cvvFRgJF/6u3HNFQ4LUTGhiM3FQmC6NNlF3/
; vJM2hwRDMcJqDd54Twx90Wh+tYz0z7QMsK4ANXWHHWHR0JchnLWmenzbtW
; 5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm
; 4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O
; QlnHIvPzEArRQLo=
;
;# Host name; used only by the checker, not used by the server itself.
;host = foo.example.org
;####

[all-in-one]
approved_by_default = True
enabled = True
host = all-in-one
#host = 192.168.1.100
fingerprint = C978376F75A37FCC1DCCF44F7EF7AA808895F276
secret =
 hQIMAwyhKB/kSSbzARAAqjg0cXIeisdbU+KejPvcd8Wnyv5fBtf0PgEds4QMVZY3
 LmLq4j3mM7uXWK1/K4AKFPHTY24N7DtvEUpVncCXkV4ajuPyoYGqZaYRVp1jGsp2
 [...]
 63+Nahwibhsj+ipFQToCQMIGkweFC8P5QWsuVyQblVUE6M2ANi4ig9cK7tMrC6VC
 m2bYTxkv

;####
;# Another example client, named "bar".
;[bar]
;# The fingerprint is not space or case sensitive
;fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27
;
;# If "secret" is not specified, a file can be read for the data.
;secfile = /etc/mandos/bar-secret.bin
;
;# An IP address for host is also fine, if the checker accepts it.
;host = 192.0.2.3
;
;# Parameters from the [DEFAULT] section can be overridden per client.
;interval = PT1M
;
;# This client requires manual approval before it receives its secret.
;approved_by_default = False
;# Require approval within 30 seconds.
;approval_delay = PT30S
;####

And this is what mandos-monitor shows:
--------------------------------------

2014-05-30T12:47:11.519245: Client with address ::ffff:192.168.1.100 and
fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found

- What am I doing wrong or missing??
- On the other hand, does mandos have any kind of log? I searched the
documentation and found nothing related :(

Could you please help me?? o:)

Thank you very much in advance once again, Teddy.

Kind regards,
Olivier Molinete
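The keyfile approach from Teddy's reply above (a random key in something like /etc/keys/swap, referenced from the third field of /etc/crypttab), worked through as an added example that is not part of the original post or of the Mandos project. It runs against a temporary directory standing in for /etc; the key size, the mapping name swap_crypt and the device /dev/vg0/swap are assumptions for illustration.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Size of the random keyfile; an assumption for this example, not a value
# from the mailing-list post.
KEY_BYTES = 64


def write_keyfile(path: Path) -> Path:
    """Create `path` with KEY_BYTES of random data, readable only by its owner.

    The file is opened with O_EXCL and mode 0600 before any byte is written,
    so an existing key is never silently overwritten and the data is never
    readable by other users, even briefly. It is then locked down to 0400.
    """
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(KEY_BYTES))
    os.chmod(path, 0o400)
    return path


def keyfile_is_sane(path: Path) -> bool:
    """Check the size and that no group/other permission bits are set."""
    st = path.stat()
    return st.st_size == KEY_BYTES and (st.st_mode & 0o077) == 0


def crypttab_line(name: str, device: str, keyfile: Path, options: str = "luks") -> str:
    """Build the /etc/crypttab entry: <target> <source device> <key file> <options>.

    The key file goes in the third field, as the reply in the thread says.
    """
    return f"{name} {device} {keyfile} {options}"


def demo_in_tempdir() -> tuple:
    """Run the whole flow against a temporary directory instead of /etc.

    Returns (keyfile path, crypttab line) so the result can be inspected
    without touching the real system. Device and mapping names are
    hypothetical.
    """
    fake_etc = Path(tempfile.mkdtemp())
    key = write_keyfile(fake_etc / "keys" / "swap")
    line = crypttab_line("swap_crypt", "/dev/vg0/swap", Path("/etc/keys/swap"))
    return key, line


if __name__ == "__main__":
    key, line = demo_in_tempdir()
    print(f"wrote {key} ({'ok' if keyfile_is_sane(key) else 'BAD PERMISSIONS'})")
    print("crypttab entry:", line)
```

On a real system the key still has to be enrolled in the LUKS header (cryptsetup luksAddKey /dev/vg0/swap /etc/keys/swap, which prompts for an existing passphrase) before the crypttab entry is useful. The keyfile lives on the root filesystem, which Mandos has already unlocked by the time crypttab is processed, so it is only readable once root is open; this is why the approach covers swap and other non-root volumes but not the root device itself.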

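The mandos-monitor message quoted above reports a fingerprint that "could not be found". The first thing to verify is whether that fingerprint matches any client section in clients.conf at all, remembering that fingerprints there are neither space nor case sensitive. The following is an added example, not code from the original post or from the Mandos project: it parses a constructed clients.conf in the shape of the one quoted in the thread (the secret lines are placeholders), extracts the address and fingerprint from the monitor line, and reports which sections match, whether any match is disabled, and whether any match lacks a secret. If the fingerprint does match this file, the question narrows to whether the running server has actually loaded it; if it does not, the client's key is not the one the server knows about.

```python
import configparser
import re

# Constructed sample in the shape of the clients.conf quoted in the thread.
# The secret lines are placeholders, not real OpenPGP data.
SAMPLE_CLIENTS_CONF = """\
[DEFAULT]
checker = fping -q -- %%(host)s
approved_by_default = True
enabled = True

[all-in-one]
host = all-in-one
fingerprint = C978376F75A37FCC1DCCF44F7EF7AA808895F276
secret =
 PLACEHOLDER_BASE64_LINE_1
 PLACEHOLDER_BASE64_LINE_2

;[bar]
;fingerprint = 3e39 3aea efb8 4c7e 89e2 f547 b3a1 0755 8fca 3a27
"""

# The mandos-monitor line from the thread, used here as sample input.
SAMPLE_MONITOR_LINE = (
    "2014-05-30T12:47:11.519245: Client with address ::ffff:192.168.1.100 "
    "and fingerprint C978376F75A37FCC1DCCF44F7EF7AA808895F276 could not be found"
)

MONITOR_RE = re.compile(
    r"Client with address (?P<addr>\S+) and fingerprint "
    r"(?P<fpr>[0-9A-Fa-f ]+?) could not be found"
)


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and upper-case: clients.conf fingerprints are
    neither space nor case sensitive, so compare them in canonical form."""
    return re.sub(r"\s+", "", fpr).upper()


def load_clients(conf_text: str) -> dict:
    """Parse clients.conf and return {section: info} for each client section.

    Interpolation is disabled so the '%%(host)s' checker value is left alone.
    Values from [DEFAULT] are inherited by every client section.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    clients = {}
    for name in cp.sections():
        secret = cp.get(name, "secret", fallback="").strip()
        secfile = cp.get(name, "secfile", fallback="").strip()
        clients[name] = {
            "fingerprint": normalize_fingerprint(cp.get(name, "fingerprint", fallback="")),
            "enabled": cp.getboolean(name, "enabled", fallback=True),
            "has_secret": bool(secret or secfile),
        }
    return clients


def parse_monitor_line(line: str):
    """Return (address, normalized fingerprint), or None for other messages."""
    m = MONITOR_RE.search(line)
    if not m:
        return None
    return m.group("addr"), normalize_fingerprint(m.group("fpr"))


def match_monitor_line(conf_text: str, line: str) -> dict:
    """Cross-check a 'could not be found' message against clients.conf."""
    parsed = parse_monitor_line(line)
    if parsed is None:
        return {"recognised": False}
    addr, fpr = parsed
    clients = load_clients(conf_text)
    matches = [n for n, c in clients.items() if c["fingerprint"] == fpr]
    return {
        "recognised": True,
        "address": addr,
        "fingerprint": fpr,
        "matches": matches,
        "disabled_matches": [n for n in matches if not clients[n]["enabled"]],
        "matches_without_secret": [n for n in matches if not clients[n]["has_secret"]],
    }


if __name__ == "__main__":
    result = match_monitor_line(SAMPLE_CLIENTS_CONF, SAMPLE_MONITOR_LINE)
    if result["matches"]:
        print(f"fingerprint {result['fingerprint']} is configured as {result['matches']}; "
              "check that the running server has loaded this clients.conf")
    else:
        print(f"no section in clients.conf has fingerprint {result['fingerprint']}")
```

To run it against a real installation, read /etc/mandos/clients.conf into a string and pass each mandos-monitor line to match_monitor_line; the commented-out example sections (";[foo]", ";[bar]") are ignored by the parser exactly as the server ignores them.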
 