Cannot decrypt swap partition with Mandos inside a LV (LVM)

Olivier Molinete olivier at molinete.org
Sat May 31 21:04:11 CEST 2014


 

Hello Dick, 

Thanks for your answer :) 

Yep, I got the same password on both LVs, but I preferred to create a
binary key following my own steps after reading some examples out
there:

# mkdir /etc/keys/luks
# chmod 700 /etc/keys/luks

# dd if=/dev/urandom of=/etc/keys/luks/swap.key bs=1024 count=4

# chmod 400 /etc/keys/luks/*
# cryptsetup luksAddKey /dev/mapper/sda_volgrp_crypt-logvol02_swap /etc/keys/luks/swap.key
# vi /etc/crypttab
#<target name> <source device> <key file> <options>
sda_volgrp_crypt-logvol01_root_crypt /dev/mapper/sda_volgrp_crypt-logvol01_root none luks,tries=3
sda_volgrp_crypt-logvol02_swap_crypt /dev/mapper/sda_volgrp_crypt-logvol02_swap /etc/keys/luks/swap.key luks,swap,tries=3

# grub-install /dev/sda
# update-grub && update-initramfs -u -k all

Regarding the GnuTLS and RSA problem, it could be, but if it were that,
Mandos would never have authenticated my mandos-client host as it did two
days ago. In addition, no apt update was performed on either machine
(mandos-server and mandos-client) for at least two weeks.

That is the reason I have no idea where the ball is, or where to
look... :-S

Maybe Mandos has some kind of cache or proprietary database where this
kind of data relating to the mandos-clients is stored and could be
purged, but apart from the file /var/lib/mandos/clients.pickle (which does
not exist on my mandos-server), I don't know where to search...

Could somebody help me, please? 

Thank you very much in advance, once again :) 

Kind regards,
Olivier Molinete 

On 31/05/2014 18:16, Dick Middleton wrote: 

> On 05/30/14 12:33, Olivier Molinete wrote:
> Once the system has started booting, Mandos is out of the picture, and is no longer relevant. In your situation, I would suggest that you save the password for other crypto devices, like your swap partition, in a keyfile (I would suggest putting it in something like /etc/keys/swap) and edit /etc/crypttab to reference that keyfile (in the third field).

I'm not sure if this is relevant: I have the same arrangement as you
with each LV separately encrypted. (This is because in the early days
using a LUKS partition for a PV didn't work.) I have my swap in a real
partition but it uses the same passphrase as the root disc. Rather than
be prompted twice I do this in the crypttab file:

swap UUID=..... root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

I've no idea how it works but it does!

I've had a lot of problems in the past with mandos vs gnutls, especially
with rsa encryption. I think the problems have finally been solved but
you do need to use recent versions of gnutls. The main symptom is it
doesn't get the key from the mandos server even though everything is
configured correctly.

Dick -- Dick Middleton
dick at fouter.net 
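Editor's added example, not code from this thread or from the Mandos project: the keyfile approach discussed above (a raw key in /etc/keys/luks referenced from the third crypttab field) is only as strong as that file's ownership and mode on the root filesystem that Mandos has already unlocked, so a small audit of every key file named in a crypttab is worth keeping around. The function below assumes GNU stat (as on Debian); the optional second argument is the uid that must own the key files, defaulting to 0 (root), and exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Mandos project.
# Audit the key files referenced from a crypttab: every entry whose third
# field is a path should point at a regular file owned by root (uid 0,
# overridable via $2 for unprivileged testing) with mode 0400 or 0600.
# Entries with none/- (passphrase prompt) and entries using a keyscript
# such as decrypt_derived (third field is a mapping name, not a file) are
# skipped. Assumes GNU stat -c, as shipped on Debian.
#
# Usage (as root): check_crypttab_keys /etc/crypttab
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_crypttab_keys() {
    crypttab=$1
    want_uid=${2:-0}
    rc=0
    # crypttab(5) fields: target source keyfile options
    while read -r target src keyfile options; do
        # skip blank lines and comment lines
        case $target in ''|"#"*) continue ;; esac
        # none or - means "prompt for a passphrase": nothing on disk to check
        case $keyfile in ''|none|-) continue ;; esac
        # with a keyscript the third field is an argument to the script
        case $options in *keyscript=*) continue ;; esac
        if [ ! -e "$keyfile" ]; then
            echo "$target: key file $keyfile missing"
            rc=1
            continue
        fi
        # cryptsetup also accepts a block device as key material; only a
        # regular file has permissions worth auditing here
        [ -f "$keyfile" ] || continue
        mode=$(stat -c %a "$keyfile")
        owner=$(stat -c %u "$keyfile")
        case $mode in
            400|600) ;;
            *) echo "$target: $keyfile has mode $mode, expected 400 or 600"
               rc=1 ;;
        esac
        if [ "$owner" != "$want_uid" ]; then
            echo "$target: $keyfile owned by uid $owner, expected $want_uid"
            rc=1
        fi
    done < "$crypttab"
    return $rc
}
```

Run it as root against /etc/crypttab after editing the file. Note that it only checks the local-user side of the problem: the key file itself is plaintext, and what keeps it from an attacker with the disk in hand is that it lives on a volume Mandos unlocks, not the mode bits.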

_______________________________________________
Mandos-Dev mailing list Mandos-Dev at recompile.se

https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev