
Add encryption key to device after installation

I started to use encryption on my drives during installation (and also with external drives). As ironic as this sounds: I'm sick of entering my encryption pass-phrase every time I boot my laptop. Even though what I am about to do is *less* secure, I still think it leaves my machine pretty damn secure.
I am preventing someone from stealing my laptop and pulling the drive to get my data. Yes, the machine boots, which means they either have to brute-force a login at the console or hack a service once the machine is up. At that point, they almost deserve my "sensitive data"...

Anyhow, if you would like to use encryption on your OS drive but do not want to enter a passphrase at boot, do the following (as root):

```sh
# 32 random bytes as the key, readable by root only
dd if=/dev/urandom of=/root/.keyfile bs=32 count=1
chmod 0600 /root/.keyfile
# add the keyfile to a free LUKS key slot (prompts for an existing passphrase)
cryptsetup luksAddKey /dev/sda4 /root/.keyfile
# point the key field of /etc/crypttab ("none") at the keyfile
sed -i -e 's/none/\/root\/.keyfile/g' /etc/crypttab
# rebuild the initramfs for the running kernel with the keyfile embedded
dracut --force --install /root/.keyfile /boot/initramfs-`uname -r`.img
```

# SPECIAL CASE(S)
If your LUKS containers are not on a whole partition (like sda4 in the example above) but on LVM logical volumes, run lsblk to find the crypt devices and add the key to each underlying volume:
```
[root@neo ~]# lsblk
NAME                                            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                               8:0    0 223.6G  0 disk 
├─sda1                                            8:1    0   100M  0 part  /boot/efi
├─sda2                                            8:2    0   128M  0 part 
├─sda3                                            8:3    0 104.2G  0 part  /windows/C
├─sda4                                            8:4    0   256M  0 part  /boot
└─sda5                                            8:5    0  97.2G  0 part 
  ├─fedora-01                                   253:0    0  93.1G  0 lvm  
  │ └─luks-9d8c2cdc-aa74-4710-abc8-81f045573401 253:3    0  93.1G  0 crypt /
  └─fedora-00                                   253:1    0     4G  0 lvm  
    └─luks-5b9faf52-9831-4fe1-803b-750877c743e3 253:2    0     4G  0 crypt [SWAP]
mmcblk0                                         179:0    0 119.3G  0 disk 
└─mmcblk0p1                                     179:1    0 119.3G  0 part  /X1CARBON
```

Here the LUKS containers sit on the two logical volumes fedora-00 (swap) and fedora-01 (root), so the key is added to each of them:

```sh
cryptsetup luksAddKey /dev/mapper/fedora-00 /root/.keyfile
cryptsetup luksAddKey /dev/mapper/fedora-01 /root/.keyfile
```


Then rebuild the initramfs with the keyfile, here for an explicitly named kernel version:

```sh
dracut --force --install /root/.keyfile /boot/initramfs-3.15.8-200.fc20.x86_64.img
```
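The same procedure, for both the single-partition case and the LVM special case above, as a script with the checks worth running before rebooting. This is an added example, not code from the original post. It assumes a Fedora-style /etc/crypttab (`<name> UUID=<uuid> none [options]`), GNU coreutils, dracut with lsinitrd, and the keyfile path and length chosen at the top; the script name `add-keyfile.sh` is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes Fedora-style crypttab
# entries "<name> UUID=<uuid> none [opts]", GNU coreutils, dracut/lsinitrd.

KEYFILE="${KEYFILE:-/root/.keyfile}"
KEYBYTES=64   # assumption: 64 random bytes (the post uses 32)

# Create the keyfile with mode 0600 from the first byte (umask in a subshell),
# so there is never a window in which other users can read it.
make_keyfile() {
    kf="$1"
    if [ -e "$kf" ]; then
        echo "refusing to overwrite existing keyfile $kf" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/urandom of="$kf" bs="$KEYBYTES" count=1 2>/dev/null ) || return 1
    chmod 0600 "$kf"
}

# True if group and others have no permission bits on the file at all.
is_private_file() {
    go_bits=$(ls -ld "$1" | cut -c5-10)
    [ "$go_bits" = "------" ]
}

# Replace the key field ("none") with the keyfile path for ONE crypttab entry,
# identified by its mapping name. Unlike "sed s/none/.../g" this leaves
# comments, other entries and any other occurrence of the word "none" alone.
# Usage: crypttab_set_keyfile <crypttab> <mapping-name> <keyfile>
crypttab_set_keyfile() {
    tab="$1"; name="$2"; kf="$3"
    tmp="$tab.tmp.$$"
    awk -v name="$name" -v kf="$kf" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $1 == name && $3 == "none" { $3 = kf }
        { print }
    ' "$tab" > "$tmp" && mv "$tmp" "$tab"
}

# Full procedure for one or more LUKS devices (run as root, then reboot):
#   sh add-keyfile.sh /dev/sda4
#   sh add-keyfile.sh /dev/mapper/fedora-00 /dev/mapper/fedora-01
main() {
    set -e
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    initrd="/boot/initramfs-$(uname -r).img"
    [ -e "$KEYFILE" ] || make_keyfile "$KEYFILE"
    is_private_file "$KEYFILE" || { echo "$KEYFILE is readable by others" >&2; exit 1; }

    for dev in "$@"; do
        cryptsetup luksAddKey "$dev" "$KEYFILE"     # prompts for an existing passphrase
        # prove the new key slot really unlocks this device before relying on it
        cryptsetup open --test-passphrase --key-file "$KEYFILE" "$dev"
        # crypttab names the container by UUID; find the matching entry name
        uuid=$(cryptsetup luksUUID "$dev")
        name=$(awk -v u="UUID=$uuid" '$2 == u { print $1 }' /etc/crypttab)
        [ -n "$name" ] || { echo "no crypttab entry for $dev" >&2; exit 1; }
        crypttab_set_keyfile /etc/crypttab "$name" "$KEYFILE"
    done

    # embed the key in the initramfs, keep the image root-only, and confirm
    # the key is actually inside it before trusting the next boot
    dracut --force --install "$KEYFILE" "$initrd"
    chmod 0600 "$initrd"
    lsinitrd "$initrd" | grep -q "${KEYFILE#/}" || { echo "keyfile missing from $initrd" >&2; exit 1; }
    echo "done; reboot to test unattended unlock of: $*"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Two points the check functions make explicit: `cryptsetup open --test-passphrase` confirms the new key slot works without changing anything, so a typo in the key path is caught before a reboot that would otherwise fall back to the passphrase prompt; and the initramfs now contains a plaintext copy of the key, so it must stay root-only. Since /boot is not encrypted, anyone who can read that partition (including someone holding the physical disk) can extract the key from the initramfs, which is the trade-off the post accepts.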
