Encrypted VM
Jump to navigation
Jump to search
I've done this with a 5 dollar VPS that has VNC access and a recovery ISO boot option.
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
https://blog.kamens.us/2017/07/25/howto-converting-an-unencrypted-ubuntu-root-disk-to-encrypted/
This is a cleaned up version of my notes, you will need to really understand linux boot.
Basically:
- First you need to test ssh to the server, and VNC. Ensure you can boot the recovery. You'll need another server to bounce shit off of.
- I had a 25g partition as / on this. I need to resize this so I can move shit around.
How to resize it
Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: Device Start End Sectors Size Type /dev/vda1 2048 4095 2048 1M BIOS boot /dev/vda2 4096 50329087 50324992 24G Linux filesystem /dev/vda3 50329088 52426239 2097152 1G Linux swap
First boot to rescue
Then e2fsck -f /dev/vda2
rescue # e2fsck -f /dev/vda2 e2fsck 1.43.4 (31-Jan-2017) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information /dev/vda2: 161363/1572864 files (0.5% non-contiguous), 1070470/6290624 blocks
Then resize2fs /dev/vda2 10G
rescue # resize2fs /dev/vda2 10G resize2fs 1.43.4 (31-Jan-2017) Resizing the filesystem on /dev/vda2 to 2621440 (4k) blocks. The filesystem on /dev/vda2 is now 2621440 (4k) blocks long.
Now knowing that the disk is in 512 byte blocks we need to resize it to fit
(50329087-4096)*512/4096 = 6,290,623.875 or 6290624
2621440*4096 = 10,737,418,240 bytes
10,737,418,240/512 = 20,971,520 512k blocks
Add 4 more blocks to it
20,971,524 blocks is the new length
4096 + 20971524 = 20975616 last sector
rescue # fdisk /dev/vda
Welcome to fdisk (util-linux 2.29.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): p
Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier:
Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 50329087 50324992 24G Linux filesystem
/dev/vda3 50329088 52426239 2097152 1G Linux swap
Command (m for help): d
Partition number (1-3, default 3): 2
Partition 2 has been deleted.
Command (m for help): n
Partition number (2,4-128, default 2): 2
First sector (4096-52428766, default 4096): 4096
Last sector, +sectors or +size{K,M,G,T,P} (4096-50329087, default 50329087): 20975616
Created a new partition 2 of type 'Linux filesystem' and of size 10 GiB.
Partition #2 contains a ext4 signature.
Do you want to remove the signature? [Y]es/[N]o: n
Command (m for help): p
Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier:
Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 20975616 20971521 10G Linux filesystem
/dev/vda3 50329088 52426239 2097152 1G Linux swap
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
rescue # mount /dev/vda2 /mnt
rescue # cd /mnt
rescue # ls
bin dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old
boot etc initrd.img lib lost+found mnt proc run snap sys usr vmlinuz
rescue # df -h
Filesystem Size Used Avail Use% Mounted on
udev 110M 0 110M 0% /dev
tmpfs 25M 4.4M 20M 18% /run
/dev/vdb1 1.1G 660M 375M 64% /
tmpfs 121M 0 121M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 121M 0 121M 0% /sys/fs/cgroup
tmpfs 25M 0 25M 0% /run/user/0
/dev/vda2 9.8G 3.7G 5.7G 40% /mnt
**Delete the swap**
**Copy the file via ssh to backup host**
dd if=/dev/vda2 | gzip -1 - | ssh $host dd of=/home/vda2.img.gz
Ok, now we need to make a new partition layout
1 - efi 2 - boot 3 - swap 4 - root +20979713 (including extra space for LUKS) export PAGER='/bin/more’ rescue # fdisk /dev/vda Welcome to fdisk (util-linux 2.29.2). Changes will remain in memory only, until you decide to write them. Be careful before using the write command. Command (m for help): p Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: Device Start End Sectors Size Type /dev/vda1 2048 4095 2048 1M BIOS boot /dev/vda2 4096 4198399 4194304 2G Linux filesystem /dev/vda3 4198400 8392703 4194304 2G Plan 9 partition /dev/vda4 8392704 29364223 20971520 10G Linux filesystem Command (m for help): t Partition number (1-4, default 4): 3 Hex code (type L to list all codes): 19 Changed type of partition 'Plan 9 partition' to 'Linux swap'. Command (m for help): p Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: Device Start End Sectors Size Type /dev/vda1 2048 4095 2048 1M BIOS boot /dev/vda2 4096 4198399 4194304 2G Linux filesystem /dev/vda3 4198400 8392703 4194304 2G Linux swap /dev/vda4 8392704 29364223 20971520 10G Linux filesystem Command (m for help): w The partition table has been altered. Calling ioctl() to re-read partition table. Syncing disks. Add crypt setup to the rescue apt-get install cryptsetup
Now since we're on VNC, and it's unencrypted, use a temp passwd
rescue # cryptsetup luksFormat /dev/vda4 WARNING! ======== This will overwrite data on /dev/vda4 irrevocably. Are you sure? (Type uppercase yes): YES Enter passphrase: changeme Verify passphrase: changeme cryptsetup luksOpen /dev/vda4 rootencdev Enter passphrase for /dev/vda4: cryptsetup resize rootencdev
copy it all back to the server now
ssh $SERVER "dd if=vda2.img.gz " | gunzip -c | dd of=/dev/mapper/rootencdev status=progress apt-get install vim rsync
mnt/root/etc/crypttab
rootencdev /dev/vda4 none luks,discard
After this mount it
mkdir /mnt/root && mount /dev/mapper/rootencdev /mnt/root
make a fs on the new boot
rescue # mkfs.ext4 /dev/vda2 mv -T /mnt/root/boot /mnt/root/boot.orig mkdir /mnt/root/boot && mount /dev/vda2 /mnt/root/boot rsync -av /mnt/root/boot.orig/ /mnt/root/boot/ for dir in /sys /proc /dev; do mount --bind $dir /mnt/root$dir; done chroot /mnt/root /bin/bash sudo apt update sudo apt upgrade sudo apt install dropbear-initramfs cd /etc/dropbear-initramfs vim config DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s” RESCUE ip config on kernel cmdline : ip=$IPv4::$GW:$MASK::eth0:none #vim /etc/initramfs-tools/initramfs.conf IP=$IPv4::$GW:$MASK:$HOSTNAME sudo update-initramfs -u -v cp /root/.ssh/authorized_keys /etc/dropbear-initramfs/ update-initramfs -u -k all grub-install /dev/vda update-grub reboot
ssh in and unlock it.
ssh -p 2222 $IP cryptroot-unlock cryptsetup luksChangeKey /dev/vda4 Now add the crypto to the swap device vim /etc/crypttab # <target name> <source device> <key file> <options> rootencdev /dev/vda4 none luks,discard swap /dev/vda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256 root@$HOSTNAME:~# vim /etc/fstab /dev/mapper/swap swap swap defaults 0 0
