Instalirajte i postavite CentOS 7 za daljinsko otključavanje LVM-a na LUKS šifriranju diska pomoću SSH-a

Preduvjeti

Korak 1: Postavljanje okruženja

Korak 2: Pokrenite instalacijski program CentOS 7 Text Mode

Korak 3: Postavite LVM na LUKS Full Disk Encryption

Korak 4: Pokrenite instalacijski program CentOS 7 GUI Mode

Korak 5: Ažurirajte sustav

Korak 6: Instalirajte Dracut-Crypt-SSH

LUKS (Linux Unified Key Setup) jedan je od različitih formata za šifriranje diska dostupnih za Linux koji je agnostičan platformi. Ovaj vodič će vam pružiti root i swap particije unutar LVM (Linux Volume Manager) volumena koji se nalazi unutar šifrirane LUKS particije. Ovaj vodič vam također omogućuje daljinsko otključavanje LUKS particije pomoću pojednostavljenog demona SSH poslužitelja koristeći bilo koji kompatibilni SSH klijentski program.

Preduvjeti

• Instanca poslužitelja CentOS 7 x64 Minimal ISO Library.
• Korisnik sudoa .
• SSH javni ključ(i) .
• Dracut-Crypt-SSH .

Korak 1: Postavljanje okruženja

Na stranici Deploy Servers učinite sljedeće:

• Odaberite lokaciju poslužitelja u Server Locationodjeljku.
• Odaberite CentOS7ispod ISO Librarykartice Server Typeodjeljka.
• Odaberite hardverske specifikacije koje trebate u Server Sizeodjeljku.
• Kliknite Deploy Nowgumb.

Koristite View Consoleopciju za pristup VPS instanci putem noVNC konzole.

Korak 2: Pokrenite instalacijski program CentOS 7 Text Mode

Odaberite Install CentOS Linux 7opciju.

Pritisnite Tabtipku.

Unesite textnakon vmlinuz initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20\86_64 quiettako da izgleda ovako vmlinuz initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20\86_64 quiet texti pritisnite Entertipku.

VPS će se sada pokrenuti u tekstualnom modu za instalaciju CentOS-a. Vidjet ćete zaslon u noVNC konzoli kao što je prikazano na slici ispod.

Korak 3: Postavite LVM na LUKS Full Disk Encryption

Upotrijebite Alt + Right Arrow Keykombinaciju za navigaciju do TTY2 konzole za upisivanje naredbi u naredbeni redak.

Upišite sljedeće naredbe u nastavku kako biste stvorili particiju koja će sadržavati GRUB2 pokretački program, nešifriranu /bootparticiju i primarnu particiju koja će sadržavati LUKS particiju.

parted -a opt -s /dev/vda mklabel gpt
parted -s /dev/vda unit mb
parted -s /dev/vda mkpart primary 1 3
parted -s /dev/vda name 1 grub
parted -s /dev/vda set 1 bios_grub on
parted -s /dev/vda mkpart primary 3 259
parted -s /dev/vda name 2 boot
parted -s /dev/vda mkpart primary 259 100%
parted -s /dev/vda name 3 root

Upišite sljedeću naredbu za prikaz rasporeda particije.

parted -s /dev/vda print

Zatim popunite imenovanu rootfsparticiju pseudo-slučajnim podacima. Ovo će trajati nešto više od pola sata.

dd if=/dev/urandom of=/dev/vda3 bs=1M status=progress

Na CentOS-u 7 cryptsetupnaredbe koriste zadanu šifru od aes-xts-plain64, zadanu veličinu ključa od 256 bita i zadani hash SHA1. Umjesto toga, LUKS particija će biti kreirana sa sigurnijom Serpent šifrom, s veličinom ključa od 512 bita i s Whirlpool hashom.

cryptsetup luksFormat /dev/vda3 -c serpent-xts-plain64 -h whirlpool -s 512

Unesite odgovore, kada se od vas zatraži sljedeći upiti, a zatim pritisnite Entertipku:

• Jesi li siguran? (Upišite velika slova da):YES
• Unesite šifru: strong-password
• Potvrdite zaporku: strong-password

---

Izborno: sigurnosna kopija zaglavlja LUKS particije

Upozorenje Ovo će omogućiti root prijavu i kopiranje bez upita za lozinku. Ubijte ovaj SSH poslužitelj nakon što dohvatite /tmp/luks-header-backup.imgdatoteku.

Radi sigurnog čuvanja, spremite kopiju zaglavlja LUKS particije. To osigurava da ako je zaglavlje vaše LUKS particije na neki način oštećeno, može se vratiti. Ako je zaglavlje oštećeno bez ispravne sigurnosne kopije, vaši su podaci zauvijek izgubljeni.

cryptsetup luksHeaderBackup /dev/vda3 --header-backup-file /tmp/luks-header-backup.img

Za kopiranje /tmp/luks-header-backup.imgdatoteke s poslužitelja, SSH poslužitelj mora biti privremeno pokrenut, koristeći izvršnu datoteku sigurne kopije scpna klijentskom hostu, kako bi je dohvatio.

Upišite sljedeću naredbu u nastavku da biste generirali SSH host ključeve.

sshd-keygen

Upišite sljedeću naredbu u nastavku da biste stvorili /etc/ssh/sshd_configdatoteku.

cp /etc/ssh/sshd_config.anaconda /etc/ssh/sshd_config

Upišite sljedeću naredbu u nastavku da biste uredili /etc/ssh/sshd_configdatoteku.

vi /etc/ssh/sshd_config

Da biste uredili datoteku, pritisnite Inserttipku i koristite tipke sa strelicama za navigaciju do dijelova datoteke koje je potrebno urediti.

U prvom redu promijenite broj Port 22iz zadanog od 22u nasumični broj po svom izboru između 1025i 65535. (Primjer: port 25782)

Pomaknite se prema dolje do retka broj trinaest, pritisnite Endtipku i pritisnite Entertipku.

U sljedećem retku dodajte HostKey /etc/ssh/ssh_host_ed25519_keyi pritisnite Entertipku.

U sljedećem retku dodajte HostKey /etc/ssh/ssh_host_rsa_keyi pritisnite Entertipku.

Pritisnite Esctipku, upišite :wqi pritisnite Entertipku za spremanje datoteke.

Zadano mrežno sučelje eth0treba IP adresu. Upišite sljedeću naredbu u nastavku da eth0mrežnom sučelju dodijelite IP adresu navedenu za vašu instancu .

dhclient

Unesite sljedeću naredbu za prikaz dodijeljene IP adrese. IP adresa će biti navedena odmah nakon ineti prije netmask. (Primjer: inet 192.0.2.1mrežna maska)

ifconfig eth0

Upišite sljedeću naredbu za pokretanje SSH poslužitelja.

/usr/sbin/sshd

Ako koristite scpnaredbu iz naredbenog retka na klijentskom stroju, upotrijebite sljedeću naredbu u nastavku kao predložak za dohvaćanje /tmp/luks-header-backup.imgdatoteke. Zamijenite 25782stvarnim brojem porta dodijeljenim u /etc/ssh/sshd_config. Zamijenite 192.0.2.1stvarnom dodijeljenom IP adresom.

scp -P 25782 root@192.0.2.1:/tmp/luks-header-backup.img .

Nakon preuzimanja luks-header-backup.imgdatoteke, odmah ugasite SSH poslužitelj upisivanjem naredbe ispod u prozor konzole noVNC.

killall sshd

---

Otvorite LUKS particiju kako biste postavili LVM fizički volumen koji će se nalaziti unutra.

cryptsetup luksOpen /dev/vda3 centos

Unesite šifru kreiranu ranije da otvorite LUKS particiju kada se to od vas zatraži, a zatim pritisnite Entertipku.

Unesite šifru za /dev/vda3:strong-password

Upišite sljedeću naredbu u nastavku:

ls /dev/mapper

Ona će sadržavati sljedeće datoteke pod nazivom centos, control, live-basei live-rw. To centosje LUKS particija.

Upišite sljedeću naredbu u nastavku da biste stvorili LVM fizički volumen.

pvcreate /dev/mapper/centos

Kada bude uspješan, dobit ćete sljedeću poruku:

Physical volume "/dev/mapper/centos" successfully created

Upišite sljedeću naredbu u nastavku da biste stvorili LVM grupu volumena.

vgcreate ssd /dev/mapper/centos

Kada bude uspješan, dobit ćete sljedeću poruku:

Volume group "ssd" successfully created

Upišite sljedeću naredbu u nastavku da biste stvorili LVM logički volumen za swap particiju. Upotrijebite razumnu procjenu kako biste stvorili swap particiju, potrebne veličine (-L = veličina volumena), na temelju vaše VPS instance.

lvcreate -L 1G -n swap ssd

Kada bude uspješan, dobit ćete sljedeću poruku:

Logical volume "swap" created

Type the following command below to create a LVM logical volume for the root partition. This will use the remaining free space while reserving five percent (5%) to contain LVM snapshots of your logical volumes if you so choose.

lvcreate -l 95%FREE -n root ssd

When successful, you will receive the following message:

Logical volume "root" created

Display the LVM physical volume.

pvdisplay

You will see text in the noVNC console similar to what is pictured in the image below.

Display the LVM volume group.

vgdisplay

You will see text in the noVNC console similar to what is pictured in the image below.

Display the LVM logical volume(s).

lvdisplay

You will see text in the noVNC console similar to what is pictured in the image below.

Type the following command below to deactivate the LVM volume group. This must be completed in order to allow cryptsetup to close the LUKS partition in the next step.

vgchange -a n

When successful, you will receive the following message:

0 logical volume(s) in volume group "ssd" now active

Close the LUKS volume.

cryptsetup luksClose centos

Type the following command below:

ls /dev/mapper

It will contain the following files named control, live-base and live-rw. The centos file, containing the LUKS partition, will be missing to ensure that that it was closed properly.

Type reboot and press the Enter key to reboot.

Step 4: Start The CentOS 7 GUI Mode Installer

Select the Install CentOS Linux 7 option and press the Enter key.

The VPS will now boot into the GUI mode CentOS installer. You will see a screen in the noVNC console like pictured in the image below. Select Install CentOS 7 (1) and press the Enter key.

On the WELCOME TO CENTOS 7 screen, click the blue Continue button (1).

Attention If you're not using the default language of English and the locale of the United States, input your language in the search bar (1). Click on the language (2) and the appropriate locale (3) associated with it. When satisfied, click the blue Continue button (4).

On the INSTALLATION SUMMARY screen, click on INSTALLATION DESTINATION (Automatic partitioning selected) (1) under SYSTEM.

On the INSTALLATION DESTINATION screen, select the I will configure partitioning (1) option under Other Storage Options (Partitioning) and click the blue Done button (2) at the top left of the screen.

On the MANUAL PARTITIONING screen, click on the Unknown expandable accordion (1). It will reveal three partitions named BIOS Boot (vda1), Unknown (vda2) and Encrypted (LUKS) (vda3).

With the BIOS Boot partition highlighted in blue (1), select the checkbox option of Reformat (2) next to the File System: accordion and click the Update Settings button (3).

Click on the Unknown partition (1) so that it is highlighted in blue. Select the checkbox option of Reformat (2) next to the File System: accordion. Select ext2 in the File System: accordion (3), enter /boot in the text field (4) under Mount Point:, enter boot in the text field (5) under Label: and click the Update Settings button (6).

Click on the Encrypted (LUKS) partition (1) so that it is highlighted in blue. Enter the passphrase you created for LUKS partition in Step 3: Setup LVM On LUKS Full Disk Encryption in the Passphrase: text field (2) and click the Unlock button (3).

A new Unknown expandable accordion (1) will appear. It will reveal two partitions named Unknown (ssd-root) and Unknown (ssd-swap).

With the Unknown (ssd-root) partition (1) highlighted in blue, select the checkbox option of Reformat (2) next to the File System: accordion. Select xfs in the File System: accordion (3), enter / in the text field (4) under Mount Point:, enter root in the text field (5) under Label: and click the Update Settings button (6).

Click on the Unknown (ssd-swap) (1) partition so that it is highlighted in blue. Select the checkbox option of Reformat (2) next to the File System: accordion. Select swap in the File System: accordion (3), enter swap in the text field (4) under Label: and click the Update Settings button (5).

Click the blue Done button (1) at the top left of the screen.

A box named SUMMARY OF CHANGES will pop up. Click the Accept Changes button (1). This will bring you back to the WELCOME TO CENTOS 7 screen.

Click on NETWORK & HOST NAME (Not connected) (1) under SYSTEM.

On the NETWORK & HOST NAME screen, move the slider (1), next to the right of Ethernet(eth0) field, from the OFF position to the ON position. If you want to use a custom hostname instead of the default (192.0.2.1.vultr.com) in the Host name: text box (2), change it. Click the blue Done button (3) at the top left of the screen. This will bring you back to the WELCOME TO CENTOS 7 screen.

When you are satisfied with the options on the WELCOME TO CENTOS 7 screen, click the blue Begin Installation button (1).

On the CONFIGURATION screen, click on ROOT PASSWORD (Root password is not set) (1) under USER SETTINGS.

On the ROOT PASSWORD screen, enter a strong password in both the Root Password: (1) and Confirm: (2) text fields. Click the blue Done button (3) at the top left of the screen. This will bring you back to the CONFIGURATION screen.

On the CONFIGURATION screen, click on USER CREATION (No user will be created) (1) under USER SETTINGS.

On the CREATE USER screen, enter your full name in the Full name text field (1), an username in the User name text field (2), a strong password in both the Password (3) and Confirm password (4) text fields. Click on the Advanced... button (5).

A box named ADVANCED USER CONFIGURATION will pop up. In the Add user to the following groups: text field (1) under Group Membership, enter wheel and click the Save Changes button (2).

Click the blue Done button (1) at the top left of the screen.

The post-installation process will now commence. It will take a few minutes to complete. When it is finished, click on the blue Reboot button (1) to reboot your VPS instance.

Navigate back to the VULTR Server Management Screen. Click on the Settings link at the top. Click on Custom ISO on the menu on the left side. On the Custom ISO page, click on the Remove ISO button to unmount the ISO and reboot into your CentOS 7 VPS instance. Click the OK button when prompted and the VPS instance will reboot.

Navigate back to the View Console window to access the VPS instance via the noVNC console. Refresh the window if noVNC has disconnected.

You will be prompted to enter the passphrase (Example: Please enter passphrase for disk primary (luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)!:) you created for LUKS partition in Step 3: Setup LVM On LUKS Full Disk Encryption. Enter the passphrase and press the Enter key.

You will then be presented with the console login prompt. You can now close the noVNC console window.

Step 5: Update The System

Log in via SSH with a regular user and update the system as follows.

sudo yum install epel-release -y
sudo yum clean all && sudo yum update -y

Step 6: Install Dracut-Crypt-SSH

While still logged in as a regular user, type the following commands below to install dracut-crypt-ssh.

sudo yum install wget -y
sudo wget -O /etc/yum.repos.d/rbu-dracut-crypt-ssh-epel-7.repo https://copr.fedorainfracloud.org/coprs/rbu/dracut-crypt-ssh/repo/epel-7/rbu-dracut-crypt-ssh-epel-7.repo
sudo yum install dracut-crypt-ssh -y

Type the following command below to install the nano editor to ease editing of files.

sudo yum install nano -y

You will need to edit the default grub file located in /etc/default/grub.

sudo nano /etc/default/grub

Insert rd.neednet=1 ip=dhcp between GRUB_CMDLINE_LINUX="crashkernel=auto and rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

Save the file by entering the following keyboard combinations. Press the Ctrl + x keys, press the y key and press the Enter key.

Regenerate you GRUB configuration file by type the command below.

sudo grub2-mkconfig -o /etc/grub2.cfg 

Backup the original /etc/dracut.conf.d/crypt-ssh.conf by typing the following command below.

sudo mv /etc/dracut.conf.d/crypt-ssh.conf /etc/dracut.conf.d/crypt-ssh.conf.orig

Create a new /etc/dracut.conf.d/crypt-ssh.conf file by typing the following command below.

sudo nano /etc/dracut.conf.d/crypt-ssh.conf

Copy and paste the following text below into the nano editor.

dropbear_acl="/etc/dropbear/keys/authorized_keys"
dropbear_ecdsa_key="/etc/dropbear/keys/ssh_ecdsa_key"
dropbear_rsa_key="/etc/dropbear/keys/ssh_rsa_key"

Create the directory keys under /etc/dropbear/, with the necessary directory permissions, that will hold the authorized_keys, ssh_ecdsa_key and ssh_rsa_key files.

sudo mkdir /etc/dropbear/keys/; sudo chmod /etc/dropbear/keys/

Generate the ssh_ecdsa_key and ssh_rsa_key files with the ssh_keygen program by typing the following commands below. Press the Enter key twice, for each command, when prompted for passphrases.

sudo ssh-keygen -t ecdsa -f /etc/dropbear/keys/ssh_ecdsa_key
sudo ssh-keygen -t rsa -f /etc/dropbear/keys/ssh_rsa_key

Change the file permissions on ssh_ecdsa_key, ssh_ecdsa_key.pub, ssh_rsa_key and ssh_rsa_key.pub by typing the command below.

sudo chmod 400 /etc/dropbear/keys/*_key; sudo chmod 444 /etc/dropbear/keys/*.pub

Generate public keys using the How Do I Generate SSH Keys? tutorial, found at the beginning of the tutorial under Prerequisites, for your prospective client operating system.

Copy and paste all the text in the public key into the /etc/dropbear/keys/authorized_keys file using the nano program by typing the command below.

sudo nano /etc/dropbear/keys/authorized_keys

You must first build the initramfs and any subsequent update of the dracut-crypt-ssh configuration. Type the following command below for the initial build of the initramfs.

sudo dracut -f

Once that's complete, your CentOS 7 install is set up to listen for your SSH client to connect and allow you to unlock the LUKS partition using your passphrase. You may now reboot your CentOS 7 instance by typing the command below.

sudo reboot

Na vašim klijentskim sustavima pogledajte odjeljke 3.3. Unlocking the volumes interactivelyi 3.4. Unlocking using theotključajte commandstranicu Dracut-Crypt-SSH GitHub kako biste prisilili upit za lozinku ili upotrijebili unlocknaredbu za otvaranje LUKS particije sa vašeg SSH klijenta.