The project is now hosted on GitHub, see gheja/early-ssh.

Example initialization script with mdadm and LUKS encrypted partitions

Here is a real-life example of what I use on one of my servers. The setup consisted roughly of the following steps:

  1. First of all, I installed Debian with mdadm RAID-1 arrays, and on top of the arrays I created LUKS encrypted partitions.
  2. I installed and configured early-ssh.
  3. Then I created a key file for each partition and added it to the second keyslot (later I dropped the first (passphrase) keyslot to have the keyfile only).
  4. I copied the keys to a pendrive and an external backup HDD (both LUKS encrypted, of course :).
  5. I created the following script to initialize the things needed for the boot:
    #!/bin/sh
    
    # load the RAID-1 module for mdadm
    modprobe raid1
    
    # create the md special devices
    for i in 0 1 2 3; do mknod /dev/md${i} b 9 ${i}; done
    
    # scan for all mdadm arrays (can be good if you forget to update your initramfs)
    mdadm --examine --scan > /tmp/mdadm.conf
    
    # assemble the RAID-1 arrays
    mdadm --assemble --scan --config /tmp/mdadm.conf
    
    # load the dm-crypt module for LUKS
    modprobe dm-crypt
    
    # do the LUKS openings (md0 is the /boot, so it is not encrypted!)
    for i in 1 2 3; do cryptsetup --key-file /tmp/zaphod-md${i}.key luksOpen /dev/md${i} md${i}_crypt; done

After this, all I need to do is SCP the keys and the script to the server at boot time, run the script, and be happy.
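A stricter version of the initialization script, written here as an added example (it is not part of early-ssh and not the script used on the server above): it verifies every keyfile before touching a device, stops at the first failing step so no array is left half-unlocked, and overwrites the keyfiles once the volumes are open. The device and keyfile names follow the page (md0 is the unencrypted /boot, md1 to md3 carry LUKS, the keys are /tmp/zaphod-mdN.key and 256 bytes long, as the scp listing below shows); KEYDIR, KEYPREFIX, ENCRYPTED_MDS, make_keyfile, check_keyfile, wipe_keyfile and unlock_all are names chosen for this example. The unlock itself only runs when the script is invoked with the argument unlock.

```shell
#!/bin/sh
# Added example, not the early-ssh project's script: a checked variant of the
# init script above. Assumed layout (from the page): /dev/md0 is the plain /boot,
# /dev/md1..md3 are LUKS devices, keyfiles are /tmp/zaphod-mdN.key, 256 bytes each.
set -u

KEYDIR="${KEYDIR:-/tmp}"
KEYPREFIX="${KEYPREFIX:-zaphod-md}"
KEYSIZE=256
ENCRYPTED_MDS="${ENCRYPTED_MDS:-1 2 3}"

# make_keyfile PATH: create a fresh random keyfile of KEYSIZE bytes, readable
# only by its owner. This is the step-3 key creation; enrol the file with
# "cryptsetup luksAddKey DEVICE PATH" before relying on it.
make_keyfile() {
    ( umask 077; dd if=/dev/urandom of="$1" bs="$KEYSIZE" count=1 2>/dev/null )
}

# check_keyfile PATH: succeed only if the file exists, has exactly KEYSIZE bytes
# and is not readable by group or others. A truncated scp or a forgotten chmod
# is caught here, before cryptsetup ever sees the key.
# (stat -c %a assumes a GNU or BusyBox stat.)
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing keyfile: $f" >&2; return 1; }
    size=$(wc -c < "$f")
    [ "$size" -eq "$KEYSIZE" ] || { echo "$f: $size bytes, expected $KEYSIZE" >&2; return 1; }
    mode=$(stat -c %a "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# wipe_keyfile PATH: overwrite with random bytes, then remove. The initramfs
# /tmp lives in RAM, but the key should not outlive the unlock anyway.
wipe_keyfile() {
    f="$1"
    [ -f "$f" ] || return 0
    dd if=/dev/urandom of="$f" bs="$KEYSIZE" count=1 conv=notrunc 2>/dev/null
    rm -f "$f"
}

# unlock_all: the same sequence as the original script, with a check after
# every step. Needs root and the real devices, so the test below does not call it.
unlock_all() {
    # refuse to start if any keyfile is wrong, so nothing is left half-unlocked
    for i in $ENCRYPTED_MDS; do
        check_keyfile "$KEYDIR/$KEYPREFIX$i.key" || return 1
    done

    # load the RAID-1 module and create the md device nodes (only if missing)
    modprobe raid1 || return 1
    for i in 0 $ENCRYPTED_MDS; do
        [ -b "/dev/md$i" ] || mknod "/dev/md$i" b 9 "$i" || return 1
    done

    # scan for and assemble the arrays, exactly as the original script does
    mdadm --examine --scan > /tmp/mdadm.conf || return 1
    mdadm --assemble --scan --config /tmp/mdadm.conf || return 1

    # open the LUKS volumes; md0 is /boot and stays untouched
    modprobe dm-crypt || return 1
    for i in $ENCRYPTED_MDS; do
        key="$KEYDIR/$KEYPREFIX$i.key"
        # make sure the array really came up before handing it the key
        cryptsetup isLuks "/dev/md$i" || { echo "/dev/md$i is not a LUKS device" >&2; return 1; }
        cryptsetup --key-file "$key" luksOpen "/dev/md$i" "md${i}_crypt" || return 1
        wipe_keyfile "$key"
    done
}

# Run the unlock only when asked for explicitly:  sh zaphod-init.sh unlock
if [ "${1:-}" = "unlock" ]; then
    unlock_all
fi
```

Running the script without an argument only defines the functions, so it can be sourced to create keyfiles with make_keyfile on the workstation; at boot time it is invoked as "sh /tmp/zaphod-init.sh unlock" from the early-ssh shell, and a non-zero exit status means something was wrong before the keys were wiped, so they can still be inspected or re-copied.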

This is the whole process from a somewhat more practical point of view:

mobilem00:/mnt/pendrive# scp zaphod-init/* root@xxx.xxx.xxx.xxx:/tmp
root@xxx.xxx.xxx.xxx's password:
zaphod-init.sh                                 100%  338     0.3KB/s   00:00
zaphod-md1.key                                 100%  256     0.3KB/s   00:00
zaphod-md2.key                                 100%  256     0.3KB/s   00:00
zaphod-md3.key                                 100%  256     0.3KB/s   00:00

mobilem00:/mnt/pendrive# ssh root@xxx.xxx.xxx.xxx
root@xxx.xxx.xxx.xxx's password:

Welcome to early-ssh!

After you have finished everything, run the following to continue booting:
  finished


Please send your comments and bugreports to <xxx@xxx.xx>


BusyBox v1.1.3 (Debian 1:1.1.3-4) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # chmod 700 /tmp/zaphod-init.sh

~ # /tmp/zaphod-init.sh
mdadm: /dev/md0 has been started with 2 drives.
mdadm: /dev/md1 has been started with 2 drives.
mdadm: /dev/md2 has been started with 2 drives.
mdadm: /dev/md3 has been started with 2 drives.
key slot 0 unlocked.
Command successful.
key slot 0 unlocked.
Command successful.
key slot 0 unlocked.
Command successful.

~ # finished
Your session will be now terminated and the boot will be continued. Bye!

Connection to xxx.xxx.xxx.xxx closed by remote host.
Connection to xxx.xxx.xxx.xxx closed.

And that's all: I have a completely encrypted server (except /boot, of course), which can be unlocked remotely with keyfiles.


Contact

If you have any questions, suggestions, bug reports or comments, please feel free to contact me.
