Disk encryption in a Linux environment is a common setup and is easily done as demonstrated by this tutorial, for example. However the easy part vanishes quickly if you don’t want to keep the encryption key on the same machine and if you don’t want to enter the key manually on each server reboot.
How do we auto-mount (unattended boot) an encrypted disk but protect the data if the server gets stolen physically? One possible solution is to store the encryption key in a remote network location and fetch it ephemerally (if you are still allowed to) when the server starts. Cloudflare did this for their servers in Russia due to the military conflict.
A custom script to fetch the encryption key, use it and then discard it sounds like a good approach. Such a script is broadly called a “keyscript”. But this is not supported by systemd in the standard “/etc/crypttab” file which describes the encrypted block devices that are set up during system boot. Luckily, there is another way to get this done by using the following feature of “/etc/crypttab”:
If the specified key file path refers to an AF_UNIX stream socket in the file system, the key is acquired by connecting to the socket and reading it from the connection. This allows the implementation of a service to provide key information dynamically, at the moment when it is needed.
With “systemd” you can easily build a service which responds to Unix sockets (or any other socket type as described in the man page). The socket is controlled and supervised by “systemd” and the mechanism is called “socket-based activation”. You have the option to execute a new process for each socket request, or a single program can process all requests. In this case I’m using the first approach because it’s very simple to implement and because the load on this service is negligible.
Here is how the socket service definition looks like. It’s stored in a file named “/etc/systemd/system/fetch-luks-key-volume1.socket”:
[Unit] Description=Socket activator for service "fetch-luks-key-volume1" After=local-fs.target # recommended by "man systemd.socket" CollectMode=inactive-or-failed [Socket] ListenStream=/run/luks-key-volume1.sock SocketUser=root SocketGroup=root SocketMode=0600 RemoveOnStop=true # execute a new Service process for each request Accept=yes [Install] WantedBy=sockets.target
A typical “systemd” service unit needs to be configured with the same name as the socket service. This is where the custom logic to fetch the key is executed. Because “systemd” feeds additional meta data to the service unit, its name must be suffixed with “@”. The whole file name is “/etc/systemd/system/fetch-luks-key-volume1@.service” and contains the following code:
[Unit] Description=Remotely fetch LUKS key for "volume1" After=network-online.target Wants=network-online.target [Service] Type=simple RuntimeMaxSec=10 ExecStart=curl --max-time 5 -sS https://my-restricted.secure/key.location StandardOutput=socket StandardError=journal # ignore the LUKS request packet which specifies the volume (man crypttab) StandardInput=null
The new files are activated in “systemd” in the following way:
systemctl daemon-reload systemctl enable fetch-luks-key-volume1.socket systemctl start fetch-luks-key-volume1.socket
There is no need to enable the “service” unit because it’s activated by the socket when needed and is then immediately terminated upon completion.
Here is a command-line test of the new system:
# ls -la /run/luks-key-volume1.sock srw------- 1 root root 0 Mar 4 18:09 /run/luks-key-volume1.sock # nc -U /run/luks-key-volume1.sock|md5sum 4f7bac5cf51037495e323e338100ad46 - # journalctl -n 100 Mar 04 18:09:38 home-server systemd: Reloading. Mar 04 18:09:45 home-server systemd: Starting Socket activator for service "fetch-luks-key-volume1"... Mar 04 18:09:45 home-server systemd: Listening on Socket activator for service "fetch-luks-key-volume1". Mar 04 18:10:05 home-server systemd: Started Remotely fetch LUKS key for "volume1" (PID 2371/UID 0). Mar 04 18:10:05 home-server systemd: firstname.lastname@example.org: Deactivated successfully.
You can use the newly created Unix socket in “/etc/crypttab” like this:
# <target name> <source device> <key file> <options> backup-decrypted /dev/vg0/backup-encrypted /run/luks-key-volume1.sock luks,headless=true,nofail,keyfile-timeout=10,_netdev
Disclaimer: This “always on” remote key protection works only if you can disable the remote key quickly enough. If someone breaks into your home and steals your NAS server, you probably have more than enough time to disable the remote key which is accessible only by the remote IP address of your home network. But if you are targeted by highly skilled hackers who can physically breach into your server, then they could boot your Linux server into rescue mode (or read the hard disk physically) while they are still on your premises, find the URL where you keep your remote key and then fetch the key to use it later to decrypt what they managed to steal physically. The Mandos system tries to narrow the attack surface by facilitating keep-alive checks and auto-locking of the key server.
If your hardware supports UEFI Secure Boot and TPM 2.0, you can greatly improve the security of your encryption keys and encrypted data. Generally speaking, UEFI Secure Boot will ensure a fully verified boot chain (boot loader, initrd, running kernel). Only a verified system boot state can request the encryption keys from the TPM hardware device. This verified system boot state is something which you control and you can disable the Linux “rescue mode” or other ways of getting to the root file-system without supplying a password. Here are two articles (1, 2) where this is further discussed.
Last but not least, if a highly-skilled attacker has enough time and physical access to your hardware, they can perform many different Evil maid attacks, install hardware backdoors on your keyboard, for example, or even read the encryption keys directly from your running RAM. Additionally, a system could also be compromised via the network, by various social engineering attacks, etc. You need to assess the likelihood of each attack against your data and decide which defense strategy is practical.
Update: This setup failed to boot after a regular OS upgrade. Probably due to incorrect ordering of the services. I didn’t have enough time to debug it and therefore created the file “/root/mount-home-backup” which does the mount manually:
#!/bin/bash set -u echo "Executing mount-home-backup" set -x systemctl start systemd-cryptsetup@backup\\x2ddecrypted.service mount /home/backup
The I marked all definitions in “/etc/crypttab” and “/etc/fstab” with the option “noauto” which tells the system scripts to not try to mount the file systems at boot.
Finally I created the following service in “/etc/systemd/system/mount-home-backup.service”:
[Unit] Description=Late mount for /home/backup After=network-online.target fetch-luks-key-volume1.socket [Service] Type=oneshot RemainAfterExit=yes StandardOutput=journal StandardError=journal ExecStart=/root/mount-home-backup [Install] WantedBy=multi-user.target
This new service needs to be activated, too:
systemctl daemon-reload systemctl enable mount-home-backup.service