In the previous post I described how to encrypt the root partition. The partitions are encrypted with a LUKS passphrase. A passphrase is usually much easier to guess or find out than a randomly generated key, and a key can be carried with us on a USB flash drive. But if the flash drive gets stolen, the thief has full access to our data. That is where GPG comes in: we will encrypt the keys with a passphrase, so an attacker needs both the stick and the passphrase.
This tutorial continues exactly where the previous one stopped, so we are in a LiveCD environment with our root partition mounted at /mnt/gentoo. For the purpose of this tutorial I will assume the USB stick is /dev/sdh1. So let's mount it:
# mkdir /mnt/usb
# mount /dev/sdh1 /mnt/usb
Chroot script for debugging purposes
At this point we should set up something that gets us back into a persistent environment. If something goes wrong and we need to reboot into the LiveCD again, we would otherwise have to re-emerge everything we need to fix the problem. Since we already have our installation in /mnt/gentoo, we can chroot into it and do the work in the installed environment. So put the following into /mnt/usb/chrootenv:
#!/bin/sh
# Stop at the first failure (e.g. a wrong passphrase) instead of mounting nothing
set -e
# Unlock the LUKS container holding the LVM volume group, activate it and mount root
cryptsetup luksOpen /dev/sda vault
lvm lvchange -a y vg
mount /dev/mapper/vg-root /mnt/gentoo
# Unlock and mount the separately encrypted home partition
cryptsetup luksOpen /dev/sdb crypted-home
mount /dev/mapper/crypted-home /mnt/gentoo/home
# Give the chroot the LiveCD's DNS configuration and the usual pseudo filesystems
cp -L /etc/resolv.conf /mnt/gentoo/etc/
mount -t proc none /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash
Make it executable, of course (chmod +x /mnt/usb/chrootenv). If we need to get back into the chrooted environment from the LiveCD later, we just have to run the following:
# mkdir /mnt/usb
# mount /dev/sdh1 /mnt/usb
# /mnt/usb/chrootenv
Creating the keys
We will create two keys here, one for the root and one for the home partition. The existing home partition is already encrypted, but only with a passphrase; we want GPG-encrypted keys for it as well.
# emerge -av sharutils
# emerge -av "=app-crypt/gnupg-1.4.*"
# mkdir /mnt/usb/keys
# head -c 1K /dev/random | uuencode -m - | head -n 2 | tail -n 1 | gpg --symmetric -a > /mnt/usb/keys/rootkey.gpg
# head -c 1K /dev/random | uuencode -m - | head -n 2 | tail -n 1 | gpg --symmetric -a > /mnt/usb/keys/homekey.gpg
sharutils provides uuencode. The pipeline reads 1 KiB from /dev/random (which can block until enough entropy is available), base64-encodes it with uuencode -m, and keeps only the first line of encoded data (the very first line printed is the begin header). gpg --symmetric then encrypts that line with a passphrase, and -a writes ASCII-armored output so the key file is plain text. Note that tail leaves a trailing newline on the key.
We can add the keys to the corresponding disks/partitions using cryptsetup luksAddKey. Keep the old passphrases in place for now; they can be removed later with cryptsetup luksRemoveKey once everything works. Getting gpg to work in the early boot stage is going to cause problems, so being able to unlock the disks with a simple passphrase in the meantime is a good idea. Whichever way you feed the key to cryptsetup, be consistent: a passphrase read from stdin or the terminal is terminated by a newline that is stripped, while a key file (including --key-file=-) is used byte for byte, trailing newline included. A key that was added from a file must therefore also be supplied with --key-file=- when opening, or the slot will not match.
Decrypting volumes using GPG encrypted keys
# gpg --decrypt <keyfile.gpg> 2> /dev/null | cryptsetup luksOpen /dev/<device> <name>
Here <name> is the device-mapper name that will appear as /dev/mapper/<name>, not a mount point; the volume still has to be mounted afterwards. Redirecting gpg's stderr to /dev/null keeps its chatter out of the way but also hides a wrong passphrase, so drop the redirect while debugging.
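The whole key life cycle from the two sections above (generating and GPG-wrapping a key, adding it to a LUKS key slot, verifying it, and opening the volume) as one script. This is an added example and not part of the original post: it assumes cryptsetup and gpg are on PATH, that the luks* actions run as root, and that /dev/shm is a tmpfs so the unwrapped key never touches the disk; the script name, the function names and the 48-byte key length are my own choices. Unlike the one-liners above it keeps the key free of newlines and always hands it to cryptsetup with --key-file=-, so luksAddKey and luksOpen are guaranteed to see identical bytes.

```shell
#!/bin/sh
# Added example, not from the original post: generate, GPG-wrap, enroll,
# verify and use a LUKS key file. Assumes cryptsetup and gpg on PATH, root
# for the luks* actions, and a tmpfs at /dev/shm (hypothetical choices).
set -eu

KEY_BYTES=48   # 48 random bytes -> exactly 64 base64 characters, no padding

# Emit the key as one base64 line with NO trailing newline. cryptsetup uses a
# key file byte for byte, so a stray newline would become part of the key.
gen_key() {
    head -c "$KEY_BYTES" /dev/urandom | base64 | tr -d '\n'
}

# Sanity check: exactly the expected length and only base64 characters.
key_ok() {
    k=$1
    [ "${#k}" -eq $(( KEY_BYTES * 4 / 3 )) ] || return 1
    [ -z "$(printf '%s' "$k" | tr -d 'A-Za-z0-9+/=')" ] || return 1
}

# Wrap the key from stdin with a passphrase-protected GPG layer (gpg prompts).
wrap_key() {
    umask 077
    gpg --symmetric --armor --cipher-algo AES256 --output "$1"
}

# Unwrap a key file to stdout; gpg prompts for the wrapping passphrase.
unwrap_key() {
    gpg --quiet --decrypt "$1"
}

# Enroll the unwrapped key in a free key slot. cryptsetup asks for an existing
# passphrase and reads the new key from the file argument exactly as stored.
luks_add_gpg_key() {
    dev=$1 keyfile=$2
    tmp=$(mktemp /dev/shm/luks-key.XXXXXX)
    trap 'shred -u "$tmp" 2>/dev/null || rm -f "$tmp"' EXIT
    unwrap_key "$keyfile" > "$tmp"
    cryptsetup luksAddKey "$dev" "$tmp"
}

# Confirm the wrapped key opens the device, without creating a mapping.
luks_check_gpg_key() {
    unwrap_key "$2" | cryptsetup --key-file=- luksOpen --test-passphrase "$1"
}

# Open DEVICE as /dev/mapper/NAME. --key-file=- makes cryptsetup read stdin
# as a key file (all bytes), not as a newline-terminated passphrase.
luks_open_gpg_key() {
    unwrap_key "$3" | cryptsetup --key-file=- luksOpen "$1" "$2"
}

usage() {
    cat >&2 <<EOF
usage: $0 gen   KEYFILE.gpg
       $0 add   DEVICE KEYFILE.gpg
       $0 check DEVICE KEYFILE.gpg
       $0 open  DEVICE NAME KEYFILE.gpg
EOF
}

case "${1:-}" in
    gen)   gen_key | wrap_key "${2:?KEYFILE.gpg}" ;;
    add)   luks_add_gpg_key "${2:?DEVICE}" "${3:?KEYFILE.gpg}" ;;
    check) luks_check_gpg_key "${2:?DEVICE}" "${3:?KEYFILE.gpg}" ;;
    open)  luks_open_gpg_key "${2:?DEVICE}" "${3:?NAME}" "${4:?KEYFILE.gpg}" ;;
    *)     usage ;;
esac
```

Typical use is `./luks-gpg-key.sh gen /mnt/usb/keys/rootkey.gpg`, then `./luks-gpg-key.sh add /dev/sda /mnt/usb/keys/rootkey.gpg` (you are asked for the existing LUKS passphrase and for the GPG passphrase), `check` to confirm the new slot unlocks the device without mapping anything, and finally `open /dev/sda vault /mnt/usb/keys/rootkey.gpg` to use it. Only after `check` succeeds should the old passphrase slot be removed.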
That's it for this part, folks.
I used the following sources for this post, so if you need more detailed information, check them out.