Calculate Access: working with encrypted volumes
Updated 30 May 2022
Calculate Access is a toolkit for working with encrypted disks, with support for storing the encryption key and the partition headers on a remote server. What is more, the mounting script is also stored on the remote server. Anyone without access to the key server has no information about how the disk partitions are used.
Creating an encrypted partition
Create the /root/cryptdata directory and prepare the header file for the encrypted partition and the encryption key:
mkdir /root/cryptdata
cd /root/cryptdata
1+0 records received 1+0 records sent 2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00229696 s, 913 MB/s
1+0 records received 1+0 records sent 2048 bytes (2.0 kB, 2.0 KiB) copied, 0.00050282 s, 4.1 MB/s
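The commands that produced the two dd outputs above are not on the page; the following is an added example, not the wiki's own text, which reconstructs that preparation step under the assumption (from the byte counts shown) that the header placeholder is 2 MiB of zeros and the key is 2048 random bytes. It also applies the permissions a practitioner wants on key material from the moment the files exist, and provides a check function that confirms sizes and modes before the files are used.

```shell
#!/bin/sh
# Added example (not from the Calculate wiki): prepare the detached-header
# placeholder and the key file with owner-only permissions. Sizes are assumed
# from the dd output on the page: 2 MiB header, 2048-byte random key.
set -eu

# prepare_cryptdata DIR
# Creates DIR (mode 700) holding a 2 MiB zero-filled 'header' and a 2048-byte
# random 'key', both mode 600, so the key is never world-readable.
prepare_cryptdata() {
    dir=$1
    umask 077                      # new files are owner-only from the start
    mkdir -p "$dir"
    chmod 700 "$dir"
    dd if=/dev/zero    of="$dir/header" bs=2M   count=1 2>/dev/null
    dd if=/dev/urandom of="$dir/key"    bs=2048 count=1 2>/dev/null
    chmod 600 "$dir/header" "$dir/key"
}

# check_cryptdata DIR
# Returns 0 when both files exist with the expected sizes and mode 600;
# reports each problem and returns 1 otherwise.
check_cryptdata() {
    dir=$1
    ok=0
    for f in header key; do
        if [ ! -f "$dir/$f" ]; then
            echo "$f: missing"; ok=1; continue
        fi
        mode=$(stat -c %a "$dir/$f")
        [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600"; ok=1; }
    done
    [ -f "$dir/header" ] && [ "$(wc -c < "$dir/header")" -eq 2097152 ] \
        || { echo "header: expected 2097152 bytes"; ok=1; }
    [ -f "$dir/key" ] && [ "$(wc -c < "$dir/key")" -eq 2048 ] \
        || { echo "key: expected 2048 bytes"; ok=1; }
    return $ok
}

# Usage (path is the one the page uses):
#   prepare_cryptdata /root/cryptdata && check_cryptdata /root/cryptdata
```

Run the check again after luksFormat has written the real header into the file: the size and mode requirements are the same, and a mode that has drifted to 644 is the first thing to catch before the directory is copied anywhere.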
Add encryption:
WARNING!
========
This will overwrite data on /root/cryptdata/header irrevocably.
Are you sure? (Type uppercase yes): YES
Replace /dev/sda5 with the partition to be encrypted. Confirm by typing YES in capitals.
Mount the encrypted partition:
cryptsetup --header header -d key luksOpen /dev/sda5 sda5_crypt
Replace sda5_crypt and /dev/sda5 with your partitions.
Format the partition:
mkfs.btrfs /dev/mapper/sda5_crypt
Key server setup
For the initial configuration of the key server, install the sys-apps/calculate-access package with the server USE flag enabled:
echo "sys-apps/calculate-access server" >> /etc/portage/package.use/custom
emerge -a calculate-access
Now initialize the service:
Access configured successful in /var/calculate/access!
Mounting the encrypted partition with the key server
Install sys-apps/calculate-access on the system hosting the encrypted partition.
emerge -a calculate-access
Generate an ssh key to connect to the key server:
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/lib/calculate/access_key.
Your public key has been saved in /var/lib/calculate/access_key.pub.
The key fingerprint is:
SHA256:XFT3YqCScoAFeLmnzpfDO5BWSKiRQAKOcDkSHFBitT0 root@calculate
The key's randomart image is:
+---[RSA 2048]----+
|#B==.=o ..o . |
|X+= B . o . o . |
|.= = E. + o o .|
|. o ++ o . . |
| = S |
| = |
| + o . |
| o * |
| ..+ |
+----[SHA256]-----+
Important
Do not set a passphrase for the private key, otherwise you will not be able to connect to the service automatically.
Edit connection settings for the key storage server:
/etc/conf.d/access
ACCESSHOST="access.example.org"
Replace access.example.org with your SSH server name. If you specify multiple key servers, Access will contact them in turn, in the order listed.
Add the public key for the server:
access | Permanently added 'access.verevo.calculate.ru,10.3.0.4' (ECDSA) to the list of known hosts.
Move the partition header key (/root/cryptdata/header), the encryption key (/root/cryptdata/key) and the public key (/var/lib/calculate/access_key.pub) to the key server:
Password:
header      100% 2048KB  60.1MB/s   2.0MB/s   00:00
key         100% 2048     3.3MB/s   2.0MB/s   00:00
access_key  100% 1675     2.4MB/s   2.0MB/s   00:00
Replace access.example.org with your SSH server name.
Add the encrypted partition data to the key server:
* All OK!
Replace client1 with the name of the server hosting the encrypted partition. To view the PARTUUID of the volume, run the following on the client system:
/dev/sda5: PARTUUID="da958374-f891-4280-8c15-6e20b6cdd8f7"
Check on the client that the server returns the required data:
access | * Host: access.example.org ... [ ok ]
Mount the encrypted partition:
access | * Caching service dependencies ... [ ok ]
access | * Starting access ...
access | * Host: access.example.org ... [ ok ]
Add the mounting of the encrypted partition to autostart:
rc-update add access
Make sure you have a copy of the /root/cryptdata directory on a flash drive, then delete the directory containing the keys:
rm -r /root/cryptdata
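Once /root/cryptdata is deleted, the flash drive copy and the key server are the only places the header and key exist, so it is worth proving the copy is intact before running rm. The following is an added example, not the wiki's own script: it compares SHA-256 digests of header and key between the source directory and the backup, and additionally checks that the header file starts with the LUKS magic bytes (the same for LUKS1 and LUKS2 primary headers), which catches the case where the 2 MiB placeholder was copied before luksFormat wrote a real header into it. The mount path /mnt/flash is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Calculate wiki): confirm the backup of the
# detached header and key is byte-for-byte identical and that the header
# file really carries a LUKS header before the original is deleted.
set -eu

# luks_magic_ok FILE
# Returns 0 if FILE exists and begins with the LUKS magic "LUKS\xba\xbe".
luks_magic_ok() {
    [ -f "$1" ] || return 1
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# verify_backup SRC_DIR DST_DIR
# Compares the SHA-256 of 'header' and 'key' in both directories and checks
# the header magic in the backup. Prints a verdict per file; returns 0 only
# when every check passes.
verify_backup() {
    src=$1; dst=$2; rc=0
    for f in header key; do
        if [ ! -f "$dst/$f" ]; then
            echo "$f: missing in $dst"; rc=1; continue
        fi
        s=$(sha256sum "$src/$f" | cut -d' ' -f1)
        d=$(sha256sum "$dst/$f" | cut -d' ' -f1)
        if [ "$s" = "$d" ]; then
            echo "$f: backup matches ($s)"
        else
            echo "$f: MISMATCH between $src and $dst"; rc=1
        fi
    done
    if luks_magic_ok "$dst/header"; then
        echo "header: LUKS magic present"
    else
        echo "header: no LUKS magic (was luksFormat run with --header?)"; rc=1
    fi
    return $rc
}

# Usage with the flash drive mounted (placeholder mount point):
#   verify_backup /root/cryptdata /mnt/flash/cryptdata && rm -r /root/cryptdata
```

Chaining the verification and the deletion with && means the directory is only removed when every check has passed; a mismatch or a missing file leaves the original in place for another copy attempt.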