Calculate Access: working with encrypted volumes
Updated 13 March 2019
Calculate Access is a toolkit for working with encrypted disks with remote key and partition headers storage support. What it more, the mounting script is also stored on a remote server. For one who has no access to the key server, there is no information about how the disk partitions are used.
Creating an encrypted partition
Create the directory and prepare the header files for the encrypted partition and the encryption key:
1+0 records received 1+0 records sent 2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00229696 s, 913 MB/s
1+0 records received 1+0 records sent 2048 bytes (2.0 kB, 2.0 KiB) copied, 0.00050282 s, 4.1 MB/s
WARNING! ======== This will overwrite data on /root/cryptdata/header irrevocably. Are you sure? (Type uppercase yes): YES
/dev/sda5 with the partition to be encrypted. Confirm by typing YES in capitals.
Mount the encrypted partition:
cryptsetup --header /root/cryptdata/header -d /root/cryptdata/key luksOpen /dev/sda5 sda5_crypt
sda5_crypt and /dev/sda5 with your partitions.
Format the partition:
Key server setup
For the initial configuration of the key server, install the package with USE flag on.
echo sys-apps/calculate-access server [HTML_REMOVED][HTML_REMOVED] /etc/portage/package.use/custom
Now initialize the service:
Access configured successful in /var/calculate/access!
Mounting the encrypted partition with the key server
Install on the system hosting the encrypted partition.
Generate an ssh key to connect to the key server:
Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /var/lib/calculate/access_key. Your public key has been saved in /var/lib/calculate/access_key.pub. The key fingerprint is: SHA256:XFT3YqCScoAFeLmnzpfDO5BWSKiRQAKOcDkSHFBitT0 root@calculate The key's randomart image is: +---[RSA 2048]----+ |#B==.=o ..o . | |X+= B . o . o . | |.= = E. + o o .| |. o ++ o . . | | = S | | = | | + o . | | o * | | ..+ | +----[SHA256]-----+
Do not set a password for the private key, otherwise you will not be able to automatically connect to the service.
Edit connection settings for the key storage server:
# List of access hosts, separated by a space # You can define your host in several ways: # 'example.org' - firstname.lastname@example.org port 22 # 'example.org:200' - email@example.com port 200 # 'firstname.lastname@example.org:333' - email@example.com port 333 ACCESSHOST="access.example.org" # Path to the private SSL-key file for connection to the access host # The key must be accessible without a password KEYFILE=/var/lib/calculate/access_key # Connection timeout (in seconds) CONNECT_TIMEOUT=20 # Maximum number of retries before disallowing access, -1 - infinity RETRY=5
access.example.org with you SSH server name. If you specify multiple key servers, Access will call them in turn, in order of indication.
Add the public key for the server:
access | Permanently added 'access.verevo.calculate.ru,10.3.0.4' (ECDSA) to the list of known hosts.
Move the partition header key (
/root/cryptdata/header), the encryption key ( /root/cryptdata/key) and the public key ( /var/lib/calculate/access_key.pub) to the key server:
Password: header 100% 2048KB 60.1MB/s 2.0MB/s 00:00 key 100% 2048 3.3MB/s 2.0MB/s 00:00 access_key 100% 1675 2.4MB/s 2.0MB/s 00:00
access.example.org with you SSH server name.
Add the encrypted partition data to the key server:
* All OK!
client1 with the encrypted partition server. To view the PARTUUID of the volume, run the following on the client system:
Check on the client that the server returns the required data:
access | * Host: access.example.org ... [ ok ]
Mount the encrypted partition:
access | * Caching service dependencies ... access | * Starting access ... access | * Host: access.example.org ... [ ok ]
Add the mounting of the encrypted partition to autostart:
rc-update add access
Make sure to have a copy of the directory on the flash drive, then delete the directory with the keys:
rm -r /root/cryptdata