Calculate Access: working with encrypted volumes

Calculate Access is a toolkit for working with encrypted disks, with support for storing the key and the partition headers on a remote server. What is more, the mounting script is also stored on the remote server. Anyone without access to the key server has no information about how the disk partitions are used.

Creating an encrypted partition

Create the /root/cryptdata directory and prepare the header file for the encrypted partition and the encryption key:

mkdir /root/cryptdata

dd if=/dev/zero of=/root/cryptdata/header bs=2M count=1
1+0 records received
1+0 records sent
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00229696 s, 913 MB/s
dd if=/dev/urandom of=/root/cryptdata/key count=1 bs=2048
1+0 records received
1+0 records sent
2048 bytes (2.0 kB, 2.0 KiB) copied, 0.00050282 s, 4.1 MB/s

Add encryption:

cryptsetup luksFormat --header /root/cryptdata/header /dev/sda5 /root/cryptdata/key
This will overwrite data on /root/cryptdata/header irrevocably.

Are you sure? (Type uppercase yes): YES

Replace /dev/sda5 with the partition to be encrypted. Confirm by typing YES in capitals.

Mount the encrypted partition:

cryptsetup --header /root/cryptdata/header -d /root/cryptdata/key luksOpen /dev/sda5 sda5_crypt

Replace sda5_crypt and /dev/sda5 with your partitions.

Format the partition:

mkfs.ext4 /dev/mapper/sda5_crypt

Key server setup

For the initial configuration of the key server, install the sys-apps/calculate-access package with the server USE flag enabled.

echo sys-apps/calculate-access server >> /etc/portage/package.use/custom

emerge calculate-access

Now initialize the service:

Access configured successful in /var/calculate/access!

Mounting the encrypted partition with the key server

Install sys-apps/calculate-access on the system hosting the encrypted partition.

emerge calculate-access

Generate an ssh key to connect to the key server:

ssh-keygen -f /var/lib/calculate/access_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/calculate/access_key.
Your public key has been saved in /var/lib/calculate/
The key fingerprint is:
SHA256:XFT3YqCScoAFeLmnzpfDO5BWSKiRQAKOcDkSHFBitT0 root@calculate
The key's randomart image is:
+---[RSA 2048]----+
|#B==.=o   ..o .  |
|X+= B  . o . o . |
|.= = E. + o   o .|
|.   o ++ o   . . |
|     =  S        |
|    =            |
|   + o .         |
|    o *          |
|     ..+         |
Do not set a passphrase on the private key, otherwise the automatic connection will not work.

Edit connection settings for the key storage server:


# List of access hosts, separated by a space
# You can define your host in several ways:
#   'host'          - port 22
#   'host:200'      - port 200
#   'user@host:333' - user@ port 333

# Path to the private SSH key file for connection to the access host
# The key must be accessible without a password

# Connection timeout (in seconds)

# Maximum number of retries before disallowing access, -1 - infinity

Replace the host placeholder with your SSH server name. If you specify several key servers, Access will try them in turn, in the order listed.

Add the public key for the server:

/etc/init.d/access add_hostkey
access | Permanently added ',' (ECDSA) to the list of known hosts.

Copy the partition header (/root/cryptdata/header), the encryption key (/root/cryptdata/key) and the public key (/var/lib/calculate/ to the key server:

scp /root/cryptdata/{header,key} /var/lib/calculate/
header                              100% 2048KB  60.1MB/s   2.0MB/s   00:00    
key                                 100% 2048     3.3MB/s   2.0MB/s   00:00    
access_key                          100% 1675     2.4MB/s   2.0MB/s   00:00 

Replace the host placeholder with your SSH server name.

Add the encrypted partition data to the key server:

cl-access-add --id client1 --ssh-key /root/ --header /root/header --key /root/key --device da958374-f891-4280-8c15-6e20b6cdd8f7 --mount /var/calculate
* All OK!

Replace client1 with the name of the server hosting the encrypted partition. To find the PARTUUID of the volume, run the following on the client system:

blkid -s PARTUUID /dev/sda5
/dev/sda5: PARTUUID="da958374-f891-4280-8c15-6e20b6cdd8f7"

Check on the client that the server returns the required data:

/etc/init.d/access check
access            | * Host: ...                           [ ok ]

Mount the encrypted partition:

/etc/init.d/access start
access            | * Caching service dependencies ...
access            | * Starting access ...
access            | * Host: ...                           [ ok ]

Add the mounting of the encrypted partition to autostart:

rc-update add access

Make sure you have a copy of the /root/cryptdata directory on a flash drive, then delete the directory with the keys:

rm -r /root/cryptdata
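Two checks are worth running at the end of this procedure: after formatting the volume, that the detached header file you are about to hand to the key server really is a LUKS header, and after deleting /root/cryptdata, that the partition itself (/dev/sda5 in the text) starts with no LUKS signature, so the disk alone reveals nothing about how it is used. The script below is an added example, not part of the Calculate Access project; it reads the on-disk LUKS1 and LUKS2 binary header layouts as defined in cryptsetup and, for LUKS2, the JSON metadata area that follows the 4 KiB binary header. The two sample headers it builds are constructed for offline testing and do not come from any real device; the UUIDs in them are placeholders.

```python
"""Sanity checks for a detached LUKS header and the raw partition it protects.

Added example, not Calculate Access project code. Field layouts follow
cryptsetup's luks_phdr (LUKS1) and luks2_hdr_disk (LUKS2) structures.
"""
import json
import struct
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"                       # shared by LUKS1 and LUKS2
LUKS1_PHDR = ">6sH32s32s32sII20s32sI40s"          # 208 bytes, big-endian
LUKS2_BIN_HDR = ">6sHQQ48s32s64s40s48sQ184s64s"   # first 512 of the 4096-byte binary header
LUKS2_JSON_OFFSET = 4096                          # JSON metadata area starts here


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def has_luks_signature(data: bytes) -> bool:
    """True if the buffer begins with the LUKS magic bytes."""
    return data[:6] == LUKS_MAGIC


def parse_luks_header(data: bytes) -> Optional[dict]:
    """Return the interesting fields of a LUKS1/LUKS2 header, or None if not LUKS."""
    if len(data) < 8 or not has_luks_signature(data):
        return None
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        size = struct.calcsize(LUKS1_PHDR)
        if len(data) < size:
            return None
        f = struct.unpack(LUKS1_PHDR, data[:size])
        return {
            "version": 1,
            "cipher": f"{_cstr(f[2])}-{_cstr(f[3])}",   # cipherName-cipherMode
            "hash": _cstr(f[4]),
            "key_bits": f[6] * 8,                       # keyBytes field
            "uuid": _cstr(f[10]),
        }
    if version == 2:
        size = struct.calcsize(LUKS2_BIN_HDR)
        if len(data) < size:
            return None
        f = struct.unpack(LUKS2_BIN_HDR, data[:size])
        hdr_size = f[2]
        info = {"version": 2, "uuid": _cstr(f[7]), "label": _cstr(f[4]), "header_size": hdr_size}
        # The JSON area is NUL-padded up to hdr_size; take the text before the first NUL.
        json_area = data[LUKS2_JSON_OFFSET:hdr_size].split(b"\0", 1)[0]
        if json_area:
            meta = json.loads(json_area)
            segment = next(iter(meta.get("segments", {}).values()), {})
            info["cipher"] = segment.get("encryption")
            info["keyslots"] = len(meta.get("keyslots", {}))
        return info
    return None


def check_detached_layout(header: bytes, device_head: bytes) -> dict:
    """Header file must parse as LUKS; the device itself must carry no LUKS magic."""
    parsed = parse_luks_header(header)
    return {
        "header_ok": parsed is not None,
        "device_clean": not has_luks_signature(device_head),
        "header": parsed,
    }


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header for offline testing (placeholder digest, salt and UUID)."""
    return struct.pack(
        LUKS1_PHDR, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
        4096, 64, b"\x11" * 20, b"\x22" * 32, 100000,
        b"00000000-0000-4000-8000-000000000001",
    )


def build_sample_luks2_header() -> bytes:
    """Constructed LUKS2 header (binary area plus minimal JSON) for offline testing."""
    meta = {
        "keyslots": {"0": {"type": "luks2"}},
        "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
    }
    hdr_size = 16384
    binary = struct.pack(
        LUKS2_BIN_HDR, LUKS_MAGIC, 2, hdr_size, 1, b"", b"sha256", b"\x33" * 64,
        b"00000000-0000-4000-8000-000000000002", b"", 0, b"", b"\x44" * 64,
    )
    json_bytes = json.dumps(meta).encode()
    return binary.ljust(LUKS2_JSON_OFFSET, b"\0") + json_bytes.ljust(hdr_size - LUKS2_JSON_OFFSET, b"\0")


if __name__ == "__main__":
    import sys
    # Usage: python luks_check.py /root/cryptdata/header /dev/sda5  (needs read access to both)
    with open(sys.argv[1], "rb") as fh, open(sys.argv[2], "rb") as fd:
        print(check_detached_layout(fh.read(1 << 20), fd.read(4096)))
```

Run it with the header file and the partition as arguments while /root/cryptdata still exists; `header_ok` should be true and `device_clean` true. Once the header lives only on the key server, the second check is the one that matters: a LUKS signature at the start of the partition would mean the header was written to the device rather than to the detached file.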