Calculate Access: working with encrypted volumes

Calculate Access is a toolkit for working with encrypted disks with remote key and partition headers storage support. What it more, the mounting script is also stored on a remote server. For one who has no access to the key server, there is no information about how the disk partitions are used.

Creating an encrypted partition

Create the / root / cryptdata directory and prepare the header files for the encrypted partition and the encryption key:

mkdir /root/cryptdata

dd if=/dev/zero of=/root/cryptdata/header bs=2M count=1
1+0 records received
1+0 records sent
2097152 bytes (2.1 MB, 2.0 MiB) copied, 0.00229696 s, 913 MB/s
dd if=/dev/urandom of=/root/cryptdata/key count=1 bs=2048
1+0 records received
1+0 records sent
2048 bytes (2.0 kB, 2.0 KiB) copied, 0.00050282 s, 4.1 MB/s

Add encryption:

cryptsetup luksFormat --header /root/cryptdata/header /dev/sda5 /root/cryptdata/key
WARNING!
========
This will overwrite data on /root/cryptdata/header irrevocably.

Are you sure? (Type uppercase yes): YES

Replace /dev/sda5 with the partition to be encrypted. Confirm by typing YES in capitals.

Mount the encrypted partition:

cryptsetup --header /root/cryptdata/header -d /root/cryptdata/key luksOpen /dev/sda5 sda5_crypt

Replace sda5_crypt and /dev/sda5 with your partitions.

Format the partition:

mkfs.ext4 /dev/mapper/sda5_crypt

Key server setup

For the initial configuration of the key server, install the sys-apps / calculate-access package with USE flag server on.

echo sys-apps/calculate-access server [HTML_REMOVED][HTML_REMOVED] /etc/portage/package.use/custom

emerge calculate-access

Now initialize the service:

cl-access-setup
Access configured successful in /var/calculate/access!

Mounting the encrypted partition with the key server

Install sys-apps/calculate-access on the system hosting the encrypted partition.

emerge calculate-access

Generate an ssh key to connect to the key server:

ssh-keygen -f /var/lib/calculate/access_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/lib/calculate/access_key.
Your public key has been saved in /var/lib/calculate/access_key.pub.
The key fingerprint is:
SHA256:XFT3YqCScoAFeLmnzpfDO5BWSKiRQAKOcDkSHFBitT0 root@calculate
The key's randomart image is:
+---[RSA 2048]----+
|#B==.=o   ..o .  |
|X+= B  . o . o . |
|.= = E. + o   o .|
|.   o ++ o   . . |
|     =  S        |
|    =            |
|   + o .         |
|    o *          |
|     ..+         |
+----[SHA256]-----+

Important

Do not set the password on the private key to avoid turning off automatic connection.

Edit connection settings for the key storage server:

/etc/conf.d/access

# List of access hosts, separated by a space
# You can define your host in several ways:
#   'example.org'       - access@example.org port 22
#   'example.org:200'   - access@example.org port 200
#   'user@1.2.3.4:333'  - user@1.2.3.4 port 333
ACCESSHOST="access.example.org"

# Path to the private SSL-key file for connection to the access host
# The key must be accessible without a password
KEYFILE=/var/lib/calculate/access_key

# Connection timeout (in seconds)
CONNECT_TIMEOUT=20

# Maximum number of retries before disallowing access, -1 - infinity
RETRY=5

Replace access.example.org with you SSH server name. If you specify multiple key servers, Access will call them in turn, in order of indication.

Add the public key for the server:

/etc/init.d/access add_hostkey
access | Permanently added 'access.verevo.calculate.ru,10.3.0.4' (ECDSA) to the list of known hosts.


Move the partition header key (/root/cryptdata/header), the encryption key (/root/cryptdata/key) and the public key (/var/lib/calculate/access_key.pub) to the key server:

scp /root/cryptdata/{header,key} /var/lib/calculate/access_key.pub root@access.example.org:/root
Password: 
header                              100% 2048KB  60.1MB/s   2.0MB/s   00:00    
key                                 100% 2048     3.3MB/s   2.0MB/s   00:00    
access_key                          100% 1675     2.4MB/s   2.0MB/s   00:00 

Replace access.example.org with you SSH server name.

Add the encrypted partition data to the key server:

cl-access-add --id client1 --ssh-key /root/access_key.pub --header /root/header --key /root/key --device da958374-f891-4280-8c15-6e20b6cdd8f7 --mount /var/calculate
* All OK!


Replace client1 with the encrypted partition server. To view the PARTUUID of the volume, run the following on the client system:

blkid -s PARTUUID /dev/sda5
/dev/sda5: PARTUUID="da958374-f891-4280-8c15-6e20b6cdd8f7"

Check on the client that the server returns the required data:

/etc/init.d/access check
access            | * Host: access.example.org ...                           [ ok ]


Mount the encrypted partition:

/etc/init.d/access start
access            | * Caching service dependencies ...
access            | * Starting access ...
access            | * Host: access.example.org ...                           [ ok ]


Add the mounting of the encrypted partition to autostart:

rc-update add access

Make sure to have a copy of the / root / cryptdata directory on the flash drive, then delete the directory with the keys:

rm -r /root/cryptdata