SaraiCryptedDisk r1.2 - 05 Oct 2006 - 09:36 - ChrisC

Encrypted Loopback Partition on Sarai

Notes on setting up an encrypted loopback device on sarai.indymedia.org for storing certs and keys. This was discussed on listwork in October 2006: 1 | 2 | 3

Decrypting and mounting

After the machine has booted, postfix and apache will not work until the encrypted disk has been mounted, because their TLS keys and certificates are stored on it.

To mount it do this:

$ ssh sarai.indymedia.org
$ sudo /root/bin/mnt-crypt

The mnt-crypt script contains the following:

#!/bin/bash
# Abort on the first failing command so that apache and postfix are only
# started once the encrypted partition is really mounted.
set -e

echo "This script mounts the encrypted partition at /etc/crypt"
echo "If you mistype the password then do this before running this again:"
echo "/sbin/cryptsetup remove crypt"

# create the loop device
/sbin/losetup /dev/loop0 /crypt

# decrypt the loopback device (cryptsetup create accepts any passphrase;
# a wrong one only shows up when the mount below fails)
/sbin/cryptsetup create crypt /dev/loop0

# mount the partition; on failure tear the mapping and the loop device
# down again so the script can simply be re-run
if ! /bin/mount /dev/mapper/crypt /etc/crypt; then
    /sbin/cryptsetup remove crypt
    /sbin/losetup -d /dev/loop0
    echo "mount failed (wrong passphrase?); mapping removed, run again" >&2
    exit 1
fi

# start apache
/etc/init.d/apache start

# start postfix
/etc/init.d/postfix start
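The state a mistyped passphrase leaves behind (mapping present, nothing mounted) is what the echo lines in mnt-crypt warn about, and there is no matching script for taking the volume down again. The following status and teardown helper is an added example, not a script from the page or from the sarai setup. It reuses the page's names (/crypt, /dev/loop0, the mapping crypt, /etc/crypt) and the init scripts mnt-crypt starts, and it decides what to undo from /proc/mounts and dmsetup ls rather than assuming the previous run succeeded.

```shell
#!/bin/sh
# crypt-status / umnt-crypt: counterpart to the mnt-crypt script above.
# Added example, not part of the original page. Names follow the page's
# mnt-crypt: /crypt -> /dev/loop0 -> /dev/mapper/crypt -> /etc/crypt
set -u

LOOP_DEV=/dev/loop0
MAP_NAME=crypt
MOUNT_POINT=/etc/crypt

# crypt_is_mounted MOUNTS_FILE
# Succeeds if MOUNT_POINT is listed as a mount point in MOUNTS_FILE
# (normally /proc/mounts; taking a file argument keeps it testable).
crypt_is_mounted() {
    awk -v mp="$MOUNT_POINT" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

# crypt_is_mapped DMLIST_FILE
# Succeeds if MAP_NAME appears in saved "dmsetup ls" output, e.g.
#   crypt   (254, 5)
crypt_is_mapped() {
    awk -v name="$MAP_NAME" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# crypt_state MOUNTS_FILE DMLIST_FILE -> mounted | stale | absent
#   mounted  mapping exists and the filesystem is mounted: services may run
#   stale    mapping exists but nothing is mounted: what a mistyped
#            passphrase leaves behind (cryptsetup create accepts any
#            passphrase; only the mount fails)
#   absent   no mapping: mnt-crypt has not been run since boot
crypt_state() {
    if crypt_is_mounted "$1"; then
        echo mounted
    elif crypt_is_mapped "$2"; then
        echo stale
    else
        echo absent
    fi
}

# live_state: crypt_state against the running system (dmsetup needs root)
live_state() {
    dmlist=$(mktemp)
    /sbin/dmsetup ls > "$dmlist"
    crypt_state /proc/mounts "$dmlist"
    rm -f "$dmlist"
}

# crypt_down: undo mnt-crypt in reverse order, running only the steps that
# apply to the current state, so it also cleans up after a bad passphrase.
crypt_down() {
    case "$(live_state)" in
        mounted)
            /etc/init.d/postfix stop
            /etc/init.d/apache stop
            /bin/umount "$MOUNT_POINT"
            /sbin/cryptsetup remove "$MAP_NAME"
            /sbin/losetup -d "$LOOP_DEV"
            ;;
        stale)
            /sbin/cryptsetup remove "$MAP_NAME"
            /sbin/losetup -d "$LOOP_DEV"
            ;;
        absent)
            echo "nothing to do: $MAP_NAME is not set up" >&2
            ;;
    esac
}

# sample_check: runs crypt_state over constructed /proc/mounts and
# "dmsetup ls" snapshots (made up here, modelled on the output shown on
# this page) and prints the three states in the order mounted, stale, absent.
sample_check() {
    dir=$(mktemp -d)
    printf '%s\n' 'rootfs / rootfs rw 0 0' \
        '/dev/mapper/crypt /etc/crypt ext3 rw,data=ordered 0 0' > "$dir/mounts.up"
    printf '%s\n' 'rootfs / rootfs rw 0 0' > "$dir/mounts.down"
    printf '%s\n' 'vg01-home       (254, 0)' 'crypt   (254, 5)' > "$dir/dm.up"
    printf '%s\n' 'vg01-home       (254, 0)' > "$dir/dm.down"
    echo "$(crypt_state "$dir/mounts.up" "$dir/dm.up")" \
         "$(crypt_state "$dir/mounts.down" "$dir/dm.up")" \
         "$(crypt_state "$dir/mounts.down" "$dir/dm.down")"
    rm -rf "$dir"
}

case "${1:-}" in
    status) live_state ;;
    down)   crypt_down ;;
    sample) sample_check ;;
esac
```

Run it as root with `status` to see which of the three states the box is in, or `down` to stop the services and release the mapping and loop device; `sample` exercises the state logic on the constructed snapshots without touching the system.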

Setup Notes

Notes on what was done to create the encrypted device and the cert.

Creating the encrypted device

The riseup loopback instructions were followed.

# cd /
# dd if=/dev/urandom of=/crypt bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes transferred in 2.582209 seconds (4060771 bytes/sec)
# losetup /dev/loop0 /crypt 
# cryptsetup -y create crypt /dev/loop0 
  Enter passphrase: 
  Verify passphrase: 
# dmsetup ls 
  vg01-home       (254, 0)
  vg01-backup     (254, 4)
  vg01-mailman    (254, 3)
  vg01-usr        (254, 2)
  vg01-var        (254, 1)
  crypt   (254, 5)
# mkfs.ext3 /dev/mapper/crypt 
  mke2fs 1.37 (21-Mar-2005)
  Filesystem label=
  OS type: Linux
  Block size=1024 (log=0)
  Fragment size=1024 (log=0)
  2560 inodes, 10240 blocks
  512 blocks (5.00%) reserved for the super user
  First data block=1
  2 block groups
  8192 blocks per group, 8192 fragments per group
  1280 inodes per group
  Superblock backups stored on blocks: 
          8193
  
  Writing inode tables: done                            
  Creating journal (1024 blocks): done
  Writing superblocks and filesystem accounting information: done
  
  This filesystem will be automatically checked every 30 mounts or
  180 days, whichever comes first.  Use tune2fs -c or -i to override.
# mkdir /etc/crypt
# mount /dev/mapper/crypt /etc/crypt
# df -h | grep crypt
  /dev/mapper/crypt     9.7M  1.1M  8.2M  12% /etc/crypt

Generating the key and cert

See: CaCertSsl

# cd /etc/crypt
# /root/bin/csr.sh
  Private Key and Certificate Signing Request Generator
  This script was designed to suit the request format needed by
  the CAcert Certificate Authority. www.CAcert.org
  
  Short Hostname (ie. imap big_srv www2): sarai
  FQDN/CommonName (ie. www.example.com) : sarai.indymedia.org
  Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
  SubjectAltName: DNS:sarai.indymedia.org
  SubjectAltName: DNS:sarai3.indymedia.org
  SubjectAltName: DNS:lists.indymedia.org
  SubjectAltName: DNS:archives.lists.indymedia.org
  SubjectAltName: DNS:
  Running OpenSSL...
  Generating a 512 bit RSA private key
  writing new private key to 'sarai_privatekey.pem'
  Generating a 2048 bit RSA private key
  writing new private key to 'sarai_privatekey.pem'
  -----
  Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
  When you receive your certificate, you 'should' name it something like sarai_server.pem

The CSR was pasted into the interface at http://cacert.org/, a Class 1 certificate was generated, and it was saved as sarai_server.pem.

Postfix configuration

See CaCertSsl#Sarai_TLS_configuration

The following settings were changed in /etc/postfix/main.cf:

tls_certs = /etc/crypt

smtp_tls_key_file = $tls_certs/sarai_privatekey.pem
smtp_tls_cert_file = $tls_certs/sarai_server.pem
smtp_tls_CAfile = $tls_certs/cacert.crt
# smtp_tls_CApath expects a directory of hashed CA certificates, not a
# file, and is not needed when smtp_tls_CAfile is set; the original
# line is kept here commented out:
# smtp_tls_CApath = $tls_certs/cacert.crt

smtpd_tls_cert_file = $tls_certs/sarai_server.pem
smtpd_tls_key_file = $tls_certs/sarai_privatekey.pem
smtpd_tls_CAfile = $tls_certs/cacert.crt

Then postfix was reloaded:

/etc/init.d/postfix reload

And postfix was set not to start on boot (mnt-crypt starts it once the partition is mounted):

# update-rc.d -f postfix remove
 update-rc.d: /etc/init.d/postfix exists during rc.d purge (continuing)
 Removing any system startup links for /etc/init.d/postfix ...
   /etc/rc0.d/K20postfix
   /etc/rc1.d/K20postfix
   /etc/rc2.d/S20postfix
   /etc/rc3.d/S20postfix
   /etc/rc4.d/S20postfix
   /etc/rc5.d/S20postfix
   /etc/rc6.d/K20postfix

And the old cert and key were destroyed:

# cd /etc/postfix/tls/
# shred -uv -n 100 sarai.crt
# shred -uv -n 100 sarai.key
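Once the keys and certs live only on the encrypted mount, a reload against an unmounted /etc/crypt would leave postfix without its TLS files, so it is worth checking every path main.cf points at before reloading. The checker below is an added example, not from the page or the sarai setup: it reads a main.cf, expands the $tls_certs prefix (Postfix's own $name substitution, one level at a time), and reports each *_key_file, *_cert_file and *_CAfile path, refusing if a file is missing or a private key is readable by group or others. The sample_check function builds a throwaway copy of the page's layout with empty placeholder files (constructed for this example) to show the three outcomes.

```shell
#!/bin/sh
# Check the TLS files referenced from a Postfix main.cf before "postfix reload".
# Added example, not from the original page; read-only, changes nothing.
set -u

# mcf_get MAINCF PARAM
# Prints PARAM's value from MAINCF (last assignment wins) with $name
# references expanded from the same file, enough for the $tls_certs
# prefix used on this page. Fails on an unresolvable or circular reference.
mcf_get() {
    val=$(awk -v p="$2" -F' *= *' '$1 == p { v = $2 } END { print v }' "$1")
    depth=0
    while :; do
        case "$val" in
            *'$'*) ;;
            *) break ;;
        esac
        depth=$((depth + 1))
        [ "$depth" -le 10 ] || { echo "too many references in $2" >&2; return 1; }
        ref=$(printf '%s\n' "$val" | sed -n 's/.*\$\([A-Za-z0-9_][A-Za-z0-9_]*\).*/\1/p')
        rep=$(awk -v p="$ref" -F' *= *' '$1 == p { v = $2 } END { print v }' "$1")
        [ -n "$rep" ] || { echo "unresolved \$$ref in $2" >&2; return 1; }
        # replace the first "$ref" occurrence with its value (pure shell)
        pat="\$$ref"
        val="${val%%$pat*}$rep${val#*$pat}"
    done
    printf '%s\n' "$val"
}

# file_is_private FILE: succeeds if FILE has no group or other permission
# bits set (the mode string from "ls -ld" ends in ------).
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_tls_files MAINCF
# Resolves every *_key_file, *_cert_file and *_CAfile parameter, prints one
# line per parameter and returns 1 if any path is missing or a key is too
# open, so a wrapper can refuse to reload Postfix. (*_CApath names a hashed
# certificate directory, not a file, and is deliberately skipped.)
check_tls_files() {
    rc=0
    for p in $(awk -F' *= *' '$1 ~ /_(key_file|cert_file|CAfile)$/ { print $1 }' "$1" | sort -u); do
        path=$(mcf_get "$1" "$p") || { rc=1; continue; }
        if [ ! -f "$path" ]; then
            echo "MISSING  $p = $path"; rc=1
        elif [ "${p%_key_file}" != "$p" ] && ! file_is_private "$path"; then
            echo "TOO-OPEN $p = $path"; rc=1
        else
            echo "ok       $p = $path"
        fi
    done
    return $rc
}

# sample_check: builds a temporary copy of the layout on this page (a main.cf
# with "tls_certs = <dir>" and empty placeholder files under it, all
# constructed here) and prints the check's exit status for three cases:
# everything correct, a world-readable key, a missing CA file.
sample_check() {
    dir=$(mktemp -d)
    cat > "$dir/main.cf" <<EOF
tls_certs = $dir
smtp_tls_key_file = \$tls_certs/sarai_privatekey.pem
smtp_tls_cert_file = \$tls_certs/sarai_server.pem
smtp_tls_CAfile = \$tls_certs/cacert.crt
smtpd_tls_cert_file = \$tls_certs/sarai_server.pem
smtpd_tls_key_file = \$tls_certs/sarai_privatekey.pem
smtpd_tls_CAfile = \$tls_certs/cacert.crt
EOF
    for f in sarai_privatekey.pem sarai_server.pem cacert.crt; do : > "$dir/$f"; done
    chmod 600 "$dir/sarai_privatekey.pem"
    chmod 644 "$dir/sarai_server.pem" "$dir/cacert.crt"
    r1=0; check_tls_files "$dir/main.cf" >/dev/null || r1=$?
    chmod 644 "$dir/sarai_privatekey.pem"
    r2=0; check_tls_files "$dir/main.cf" >/dev/null || r2=$?
    chmod 600 "$dir/sarai_privatekey.pem"; rm -f "$dir/cacert.crt"
    r3=0; check_tls_files "$dir/main.cf" >/dev/null || r3=$?
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

case "${1:-}" in
    "")     ;;
    sample) sample_check ;;
    *)      check_tls_files "$1" ;;
esac
```

On the real box this would be run as `check_tls.sh /etc/postfix/main.cf && /etc/init.d/postfix reload`, so the reload only happens when every referenced file is present on the mounted partition and the key is root-only; `sample` runs the three constructed cases and prints their exit codes.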

Apache configuration

See: CaCertSsl#HTTP_multiple_domain_names

The apache configuration file, /etc/apache/vhosts/lists.indymedia.org was edited:

SSLCertificateFile /etc/crypt/sarai_server.pem
SSLCertificateKeyFile /etc/crypt/sarai_privatekey.pem

And apache was restarted and then set not to start on boot (mnt-crypt starts it once the partition is mounted):

# /etc/init.d/apache stop
# /etc/init.d/apache start
# update-rc.d -f apache remove
 update-rc.d: /etc/init.d/apache exists during rc.d purge (continuing)
 Removing any system startup links for /etc/init.d/apache ...
   /etc/rc0.d/K91apache
   /etc/rc1.d/K91apache
   /etc/rc2.d/S91apache
   /etc/rc3.d/S91apache
   /etc/rc4.d/S91apache
   /etc/rc5.d/S91apache
   /etc/rc6.d/K91apache

And the old cert and key were destroyed:

# shred -uv -n 100 /etc/apache/ssl.crt/cacert-server.crt 
# shred -uv -n 100 /etc/apache/ssl.key/cacert-private.key 

Copyright © 1999-2008 by the contributing authors.