Linux: LUKS and multiple hard drives


I have a Debian Linux system (amd64) installed on a RAID-1 system encrypted device (LVM on LUKS) and will have a RAID-6 of >=4 disks where I'll put my data (LUKS and maybe LVM).

I think the basic idea is to unlock the system encrypted partition (at boot, locally or via SSH) and to store a keyfile in /etc/crypttab for the RAID-6 encrypted partition. Does that pose a security risk? I mean … it's pretty useless if anybody can just enter my system locally / remotely, and I think there are plenty of services running on servers that are vulnerable to "rooting" (e.g. SSH).
Is there an alternative (besides unlocking the partition via SSH, which may be a problem since e.g. backup operations start even before the data partition is mounted)?

On another machine I'll use multiple disks with LUKS+greyhole (no RAID-6) for backups, and it'll be a real pain to unlock 10 disks by entering the same password 10 times …

Best Answer

You can use /lib/cryptsetup/scripts/decrypt_derived in your crypttab to automatically use the key from one disk for another.

The decrypt_derived script is part of Debian's cryptsetup package.

Small example to add the key from sda6crypt to sda5:

/lib/cryptsetup/scripts/decrypt_derived sda6crypt > /path/to/mykeyfile   # dump the volume key of the already-unlocked sda6crypt mapping
cryptsetup luksAddKey /dev/sda5 /path/to/mykeyfile                       # enrol that key in a free LUKS key slot of /dev/sda5
ls -la /dev/disk/by-uuid/ | grep sda5                                     # look up the UUID of /dev/sda5 for the crypttab line
echo "sda5crypt UUID=<uuid> sda6crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived" >> /etc/crypttab   # third field names the source mapping, not a keyfile
shred -u /path/to/mykeyfile                                               # remove the keyfile

As it is nowadays very difficult to really delete a file, ensure that /path/to/mykeyfile is on an encrypted drive (in my example, sda6crypt would be a good solution).

In general, you can add an additional security layer by using user space filesystem encryption e.g. via encfs.
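The steps above wrapped in a script, as an added example that is not part of the original answer. It keeps the derived key only on tmpfs (RAM) rather than on an encrypted disk, which is an alternative to the answer's suggestion, creates the temporary file with mode 0600, and prints the crypttab line for review instead of appending it blindly. It assumes Debian's cryptsetup package (for /lib/cryptsetup/scripts/decrypt_derived), plus blkid and GNU stat; the device names and UUIDs are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not Debian's code): share the volume key of an open LUKS
# mapping with a second LUKS device via decrypt_derived, without leaving
# the raw key on persistent storage.
set -eu

KEYSCRIPT=/lib/cryptsetup/scripts/decrypt_derived

# Build the crypttab entry: <target name> <device by UUID> <key source> <options>.
# With decrypt_derived the third field names the already-unlocked mapping
# whose volume key is derived, not a key file on disk.
crypttab_entry() {
    printf '%s UUID=%s %s luks,keyscript=%s\n' "$1" "$2" "$3" "$KEYSCRIPT"
}

# True when crypttab FILE ($1) already has an entry named NAME ($2),
# so the line is not appended twice.
crypttab_has_entry() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null
}

# Accept only a tmpfs directory for the temporary key file: shred cannot be
# trusted on journaled or flash-backed filesystems, but RAM leaves no remnant.
keyfile_dir_ok() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# Derive the key from SOURCE_NAME (an open mapping such as sda6crypt), enrol
# it in a spare key slot of TARGET_DEV, and print the matching crypttab line.
# DRY_RUN=1 echoes the privileged commands instead of running them.
share_key() {
    target_dev=$1 source_name=$2 tmpdir=${3:-/dev/shm}
    keyfile_dir_ok "$tmpdir" || { echo "refusing: $tmpdir is not tmpfs" >&2; return 1; }
    umask 077                                   # key file readable by root only
    keyfile=$(mktemp "$tmpdir/derived.XXXXXX")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $KEYSCRIPT $source_name > $keyfile" >&2
        echo "+ cryptsetup luksAddKey $target_dev $keyfile" >&2
        uuid='<uuid-of-target>'                 # placeholder in dry-run mode
    else
        "$KEYSCRIPT" "$source_name" > "$keyfile"        # volume key on stdout
        cryptsetup luksAddKey "$target_dev" "$keyfile"
        uuid=$(blkid -s UUID -o value "$target_dev")
    fi
    shred -u "$keyfile" 2>/dev/null || rm -f "$keyfile"  # scrub, fall back to unlink
    crypttab_entry "$(basename "$target_dev")crypt" "$uuid" "$source_name"
}

# Usage (as root, after sda6crypt is unlocked):
#   DRY_RUN=1 sh share_key.sh /dev/sda5 sda6crypt
if [ $# -ge 2 ]; then
    line=$(share_key "$1" "$2")
    if crypttab_has_entry /etc/crypttab "${line%% *}"; then
        echo "note: /etc/crypttab already has an entry for ${line%% *}" >&2
    fi
    printf '%s\n' "$line"    # review, then append to /etc/crypttab
fi
```

The tmpfs check is the one guard worth keeping even if the rest is done by hand: once the key has been written to a disk-backed filesystem, shred gives no guarantee on ext4 with journaling or on SSDs that remap blocks.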
