Centos 7 Generate Ssh Keys

LUKS (Linux Unified Key Setup) is a platform-agnostic on-disk format for encrypted volumes on Linux. This tutorial gives you root and swap logical volumes inside an LVM (Logical Volume Manager) volume group that lives inside an encrypted LUKS partition. It also lets you unlock the LUKS partition remotely at boot: dracut-crypt-ssh puts a minimal SSH daemon (dropbear) into the initramfs, so the passphrase can be supplied from any compatible SSH client instead of the console.

Prerequisites

  • A CentOS 7 x64 Minimal ISO Library server instance.
  • A sudo user.
  • SSH public key(s).
  • Dracut-Crypt-SSH.

Step 1: Environment Setup

On the Deploy Servers page, do the following:

  • Choose your server location in the Server Location section.
  • Choose CentOS 7 under the ISO Library tab of the Server Type section.
  • Choose the hardware specifications you require in the Server Size section.
  • Click the Deploy Now button.


Use the View Console option to access the VPS instance via the noVNC console.

Step 2: Start The CentOS 7 Text Mode Installer

Select the Install CentOS Linux 7 option.

Press the Tab key.

After vmlinuz initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 quiet, append text so that the line reads vmlinuz initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 quiet text, then press the Enter key.


The VPS will now boot into the text mode CentOS installer. You will see a screen in the noVNC console like pictured in the image below.

Step 3: Setup LVM On LUKS Full Disk Encryption

Use the Alt + Right Arrow Key combination to navigate to the TTY2 console to type commands on the command line.

Type the following commands to create a BIOS boot partition for the GRUB2 core image, an unencrypted /boot partition and a third partition that will hold the LUKS container. The installer later shows these as BIOS Boot (vda1), Unknown (vda2) and Encrypted (LUKS) (vda3).

Type the following command to display the partition layout.


Next, fill the partition that will hold the LUKS container (named rootfs by the commands above) with pseudo-random data, so that an attacker cannot tell which encrypted blocks are in use and which are free. This takes a little over half an hour.

On CentOS 7, cryptsetup's defaults are the aes-xts-plain64 cipher, a 256-bit key and, depending on the cryptsetup version, SHA-1 or SHA-256 as the key-derivation hash. This tutorial instead creates the LUKS partition with the Serpent cipher in XTS mode, a 512-bit key and the Whirlpool hash. Two things are worth knowing before you copy that choice: in XTS mode the key is split in two, so 512 bits is what gives 256-bit strength (the 256-bit default is really AES-128 in XTS mode), and Serpent has no hardware acceleration comparable to AES-NI, so disk throughput will be noticeably lower than with aes-xts-plain64 and a 512-bit key. The hash is only used to derive the slot keys from the passphrase; SHA-256, SHA-512 and Whirlpool are all fine, SHA-1 should be avoided.

Input the answers, when prompted with the following queries, then press the Enter key:

  • Are you sure? (Type uppercase yes): YES
  • Enter passphrase: strong-password
  • Verify passphrase: strong-password
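To confirm what the header actually ended up with, and to audit volumes created elsewhere with the CentOS 7 defaults, the following script (added here as an example; it is not part of the original tutorial) parses the text of cryptsetup luksDump for a LUKS1 header and checks it against the policy described above: no SHA-1, RIPEMD-160 or MD5 key-derivation hash, a master key of at least 512 bits in XTS mode or 256 bits otherwise, and at least one enabled key slot. The two embedded dumps are constructed samples with fake digests, salts and UUIDs, not real headers.

```bash
#!/usr/bin/env bash
# luks_audit.sh: check the parameters of a LUKS1 header from `cryptsetup luksDump` text.
# Added example for this page (not from the original tutorial). LUKS1 output format only;
# LUKS2 headers (the default on newer cryptsetup) print a different layout.

# luks_audit FILE
#   FILE contains the output of `cryptsetup luksDump <device>`.
#   Prints one finding per line plus a summary; returns 1 if any policy rule fails.
luks_audit() {
    awk '
        /^Version:/      { version = $2 }
        /^Cipher name:/  { cipher  = $3 }
        /^Cipher mode:/  { mode    = $3 }
        /^Hash spec:/    { hash    = $3 }
        /^MK bits:/      { bits    = $3 + 0 }
        /^Key Slot [0-9]+: ENABLED/ { slots++ }
        END {
            fail = 0
            if (version != "1") { print "unsupported header version: " version; fail = 1 }
            if (hash == "sha1" || hash == "ripemd160" || hash == "md5") {
                print "weak key-derivation hash: " hash; fail = 1
            }
            # XTS uses two keys of equal size, so 256 "MK bits" in XTS mode is 128-bit strength
            need = (mode ~ /^xts/) ? 512 : 256
            if (bits < need) {
                print "master key too short for " mode ": " bits " bits (policy: " need ")"; fail = 1
            }
            if (slots == 0) { print "no enabled key slots"; fail = 1 }
            if (slots > 1)  { print "note: " slots " key slots enabled; confirm each one is wanted" }
            printf "cipher=%s-%s hash=%s mk_bits=%d enabled_slots=%d\n", cipher, mode, hash, bits, slots
            exit fail
        }' "$1"
}

# write_sample_dumps DIR
#   Writes two constructed luksDump excerpts: the layout this tutorial creates and the
#   CentOS 7 default layout it warns about. Digests, salts and the UUID are fake.
write_sample_dumps() {
    cat > "$1/tutorial.dump" <<'EOF'
LUKS header information for /dev/vda3

Version:        1
Cipher name:    serpent
Cipher mode:    xts-plain64
Hash spec:      whirlpool
Payload offset: 4096
MK bits:        512
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MK iterations:  123456
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             987654
        Salt:                   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
EOF
    sed -e 's/serpent/aes/' -e 's/whirlpool/sha1/' -e 's/^MK bits:.*/MK bits:        256/' \
        "$1/tutorial.dump" > "$1/default.dump"
}

# Stand-alone use: cryptsetup luksDump /dev/vda3 > header.txt; bash luks_audit.sh header.txt
if [ $# -gt 0 ]; then
    luks_audit "$1"
fi
```

A finding on the hash or key size cannot be fixed in place: those parameters are fixed when the header is formatted, so the remedy is to reformat (before any data is written, as at this point in the tutorial) or to re-encrypt an existing volume.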
Optional: Backup The LUKS Partition Header

Warning: This temporary SSH server allows root login and file copying without a password prompt. Start it only for as long as it takes to retrieve /tmp/luks-header-backup.img, preferably from a network you trust, and kill it immediately afterwards.

For safekeeping, save a copy of the LUKS partition header. If the header is damaged and you have no backup, the data is lost for good: the header holds the encrypted master key and the key slots, and nothing on the rest of the disk can replace it. Protect the backup like the passphrase itself, because it also means that any passphrase you later remove from the live header still unlocks the volume through the old backup.

To copy /tmp/luks-header-backup.img off the server, an SSH server must be started temporarily in the installer environment so that scp on a client host can retrieve it.

Type the following command below to generate the SSH host keys.

Type the following command below to create the /etc/ssh/sshd_config file.

Type the following command below to edit the /etc/ssh/sshd_config file.

To edit the file, press the Insert key and use the arrow keys to navigate to sections of the file that need editing.

On line one, change Port 22 to a random port of your choice between 1025 and 65535 (example: Port 25782).

Scroll down to line number thirteen, press the End key and press the Enter key.

On the next line, add HostKey /etc/ssh/ssh_host_ed25519_key and press the Enter key.

On the next line, add HostKey /etc/ssh/ssh_host_rsa_key and press the Enter key.

Press the Esc key, type :wq and press the Enter key to save the file.

The default network interface eth0 needs an IP address. Type the following command below to assign the IP address listed for your instance to the eth0 network interface.

Type the following command to display the assigned IP address. The IP address will be listed immediately after inet and before netmask. (Example: inet 192.0.2.1 netmask)

Type the following command to start the SSH server.

If using the scp command from a command line on a client machine, use the following command below as a template to retrieve the /tmp/luks-header-backup.img file. Replace 25782 with the actual port number assigned in the /etc/ssh/sshd_config. Replace 192.0.2.1 with the actual assigned IP address.

After the retrieval of luks-header-backup.img file, immediately kill the SSH server by typing the command below in the noVNC console window.

Open the LUKS partition in order to set up the LVM physical volume that will reside inside.

Input the passphrase created earlier to open the LUKS partition when prompted, then press the Enter key.

Enter passphrase for /dev/vda3: strong-password

Type the following command below:

The listing of /dev/mapper will contain entries named centos, control, live-base and live-rw. centos is the opened LUKS container.

Type the following command below to create the LVM physical volume.

When successful, you will receive the following message:

Type the following command below to create the LVM volume group.

When successful, you will receive the following message:

Type the following command below to create a LVM logical volume for a swap partition. Use sound judgment to create a swap partition, of the necessary size (-L = size of the volume), based on your VPS instance.

When successful, you will receive the following message:

Type the following command below to create a LVM logical volume for the root partition. This will use the remaining free space while reserving five percent (5%) to contain LVM snapshots of your logical volumes if you so choose.

When successful, you will receive the following message:

Display the LVM physical volume.

You will see text in the noVNC console similar to what is pictured in the image below.

Display the LVM volume group.

You will see text in the noVNC console similar to what is pictured in the image below.

Display the LVM logical volume(s).

You will see text in the noVNC console similar to what is pictured in the image below.

Type the following command below to deactivate the LVM volume group. This must be completed in order to allow cryptsetup to close the LUKS partition in the next step.

When successful, you will receive the following message:

Close the LUKS volume.

Type the following command below:

It will now contain only control, live-base and live-rw. The centos entry, which was the opened LUKS container, is gone, confirming that it was closed properly.

Type reboot and press the Enter key to reboot.

Step 4: Start The CentOS 7 GUI Mode Installer

Select the Install CentOS Linux 7 option and press the Enter key.

The VPS will now boot into the GUI mode CentOS installer. You will see a screen in the noVNC console like the one pictured in the image below.

On the WELCOME TO CENTOS 7 screen, click the blue Continue button (1).

Attention If you're not using the default language of English and the locale of the United States, input your language in the search bar (1). Click on the language (2) and the appropriate locale (3) associated with it. When satisfied, click the blue Continue button (4).

On the INSTALLATION SUMMARY screen, click on INSTALLATION DESTINATION (Automatic partitioning selected) (1) under SYSTEM.

On the INSTALLATION DESTINATION screen, select the I will configure partitioning (1) option under Other Storage Options (Partitioning) and click the blue Done button (2) at the top left of the screen.

On the MANUAL PARTITIONING screen, click on the Unknown expandable accordion (1). It will reveal three partitions named BIOS Boot (vda1), Unknown (vda2) and Encrypted (LUKS) (vda3).

With the BIOS Boot partition highlighted in blue (1), select the checkbox option of Reformat (2) next to the File System: accordion and click the Update Settings button (3).

Click on the Unknown partition (1) so that it is highlighted in blue. Select the checkbox option of Reformat (2) next to the File System: accordion. Select ext2 in the File System: accordion (3), enter /boot in the text field (4) under Mount Point:, enter boot in the text field (5) under Label: and click the Update Settings button (6).

Click on the Encrypted (LUKS) partition (1) so that it is highlighted in blue. Enter the passphrase you created for LUKS partition in Step 3: Setup LVM On LUKS Full Disk Encryption in the Passphrase: text field (2) and click the Unlock button (3).

A new Unknown expandable accordion (1) will appear. It will reveal two partitions named Unknown (ssd-root) and Unknown (ssd-swap).

With the Unknown (ssd-root) partition (1) highlighted in blue, select the checkbox option of Reformat (2) next to the File System: accordion. Select xfs in the File System: accordion (3), enter / in the text field (4) under Mount Point:, enter root in the text field (5) under Label: and click the Update Settings button (6).

Click on the Unknown (ssd-swap) (1) partition so that it is highlighted in blue. Select the checkbox option of Reformat (2) next to the File System: accordion. Select swap in the File System: accordion (3), enter swap in the text field (4) under Label: and click the Update Settings button (5).

Click the blue Done button (1) at the top left of the screen.

A box named SUMMARY OF CHANGES will pop up. Click the Accept Changes button (1). This will bring you back to the INSTALLATION SUMMARY screen.

Click on NETWORK & HOST NAME (Not connected) (1) under SYSTEM.

On the NETWORK & HOST NAME screen, move the slider (1) to the right of the Ethernet (eth0) field from the OFF position to the ON position. If you want a custom hostname instead of the default (192.0.2.1.vultr.com), change it in the Host name: text box (2). Click the blue Done button (3) at the top left of the screen. This will bring you back to the INSTALLATION SUMMARY screen.

When you are satisfied with the options on the INSTALLATION SUMMARY screen, click the blue Begin Installation button (1).

On the CONFIGURATION screen, click on ROOT PASSWORD (Root password is not set) (1) under USER SETTINGS.

On the ROOT PASSWORD screen, enter a strong password in both the Root Password: (1) and Confirm: (2) text fields. Click the blue Done button (3) at the top left of the screen. This will bring you back to the CONFIGURATION screen.

On the CONFIGURATION screen, click on USER CREATION (No user will be created) (1) under USER SETTINGS.

On the CREATE USER screen, enter your full name in the Full name text field (1), an username in the User name text field (2), a strong password in both the Password (3) and Confirm password (4) text fields. Click on the Advanced... button (5).

A box named ADVANCED USER CONFIGURATION will pop up. In the Add user to the following groups: text field (1) under Group Membership, enter wheel and click the Save Changes button (2).

Click the blue Done button (1) at the top left of the screen.

The post-installation process will now commence. It will take a few minutes to complete. When it is finished, click on the blue Reboot button (1) to reboot your VPS instance.

Navigate back to the Vultr Server Management screen. Click on the Settings link at the top. Click on Custom ISO in the menu on the left side. On the Custom ISO page, click on the Remove ISO button to unmount the ISO and reboot into your CentOS 7 VPS instance. Click the OK button when prompted and the VPS instance will reboot.

Navigate back to the View Console window to access the VPS instance via the noVNC console. Refresh the window if noVNC has disconnected.

You will be prompted to enter the passphrase (Example: Please enter passphrase for disk primary (luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)!:) you created for LUKS partition in Step 3: Setup LVM On LUKS Full Disk Encryption. Enter the passphrase and press the Enter key.

You will then be presented with the console login prompt. You can now close the noVNC console window.

Step 5: Update The System

Log in via SSH with a regular user and update the system as follows.

Step 6: Install Dracut-Crypt-SSH

While still logged in as a regular user, type the following commands below to install dracut-crypt-ssh.


Type the following command below to install the nano editor to ease editing of files.

You will need to edit the default grub file located in /etc/default/grub.

Insert rd.neednet=1 ip=dhcp between GRUB_CMDLINE_LINUX="crashkernel=auto and rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, so that the initramfs brings up networking (rd.neednet=1) and obtains an address by DHCP (ip=dhcp) before it asks for the passphrase.

Save the file by entering the following keyboard combinations. Press the Ctrl + x keys, press the y key and press the Enter key.

Regenerate your GRUB configuration file by typing the command below.

Backup the original /etc/dracut.conf.d/crypt-ssh.conf by typing the following command below.


Create a new /etc/dracut.conf.d/crypt-ssh.conf file by typing the following command below.

Copy and paste the following text below into the nano editor.

Create the directory keys under /etc/dropbear/, with the necessary directory permissions, that will hold the authorized_keys, ssh_ecdsa_key and ssh_rsa_key files.

Generate the ssh_ecdsa_key and ssh_rsa_key host key files with ssh-keygen by typing the following commands. Press the Enter key twice for each command when prompted for a passphrase: dropbear has to load these keys unattended at boot, so they must be unencrypted.

Change the file permissions on ssh_ecdsa_key, ssh_ecdsa_key.pub, ssh_rsa_key and ssh_rsa_key.pub by typing the command below.

Generate public keys using the How Do I Generate SSH Keys? tutorial, found at the beginning of the tutorial under Prerequisites, for your prospective client operating system.

Copy and paste all the text in the public key into the /etc/dropbear/keys/authorized_keys file using the nano program by typing the command below.

The initramfs must be built now, and rebuilt after every later change to the dracut-crypt-ssh configuration or to the files under /etc/dropbear/keys. Type the following command for the initial build.

Once that's complete, your CentOS 7 install is set up to listen for your SSH client to connect and allow you to unlock the LUKS partition using your passphrase. You may now reboot your CentOS 7 instance by typing the command below.
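The two file edits in this step are easy to get subtly wrong (a typo in the kernel command line means the initramfs never brings the network up, and a key directory left group-readable ends up in the initramfs that way). The script below is an added example, not part of the original tutorial or of dracut-crypt-ssh: it makes the grub edit idempotently and fails loudly if the expected rd.luks.uuid= entry is absent, and it tightens /etc/dropbear/keys. The ROOT argument is an assumption so the functions can be exercised on a scratch directory first; on the real system it is /. The scratch /etc/default/grub and the public key line it writes are constructed.

```bash
#!/usr/bin/env bash
# prep_remote_unlock.sh: the two file edits Step 6 asks for, done idempotently.
# Added example for this page, not from the original tutorial or from dracut-crypt-ssh.
# ROOT is an assumed prefix ("/" on the real system) so the script can be tried on a
# scratch directory first.

# add_initrd_net ROOT
#   Inserts "rd.neednet=1 ip=dhcp" into GRUB_CMDLINE_LINUX in ROOT/etc/default/grub,
#   right before rd.luks.uuid=..., unless it is already there. Returns 1 when the
#   expected line is not found, so nothing is changed silently.
add_initrd_net() {
    local grub="$1/etc/default/grub"
    [ -f "$grub" ] || { echo "missing $grub" >&2; return 1; }
    if grep -q '^GRUB_CMDLINE_LINUX=.*rd\.neednet=1' "$grub"; then
        return 0                                   # already done
    fi
    sed -i 's/^\(GRUB_CMDLINE_LINUX=".*\)\(rd\.luks\.uuid=\)/\1rd.neednet=1 ip=dhcp \2/' "$grub"
    grep -q '^GRUB_CMDLINE_LINUX=".*rd\.neednet=1 ip=dhcp rd\.luks\.uuid=' "$grub"
}

# secure_dropbear_keys ROOT
#   Makes ROOT/etc/dropbear/keys private (0700), every file in it 0600, and checks that
#   authorized_keys exists and is not empty. These files are copied into the initramfs,
#   which lives on the unencrypted /boot partition: only public keys and the dropbear
#   host keys belong here, never a LUKS keyfile.
secure_dropbear_keys() {
    local dir="$1/etc/dropbear/keys"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    find "$dir" -type f -exec chmod 0600 {} +
    if [ ! -s "$dir/authorized_keys" ]; then
        echo "$dir/authorized_keys is missing or empty; nobody could log in to unlock" >&2
        return 1
    fi
}

# make_scratch_root DIR
#   Constructed stand-in for a freshly installed system: the grub default file this
#   tutorial produces (placeholder UUID, volume group "ssd") and a dropbear key
#   directory created with the loose permissions a default umask gives.
make_scratch_root() {
    mkdir -p "$1/etc/default" "$1/etc/dropbear/keys"
    cat > "$1/etc/default/grub" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rd.lvm.lv=ssd/root rd.lvm.lv=ssd/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
    chmod 0755 "$1/etc/dropbear/keys"
    # constructed public key line, not a real key
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealAAAAAAAAAAAAAAA admin@laptop\n' \
        > "$1/etc/dropbear/keys/authorized_keys"
    chmod 0644 "$1/etc/dropbear/keys/authorized_keys"
}

# Stand-alone use on the real system (then regenerate grub.cfg and rebuild the initramfs
# as the tutorial describes):   sudo bash prep_remote_unlock.sh /
if [ $# -gt 0 ]; then
    add_initrd_net "$1" && secure_dropbear_keys "$1"
fi
```

Because the dropbear host keys are separate from the installed system's OpenSSH host keys, your client will see two different host identities for the same IP address; running dropbear on its own port keeps them apart in known_hosts (OpenSSH stores non-22 entries as [host]:port) instead of producing a host key mismatch warning on every boot.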

On your client systems, refer to sections 3.3. Unlocking the volumes interactively and 3.4. Unlocking using the unlock command of the Dracut-Crypt-SSH GitHub page to either force a passphrase prompt or use the unlock command to open your LUKS partition from your SSH client.

I am a new RHEL 8 server sysadmin. How do I configure SSH public key-based authentication for RHEL (Red Hat Enterprise Linux) 8 server?
Introduction – SSH is an acronym for Secure Shell. It is a cryptographic network protocol that lets users log in and transfer files securely over an insecure network such as the Internet. OpenSSH is the SSH implementation shipped with RHEL 8. You can log in with a RHEL 8 user account and password, but the OpenSSH project recommends logging in with a public/private SSH key pair instead.

Sample set up for our RHEL 8 server


Where,

  • You generate a key pair on your Linux/Unix/macOS desktop.
  • You place the public key on the RHEL 8 server.
  • The ssh command proves possession of the private key stored on your desktop.
  • When the private key matches a public key in the server's authorized_keys, you log in without a password.

How do I set up SSH keys on RHEL 8 server?

The procedure to set up an SSH key on a Red Hat Enterprise Linux 8 server:

  1. On your local desktop type:
    ssh-keygen
  2. Install public key into remote RHEL 8 server using:
    ssh-copy-id user@remote-RHEL8-server-ip
  3. Use ssh for password less login:
    ssh user@remote-RHEL8-server-ip


Let us see all commands and steps in details.

How to create the ed25519 or RSA key pair

The syntax is:
ssh-keygen -t ed25519
ssh-keygen -t rsa
ssh-keygen -t rsa -b 4096 -f ~/.ssh/aws-lighsail.key -C 'My AWS SSH Keys'
ssh-keygen -t ed25519 -f ~/.ssh/linode-usa-www1-vps.key -C 'My Linode SSH Keys for www'

Where,

  • -t rsa OR -t ed25519 : Specifies the type of key to create. Possible values are dsa, ecdsa, ed25519 and rsa (SSH protocol version 2). Prefer ed25519, or rsa with 4096 bits; avoid dsa, which current OpenSSH no longer accepts by default.
  • -b 4096 : Specifies the number of bits in the key. Meaningful for rsa; ed25519 keys have a fixed size.
  • -f ~/.ssh/aws-lighsail.key : Specifies the filename of the private key file. The public key is written beside it with a .pub suffix.
  • -C 'My AWS SSH Keys' : Sets the comment stored in the public key.

I am going to type the following command on my Ubuntu desktop to create the key pair:
$ ssh-keygen -t ed25519
I strongly recommend that you set up a passphrase when prompted.


How to copy the public key

Now our key pair is generated and stored in the ~/.ssh/ directory. You must copy the public key file, ~/.ssh/id_ed25519.pub (or ~/.ssh/id_rsa.pub if you created an RSA key), to the RHEL 8 server. Try the ssh-copy-id command as follows:
$ ssh-copy-id -i ~/.ssh/fileNameHere.pub user@remote-RHEL8-server-ip
For example:
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub vivek@192.168.2.211

How to log in using ssh and without a password

Now try logging into the machine, with the ssh command as follows:
$ ssh user@rhel-8-server
$ ssh vivek@192.168.2.211

You should be able to log in without a password. If you set up a passphrase, unlock it as follows for your current session so that you don’t have to enter it every time you run ssh, sftp, scp, rsync and other commands:
$ ssh-agent $SHELL
$ ssh-add
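When key login still falls back to a password after ssh-copy-id, the cause is almost always on the server side: with StrictModes (the default) sshd silently ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by group or others, and a key that was pasted by hand is often wrapped, truncated or is the private key. The following script is an added example (not part of the original article) that checks both. The HOME_DIR parameter is an assumption so it can run on a scratch directory; the constructed home it builds uses fake key strings. The base64 prefixes it expects are fixed by the SSH wire format, which starts every public key blob with the key type name.

```bash
#!/usr/bin/env bash
# check_authorized_keys.sh: why "I copied the key but it still asks for a password".
# Added example for this page. HOME_DIR is a parameter so it can be run against a scratch
# directory; on the server pass the user's real home (e.g. /home/vivek).

# ssh_layout_ok HOME_DIR
#   With StrictModes yes (the default) sshd ignores authorized_keys when HOME_DIR,
#   HOME_DIR/.ssh or the file itself is writable by group or others. Prints every
#   offending path and returns 1. (Ownership is not checked here.)
ssh_layout_ok() {
    local home="$1" p mode tail rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        mode=$(stat -c %a "$p")
        tail=${mode#"${mode%??}"}          # group and other digits, e.g. 775 -> 75
        case "$tail" in
            [2367]?|?[2367]) echo "group/other writable ($mode): $p"; rc=1 ;;
        esac
    done
    return $rc
}

# fix_ssh_layout HOME_DIR   - the permissions ssh-copy-id would have set
fix_ssh_layout() {
    chmod go-w "$1"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# authorized_keys_ok FILE
#   Validates each entry: optional options field, a supported key type, base64 key data,
#   and key data whose decoded blob starts with that same type (the wire format embeds
#   the type name, which base64-encodes to a fixed prefix). Catches pasted private keys,
#   wrapped lines and a type word that was edited by hand.
authorized_keys_ok() {
    awk '
        BEGIN {
            want["ssh-ed25519"]         = "AAAAC3NzaC1lZDI1NTE5"
            want["ssh-rsa"]             = "AAAAB3NzaC1yc2E"
            want["ecdsa-sha2-nistp256"] = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY"
        }
        NF == 0 || $1 ~ /^#/ { next }
        /PRIVATE KEY/ { print "line " NR ": this is a PRIVATE key, remove it and re-copy the .pub file"; bad = 1; next }
        {
            t = 1
            if (!($1 in want) && ($2 in want)) t = 2     # options field first, e.g. from="..."
            type = $t; data = $(t + 1)
        }
        !(type in want) { print "line " NR ": unknown key type \"" type "\" (wrapped line?)"; bad = 1; next }
        data !~ /^[A-Za-z0-9+\/]+=*$/ { print "line " NR ": key data is not base64"; bad = 1; next }
        index(data, want[type]) != 1 { print "line " NR ": key data is not a " type " key"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# make_scratch_home DIR
#   Constructed home directory with the classic mistake: .ssh created group-writable.
#   The key strings are fake.
make_scratch_home() {
    mkdir -p "$1/.ssh"
    chmod 775 "$1/.ssh"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
# keys for vivek (constructed examples, not real keys)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealAAAAAAAAAAAAAAA vivek@desktop
from="192.168.2.0/24",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedRsaKeyNotRealAAAAAAAAAAAAAAAAAAAAAA vivek@laptop
EOF
    chmod 644 "$1/.ssh/authorized_keys"
}

# Stand-alone use on the server: bash check_authorized_keys.sh /home/vivek
if [ $# -gt 0 ]; then
    ssh_layout_ok "$1" && authorized_keys_ok "$1/.ssh/authorized_keys" && echo "ok: key login should work"
fi
```

If both checks pass and login still asks for a password, run ssh -v on the client to see which key is offered, and check /var/log/secure (or journalctl -u sshd) on the server, which names the exact file or directory it refused.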

Optional settings for root user

Disable root login over ssh altogether on RHEL 8. First log in as root and run the following to add a user named vivek to the wheel group, so that you keep an administrative path once root can no longer log in:
# usermod -aG wheel vivek
# id vivek

Members of the wheel group can use the sudo command to run any command on the RHEL 8 server. Next, disable root login by adding the following line to sshd_config:
# vi /etc/ssh/sshd_config
Then disable password authentication so that only key-based login is accepted:


Save and close the file. Reload the ssh server:
# systemctl reload sshd.service
For more info see “Top 20 OpenSSH Server Best Security Practices“.
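A detail that bites people editing sshd_config by hand: sshd uses the first active occurrence of a directive, and everything after a Match line applies only to that block. Appending PermitRootLogin no to the end of a file that already says PermitRootLogin yes therefore changes nothing, and a value placed after a Match block never becomes global. The script below is an added example (not the article's text) that sets the standard key-only directives the way sshd reads them and then reports the values that will actually take effect. The sample configuration it writes is constructed. It assumes the whitespace-separated "Keyword value" form; the rarer "Keyword=value" form is not parsed.

```bash
#!/usr/bin/env bash
# sshd_harden.sh: set sshd_config directives the way sshd actually reads them.
# sshd takes the FIRST active occurrence of a directive, and anything after a "Match"
# line applies only to that block. Added example for this page; the directive set is the
# usual key-only hardening, not text from the original article.

# sshd_effective CONF DIRECTIVE  -> prints the global value sshd will use, or nothing
sshd_effective() {
    awk -v d="$2" '
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == tolower(d) { print $2; exit }    # first active occurrence wins
    ' "$1"
}

# sshd_set CONF DIRECTIVE VALUE
#   Comments out every active global occurrence and inserts the directive on line 1,
#   where it is guaranteed to be the first match. Match blocks are left untouched.
#   Writes through `cat >` so the file keeps its owner, mode and SELinux label.
sshd_set() {
    local conf="$1" tmp
    tmp=$(mktemp)
    awk -v d="$2" -v v="$3" '
        NR == 1 { print d " " v }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(d) { print "#" $0 "   # replaced by sshd_set"; next }
        { print }
        END { if (NR == 0) print d " " v }              # empty file
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# sshd_harden CONF   - keys only, no root login, no password fallback through PAM
sshd_harden() {
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    # with UsePAM, keyboard-interactive can still prompt for a password unless this is off
    sshd_set "$1" ChallengeResponseAuthentication no
    sshd_set "$1" PermitRootLogin no
}

# write_sample_sshd_config FILE   - constructed sshd_config with the usual traps
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server configuration
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding no

Match User backup
    PasswordAuthentication yes
    PermitRootLogin no
EOF
}

# Stand-alone use: harden a copy, validate it, then install it and reload sshd.
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   bash sshd_harden.sh /tmp/sshd_config.new && sshd -t -f /tmp/sshd_config.new
if [ $# -gt 0 ]; then
    sshd_harden "$1"
    for d in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication PubkeyAuthentication; do
        echo "$d -> $(sshd_effective "$1" "$d")"
    done
fi
```

Always run sshd -t against the new file before reloading, and keep your current session open while you test a fresh login from a second terminal: once PasswordAuthentication is off, a mistake in authorized_keys locks you out of the server.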

Conclusion

You learned how to set up and use SSH keys to manage your RHEL 8 based server. For more information, see the OpenSSH man pages.
