    Error decrypting LUKS partition prior to capture/imaging

FOG Problems (Solved) · 44 Posts · 5 Posters · 11.9k Views

• george1421 Moderator @humoss233

      @humoss233 Hmm… pass-o-words…

      How about an encrypted password passed as a kernel parameter to FOS Linux bzImage, then in your postinit script decode the password using local seed (same one used to encrypt the password).

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

• humoss233 @george1421

        @george1421 that’s a good idea - I’ve been researching it, but it looks like openssl is not available in FOS. Is there another way available to decrypt a given cipher?

• george1421 Moderator @humoss233

@humoss233 I don’t know off the top of my head if base64 is part of FOS Linux or not. But that would be one option.

Update: Base64 is part of FOS Linux, but, looking a bit deeper into it, I don’t think that is the tool to use.

• george1421 Moderator @humoss233

            @humoss233 I’m rebuilding the inits with openssl included. This is only half of the issue if the kernel doesn’t have openssl enabled. We’ll see one step at a time.

            Edit: Wait, I just remembered that we built a custom kernel for the LUKS bits, so I can add it if needed since you are already running a custom kernel.

• Tom Elliott @george1421

@george1421 OpenSSL is already built into the inits; that’s how we can do SSH sessions!

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

• george1421 Moderator @Tom Elliott

@Tom-Elliott Interesting, the openssl application doesn’t seem to be in my USB boot. I think the SSL libraries have to be there for SSH. Let me search the inits. I may have just totally missed it when I checked.

• humoss233 @george1421

                  @george1421 thanks for looking into this!

                  By the way, here is a simple initial stab at a postinit script for folks using LUKS with FOG in the future. It tries to decrypt all partitions and then links the decrypted partitions in the cases of successful decryption. It currently uses a plaintext PASSWORD in the script, but hopefully we can switch this out for an encrypted password passed as a kernel parameter.

# try every candidate block device; cryptsetup reads the passphrase from stdin (-d -)
for i in /dev/sd* /dev/nvme* /dev/md*; do
    echo -n PASSWORD | cryptsetup luksOpen "$i" "$(basename "$i")_crypt" -d -
    # luksOpen only creates the mapper node when the passphrase worked, so test for it
    if [ -e "/dev/mapper/$(basename "$i")_crypt" ]; then
        # replace the raw device node with a link to the decrypted mapping
        rm "$i"
        ln -s "/dev/mapper/$(basename "$i")_crypt" "$i"
    fi
done
# FOG's funcs.sh re-reads partition tables with blockdev; swap in partprobe
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh
                  
• george1421 Moderator @humoss233

                    @humoss233 Here are the inits that should have openssl application. For full disclosure I haven’t tested them myself yet, I ran out of time today. I’ll load it onto my usb stick in the morning USA time. But if you want to try to see if it works: https://drive.google.com/open?id=1OnVpqqGnFkVkS19B4OwNxP2FMoyustwT

                    You will just download them as initCrypt.xz and save it in /var/www/html/fog/service/ipxe directory. Then go into the host definition and add into the init field initCrypt.xz. As I said I don’t know if it will boot correctly (it should) but it also should have the openssl executable installed.

• humoss233 @george1421

                      @george1421 getting error message below

[screenshot of the error message; image not reproduced]

• george1421 Moderator @humoss233

                        @humoss233 It almost sounds like you are running an older version of FOG and your ram disk size is not 275000. What version of FOG are you using?

• humoss233 @george1421

                          @george1421 I run 1.5.5 because that’s the latest available as a docker container (https://github.com/Mudislander/fogproject).

                          I changed KERNEL RAMDISK SIZE to 275000 and it now works - thanks! I successfully decrypted and encrypted a sample file using the following commands.

                          openssl aes-256-cbc -a -salt -pass pass:PASSWORD -in sample.txt -out sample.txt.enc
                          openssl aes-256-cbc -d -a -pass pass:PASSWORD -in sample.txt.enc -out sample.txt.new

                          Is the best way for the postinit script to access kernel parameters to parse /proc/cmdline?

• george1421 Moderator @humoss233

                            @humoss233 To access kernel parameters you can surely use the /proc/cmdline but also when the master FOG script starts to run it converts the kernel parameters into bash variables. So if you set a kernel parameter of foobar=XXXYTVBZ when the master FOG script starts it will create a variable called $foobar with the value set to XXXYTVBZ.

                            Version 1.5.5 may be close enough to 1.5.7 (init base I built against) so that there won’t be any problems. You might run into a problem because at 1.5.6 the name of the fog (linux) service account changed from fog to fogproject. You might need to create a linux user on the FOG server called fogproject and set the password to the password found in the hidden file /opt/fog/.fogsettings file. You will know there is an issue upon upload, once all of the files are uploaded you will see a ftp error and then another error about updating the database. But first things first, you need to get the password encrypted and then integrated into your code.

• Sebastian Roth Moderator

                              @humoss233 said in Error decrypting LUKS partition prior to capture/imaging:

                              I run 1.5.5 because that’s the latest available as a docker container (https://github.com/Mudislander/fogproject).

                              Do you know the person creating this? Would be interesting to know why 1.5.5 was used and not updated since.

• Tom Elliott @Sebastian Roth

@Sebastian-Roth To add on, 1.2.0 container to 1.5.7 container should still work too. The version the docker has may have 1.5.5, but I’m 99% sure that you can still upgrade it to 1.5.7.

• humoss233 @george1421

                                  @george1421 mostly figured out the script, but having trouble getting it to run. I’m following your guide here (https://forums.fogproject.org/topic/9463/fog-postinit-scripts-before-the-magic-begins/) but getting this error:

[screenshot of the error message; image not reproduced]

                                  /images/dev/fog.postinit:

#!/bin/bash

# source the selector script from the postinit directory FOG exports as $postinitpath
. "$postinitpath/fog.ACME.selector"

/images/dev/fog.ACME.selector contains the script from your post and executes the decryption script if the machine type matches.

                                  Here’s the actual decryption script in a separate file:

#!/bin/bash

# only needed if using intel raid:
mdadm /dev/md126

# $pass_enc is the kernel parameter of the same name (the FOG master script exports it as a variable);
# decrypt it with the local key baked into this script
pass_dec=$(echo "$pass_enc" | openssl enc -base64 -d -aes-256-cbc -nosalt -pbkdf2 -pass pass:LOCALKEY)

# try every candidate block device; cryptsetup reads the passphrase from stdin (-d -)
for i in /dev/sd* /dev/nvme* /dev/md*; do
    echo -n "$pass_dec" | cryptsetup luksOpen "$i" "$(basename "$i")_crypt" -d -
    # the mapper node only exists when the passphrase worked
    if [ -e "/dev/mapper/$(basename "$i")_crypt" ]; then
        rm "$i"
        ln -s "/dev/mapper/$(basename "$i")_crypt" "$i"
    fi
done

sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh
                                  

                                  One would generate the encrypted key using echo 'MY_DECRYPTED_PASS' | openssl enc -base64 -e -aes-256-cbc -nosalt -pbkdf2 -pass pass:LOCALKEY and pass this in the “pass_enc” kernel parameter

                                  @Sebastian-Roth don’t know the docker creator but his github is https://github.com/Mudislander/fogproject

• Sebastian Roth Moderator

                                    @humoss233 The error in the picture you posted is most likely due to the file being created on Windows using \r\n line endings. Convert the file to Linux file endings \r and it shouldn’t throw that error again.

                                    Plus I see a difference in the paths: /imagesinit/... vs /images/...
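As an added example (not code from this thread or from FOG), here is a small check for the line-ending problem described above: a postinit file saved with Windows CR LF endings carries a "\r" at the end of its shebang line, so the interpreter the kernel looks for is "bash\r", and sourcing the rest of the file can fail on the stray characters as well. The functions below count the carriage returns in a file, refuse a script that has any, and strip them in place the way dos2unix would. The sample file content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: detect and strip CR LF line endings from a
# postinit script before FOS sources it.  Only coreutils are needed.

# count_cr FILE -> prints the number of carriage-return bytes in FILE (0 for a clean file).
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# strip_cr FILE -> rewrites FILE in place with every CR removed (what dos2unix does).
strip_cr() {
    _tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# check_script FILE -> returns 0 if FILE has Unix line endings, 1 (with a message) otherwise.
check_script() {
    if [ "$(count_cr "$1")" -ne 0 ]; then
        echo "$1: has CR LF line endings; run strip_cr or dos2unix on it" >&2
        return 1
    fi
    return 0
}

# make_sample FILE -> writes a constructed postinit file with Windows line endings into FILE.
make_sample() {
    printf '#!/bin/bash\r\n. $postinitpath/fog.ACME.selector\r\n' > "$1"
}

# Stand-alone run: build the sample, show the problem, fix it, show it is gone.
if [ "${DEMO:-0}" = 1 ]; then
    f=$(mktemp)
    make_sample "$f"
    check_script "$f" || strip_cr "$f"
    check_script "$f" && echo "$f: clean after strip_cr ($(count_cr "$f") CR bytes left)"
    rm -f "$f"
fi
```

Run it with DEMO=1 to see the before/after, or drop check_script into whatever copies postinit files into /images so a CR LF file is rejected before a client boots against it.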

• humoss233 @Sebastian Roth

@Sebastian-Roth Thanks! Changing the line endings fixed the error, and the difference in paths doesn’t seem to be an issue.

                                      I had to repad the base64 string as trailing ='s can’t be passed in the kernel parameter (they are ignored). Here’s the final result:

#!/bin/bash

# REF: https://gist.github.com/catwell/3046205
# restore the trailing '=' padding that the kernel command line strips from the base64 value
function repad {
  _l=$((${#1} % 4))
  if [ $_l -eq 2 ]; then _s="$1"'=='
  elif [ $_l -eq 3 ]; then _s="$1"'='
  else _s="$1" ; fi
  echo -n "$_s"
}

# $pass is the 'pass' kernel parameter, exported as a variable by the FOG master script
pass_dec=$(echo -n "$(repad "$pass")" | base64 -d | openssl enc -d -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt)

for i in /dev/sd* /dev/nvme* /dev/md*; do
    # errors from devices that are not LUKS containers are expected, so silence them
    echo -n "$pass_dec" | cryptsetup luksOpen "$i" "$(basename "$i")_crypt" -d - 2> /dev/null
    if [ -e "/dev/mapper/$(basename "$i")_crypt" ]; then
        rm "$i"
        ln -s "/dev/mapper/$(basename "$i")_crypt" "$i"
        echo "Decrypted $i"
    fi
done
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh
                                      

                                      Generate the encrypted pass using echo -n 'MY_LUKS_PASSWORD' | openssl enc -base64 -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt and pass the result into a pass kernel parameter

                                      Thanks again @george1421 and @Sebastian-Roth for all your help in making this work
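As an added example (not code from this thread or from FOG), the following script covers two points from the posts above: the question of reading kernel parameters from /proc/cmdline, and the padding fix in the final script. It looks up one named parameter from a command line, restores the '=' padding the kernel strips, and base64-decodes the value. The openssl step from the thread is left out so it runs with coreutils only; the decoded bytes are what that step would consume. The sample command line, the fog.example.test host and the DEMO switch are constructed, and the foobar=XXXYTVBZ parameter is the one george1421 used as an illustration.

```shell
#!/bin/sh
# Added example, not code from this thread or from FOG.  Reads a boot parameter the
# way a postinit script would see it in /proc/cmdline, restores the base64 padding the
# kernel command line strips, and decodes it.

# Constructed stand-in for /proc/cmdline (a real FOS line carries more parameters).
SAMPLE_CMDLINE='initrd=initCrypt.xz root=/dev/ram0 rw ramdisk_size=275000 web=http://fog.example.test/fog/ pass=aGVsbG8 foobar=XXXYTVBZ'

# cmdline_get NAME CMDLINE -> prints the value of NAME; returns 1 if NAME is absent.
# Looking up only the names the script needs, instead of turning every parameter into
# a shell variable, means a stray parameter cannot clobber PATH or the script's own names.
cmdline_get() {
    _name=$1; _line=$2; _found=1
    set -f                                  # no globbing while the line is word-split
    for _tok in $_line; do
        case $_tok in
            "$_name"=*) printf '%s' "${_tok#*=}"; _found=0; break ;;
        esac
    done
    set +f
    return $_found
}

# repad B64 -> B64 with trailing '=' padding restored (base64 length is a multiple of 4).
repad() {
    case $(( ${#1} % 4 )) in
        2) printf '%s==' "$1" ;;
        3) printf '%s=' "$1" ;;
        *) printf '%s' "$1" ;;
    esac
}

# read_pass CMDLINE -> decoded bytes of the 'pass' parameter; returns 1 if it is missing.
# Pipe this straight into cryptsetup (or openssl) rather than keeping it in a variable.
read_pass() {
    _b64=$(cmdline_get pass "$1") || return 1
    repad "$_b64" | base64 -d
}

# Stand-alone run over the constructed line; the decoded secret is never printed.
if [ "${DEMO:-0}" = 1 ]; then
    printf 'web    = %s\n' "$(cmdline_get web "$SAMPLE_CMDLINE")"
    printf 'pass   = %s -> %s\n' "$(cmdline_get pass "$SAMPLE_CMDLINE")" "$(repad "$(cmdline_get pass "$SAMPLE_CMDLINE")")"
    printf 'decoded length = %s bytes\n' "$(read_pass "$SAMPLE_CMDLINE" | wc -c | tr -d ' ')"
fi
```

On a real FOS client the same functions work on "$(cat /proc/cmdline)"; the lookup by name is what makes the script indifferent to whatever other parameters the boot line carries.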

• george1421 Moderator @humoss233

                                        @humoss233 First let me say well done!

I have just a few comments. The /r/n issue can be addressed if you want to develop your code on Windows: use Notepad++, it’s a much better cross-platform text editor. Also, if you develop code on Windows with an application such as Notepad, you can use a Linux utility called dos2unix to strip out these extra characters with a single command-line utility.

Your coding looks really good. You are doing several fairly advanced techniques. I’m going to post the diffs for both the kernel and the inits so that these changes don’t get lost with time. I may need to rebuild the kernel for another one-off issue and your changes will be lost if I don’t get this added into this thread. I’ll do that early next week. That will also give you or someone else the ability to recreate what has been done.

• humoss233 @george1421

@george1421 Sounds great re: adding, thanks again. I’m pretty new to Linux shell scripting, though I do a lot of Python work.

• george1421 Moderator

                                            Here are the patch files applied to both the kernel and inits to allow this type of encrypted file system.
                                            crypto.kernel.patch-1.5.7.txt
                                            openssl.init.patch-1.5.7.txt

                                            Copyright © 2012-2025 FOG Project