RE: Error decrypting LUKS partition prior to capture/imaging

@Sebastian-Roth clever hack! there was one more hurdle: blockdev --rereadpt in the runPartprobe function fails due to ioctl error on BLKRRPART: Device or resource busy because cryptsetup luksOpen appears to be locking the device. Luckily partprobe works fine, so I just replaced that part of the script. Here’s my final commands (the last line just shows that the line has been replaced successfully). After running fog, the decrypted partition/disk is successfully captured (with /dev/md126 as “Host Primary Disk”). 1 GB instead of 800 GB!

@Sebastian-Roth thanks! changing the line endings fixed the error and the difference in paths doesn’t seem to be an issue

I had to repad the base64 string as trailing ='s can’t be passed in the kernel parameter (they are ignored). Here’s the final result:

#!/bin/bash

# REF: https://gist.github.com/catwell/3046205
function repad {
  _l=$((${#1} % 4))
  if [ $_l -eq 2 ]; then _s="$1"'=='
  elif [ $_l -eq 3 ]; then _s="$1"'='
  else _s="$1" ; fi
  echo -n $_s
}

pass_dec=`echo -n $(repad $pass) | base64 -d | openssl enc -d -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt`

for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
    echo -n $pass_dec | cryptsetup luksOpen $i $(basename $i)_crypt  -d - 2> /dev/null
    if [ -e /dev/mapper/$(basename $i)_crypt ]; then
        rm $i
        ln -s /dev/mapper/$(basename $i)_crypt $i
        echo Decrypted $i
    fi
done
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh

Generate the encrypted pass using echo -n 'MY_LUKS_PASSWORD' | openssl enc -base64 -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt and pass the result into a pass kernel parameter

Thanks again @george1421 and @Sebastian-Roth for all your help in making this work

Doh - I actually didn’t realize the “Multiple Partition Image - Single Disk” could do a single partition! I just tried a capture using this and it seems to work fine - haven’t had a chance for a deploy yet. I guess since I foresee only rarely changing partition sizes, this option would work fine.

My settings below. I’m trying to only capture my /root partition that is 20 GB but FOG goes through “shrinking” each partition which takes forever because it is a 1 TB drive.

@george1421 sounds great re: adding - thanks again. I’m pretty new to linux shell scripting though I do a lot of Python work

@Sebastian-Roth thanks! changing the line endings fixed the error and the difference in paths doesn’t seem to be an issue

I had to repad the base64 string as trailing ='s can’t be passed in the kernel parameter (they are ignored). Here’s the final result:

#!/bin/bash

# REF: https://gist.github.com/catwell/3046205
function repad {
  _l=$((${#1} % 4))
  if [ $_l -eq 2 ]; then _s="$1"'=='
  elif [ $_l -eq 3 ]; then _s="$1"'='
  else _s="$1" ; fi
  echo -n $_s
}

pass_dec=`echo -n $(repad $pass) | base64 -d | openssl enc -d -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt`

for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
    echo -n $pass_dec | cryptsetup luksOpen $i $(basename $i)_crypt  -d - 2> /dev/null
    if [ -e /dev/mapper/$(basename $i)_crypt ]; then
        rm $i
        ln -s /dev/mapper/$(basename $i)_crypt $i
        echo Decrypted $i
    fi
done
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh

Generate the encrypted pass using echo -n 'MY_LUKS_PASSWORD' | openssl enc -base64 -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt and pass the result into a pass kernel parameter

Thanks again @george1421 and @Sebastian-Roth for all your help in making this work

@george1421 mostly figured out the script, but having trouble getting it to run. I’m following your guide here (https://forums.fogproject.org/topic/9463/fog-postinit-scripts-before-the-magic-begins/) but getting this error:

/images/dev/fog.postinit:

#!/bin/bash

. $postinitpath/fog.ACME.selector

/images/dev/fog.ACME.selector contains the script from your post and exeutes the decryption script if the machine type matches

Here’s the actual decryption script in a separate file:

#!/bin/bash

# only needed if using intel raid:
mdadm /dev/md126

pass_dec=`echo $pass_enc | openssl enc -base64 -d -aes-256-cbc -nosalt -pbkdf2 -pass pass:LOCALKEY`

for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
    echo -n $pass_dec | cryptsetup luksOpen $i $(basename $i)_crypt  -d -
    if [ -e /dev/mapper/$(basename $i)_crypt ]; then
        rm $i
        ln -s /dev/mapper/$(basename $i)_crypt $i
    fi
done

sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh

One would generate the encrypted key using echo 'MY_DECRYPTED_PASS' | openssl enc -base64 -e -aes-256-cbc -nosalt -pbkdf2 -pass pass:LOCALKEY and pass this in the “pass_enc” kernel parameter

@Sebastian-Roth don’t know the docker creator but his github is https://github.com/Mudislander/fogproject

@george1421 I run 1.5.5 because that’s the latest available as a docker container (https://github.com/Mudislander/fogproject).

I changed KERNEL RAMDISK SIZE to 275000 and it now works - thanks! I successfully decrypted and encrypted a sample file using the following commands.

openssl aes-256-cbc -a -salt -pass pass:PASSWORD -in sample.txt -out sample.txt.enc
openssl aes-256-cbc -d -a -pass pass:PASSWORD -in sample.txt.enc -out sample.txt.new

Is the best way for the postinit script to access kernel parameters to parse /proc/cmdline?

@george1421 getting error message below

@george1421 thanks for looking into this!

By the way, here is a simple initial stab at a postinit script for folks using LUKS with FOG in the future. It tries to decrypt all partitions and then links the decrypted partitions in the cases of successful decryption. It currently uses a plaintext PASSWORD in the script, but hopefully we can switch this out for an encrypted password passed as a kernel parameter.

for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
    echo -n PASSWORD | cryptsetup luksOpen $i $(basename $i)_crypt  -d -
    if [ -e /dev/mapper/$(basename $i)_crypt ]; then
        rm $i
        ln -s /dev/mapper/$(basename $i)_crypt $i
    fi
done
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh

@george1421 that’s a good idea - I’ve been researching it, but it looks like openssl is not available in FOS. Is there another way available to decrypt a given cipher?

@george1421 thanks for pointing me to the conf file! Changing the default option to the 2nd choice did the trick and now it boots straight to OS. I guess it got hung on the 1st choice.

Here is the line I changed from:
default_selection 1
to:
default_selection grubx64
in /var/www/html/fog/service/ipxe/refind.conf