Password vault with LUKS

Some organizations and companies have a problem keeping the passwords to their sensitive systems safe.
I mean passwords for privileged users (root, admin, etc.). Even small companies have big IT infrastructures with 10+ devices/systems that have administrative passwords (servers, switches, databases, etc.). You use those accounts maybe once every half year, so it's hard to remember all those user/password combinations.
Some people use the same password everywhere (which is not safe). Some use similar passwords derived from the system/device name or purpose (which is not safe either).
Some even write passwords down on those devices/servers :o. Some keep passwords in a network service (like a www page) protected only with base64-encoded password access (which can be sniffed easily).

The most common practice in security (recommended by specialists) is to keep each user/password pair written down in a separate envelope, locked up in a safe (safe deposit box).
Some companies even keep a log book for every envelope, where anyone who looks inside must log the entry (date, full name and purpose of the action).
This is good practice, but it's expensive and time consuming. Not every company has a safe (they should have a fireproof one, especially when they keep their precious backups in their own buildings), and buying one only for keeping passwords is not an option in most cases.

Why not create a digital vault to protect that sensitive data? I think this is a good idea and it can be done in 2 hours max.
You have to set up a LUKS-encrypted volume and put your data there.
Why LUKS? It uses AES-256 (still considered unbreakable - unless you work for the NSA), or you can use any kernel-supported encryption method; it uses the TKS1 key setup scheme and allows adding multiple keys for one encrypted volume.
So every person who needs access to the sensitive data can have his/her own key. It looks like "multiple" for LUKS means max. 8 keys. This should be enough even for larger IT departments :).
You need the package called cryptsetup in the majority of Linux distributions (LUKS works with MS Windows too).
To make the password vault portable I chose to put it into a file. You could also use a logical volume or even a partition.

First write some random data to our future vault file:

dd if=/dev/urandom of=./vault bs=1024 count=10240

This helps protect against some crypto attacks (though I think there is little chance of breaking into big LUKS volumes with a chosen-plaintext attack and knowledge of the filesystem structure used).
The command above creates a ~10MB file filled with random data. 10MB should be enough; LUKS takes more than 1MB for header information, so files smaller than 4MB shouldn't be used, because the filesystem takes some space too.
For bigger files or filling whole disks with random data I prefer using frandom. It's more than 10 times faster (it is able to saturate a single SATA drive) and some people consider it "more random".

Then create loop device from your file:

sudo losetup /dev/loop0 ./vault

Then format the created loop device /dev/loop0 as a LUKS volume with cryptsetup:

sudo cryptsetup -h sha512 -c aes-cbc-essiv:sha256 -s 256 -y luksFormat /dev/loop0

Those options mean (you should also check man cryptsetup):
-h hash type - I chose sha512 (but any kernel-supported hash could be chosen),
-c cipher type - this time AES in CBC mode with ESSIV (but you could also use any kernel-supported cipher),
-s key size - 256 bits here,
-y - verify the passphrase by asking for it twice (very useful option).
The format step asks for confirmation, and "uppercase yes" means you really have to type "YES" :))

Now you can add additional keys, one key slot each (up to the 8 slots mentioned above):

sudo cryptsetup luksAddKey /dev/loop0

You can check info about your volume with:

sudo cryptsetup luksDump /dev/loop0

After adding keys you can open your LUKS volume and map it in the OS:

sudo cryptsetup luksOpen /dev/loop0 vault

After

ls -la /dev/mapper/

you should see something like this:

brw-rw---- 1 root disk 252, 6 2011-07-10 13:47 vault

Then make a filesystem on the newly created LUKS device:

sudo mkfs.ext4 /dev/mapper/vault

Mount it:

sudo mount /dev/mapper/vault /mnt/vault/

Now you can put your files with sensitive data (passwords in this case) into /mnt/vault. But you shouldn't keep it mounted while you don't need the data, so unmount it, close the LUKS volume and detach the loop device with:

sudo umount /dev/mapper/vault
sudo cryptsetup luksClose vault
sudo losetup -d /dev/loop0

To make things a bit more automatic you can use these example scripts.
To open the vault, run this with sudo:

#!/bin/bash
# attach the vault file if the loop device is not set up yet (the close script detaches it)
losetup /dev/loop0 >/dev/null 2>&1 || losetup /dev/loop0 ./vault || exit 1
# ask for the passphrase again until luksOpen succeeds
while [ ! -e /dev/mapper/vault ]; do
cryptsetup luksOpen /dev/loop0 vault
done

mount /dev/mapper/vault /mnt/vault

To close the vault, run this with sudo:

#!/bin/bash
# stop here if the vault is still in use; otherwise lock it and detach the loop device
umount /dev/mapper/vault || exit 1
cryptsetup luksClose vault
losetup -d /dev/loop0

Of course I wouldn't recommend using the vault for keeping some very important passwords (like those for your personal bank account or security PINs), because those are passwords you should know by heart and never write down.
But for those which should be kept safe and are hard to remember (because there are a lot of them) a LUKS vault is a cheap and secure alternative to a strongbox. Considering AES a 100% safe cipher (99.9999%), you could copy your vault file to a USB pendrive and keep it in your drawer, because even if it's stolen the data is perfectly safe. For sure you should keep a backup copy of the vault file in case of storage failure.
And when one of your administrators changes job you only remove his/her key from the vault and you are still safe (of course it won't protect you from sensitive data copied earlier, but I guess you should trust your workers while they are in your team, so remove their key before you tell them they are fired :)).
When setting up LUKS on real devices (LVM, partition) you skip the losetup step. You are also able to set up LUKS volumes with keys stored on USB keys (this is a nice example of how to do that), but I consider this less secure than passphrases for a vault.
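The open/close scripts above and the key-removal advice, as one added helper script (my example, not the author's): it attaches whichever loop device is free instead of a fixed /dev/loop0, undoes the loop setup if luksOpen fails, and reads luksDump output to show which key slots are in use and to refuse killing a slot that would leave the vault with no enabled slot. The vault path, mount point and mapper name are assumptions, and the luksDump sample is constructed for offline checks.

```shell
#!/bin/sh
# Added example, not the author's scripts. Assumed: vault file ./vault, mapper
# name "vault", mount point /mnt/vault (override with VAULT_FILE / VAULT_MNT).
VAULT_FILE=${VAULT_FILE:-./vault}
VAULT_MNT=${VAULT_MNT:-/mnt/vault}
MAPPER=vault

# stdin = `cryptsetup luksDump` text (LUKS1 layout). Prints the header parameters
# in the same form as the luksFormat flags: "<-c cipher> <-h hash> <-s bits>".
luks_header_summary() {
    awk '/^Cipher name:/ {c=$3} /^Cipher mode:/ {m=$3} /^Hash spec:/ {h=$3}
         /^MK bits:/ {b=$3}  END { print c "-" m " " h " " b }'
}

# Same input; prints the numbers of the key slots that are ENABLED, one per line.
luks_used_slots() {
    awk '$1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { sub(":", "", $3); print $3 }'
}

# $1 = luksDump text, $2 = slot number. Succeeds only if that slot is in use AND
# another slot stays enabled, so a luksKillSlot cannot lock everybody out.
luks_can_kill_slot() {
    used=$(printf '%s\n' "$1" | luks_used_slots)
    n=$(printf '%s\n' "$used" | awk 'NF { c++ } END { print c + 0 }')
    printf '%s\n' "$used" | grep -qx "$2" && [ "$n" -gt 1 ]
}

vault_open() {   # attach a free loop device, unlock, mount; undo on failure
    [ -e "/dev/mapper/$MAPPER" ] && { echo "$MAPPER is already open"; return 0; }
    dev=$(losetup -f --show "$VAULT_FILE") || return 1
    cryptsetup luksOpen "$dev" "$MAPPER" || { losetup -d "$dev"; return 1; }
    mkdir -p "$VAULT_MNT" && mount "/dev/mapper/$MAPPER" "$VAULT_MNT"
}

vault_close() {  # unmount, lock, detach whichever loop device cryptsetup reports
    dev=$(cryptsetup status "$MAPPER" | awk '/device:/ { print $2 }')
    umount "$VAULT_MNT" && cryptsetup luksClose "$MAPPER" && losetup -d "$dev"
}
# Constructed sample of the luksDump lines the helpers read (not a real dump).
SAMPLE_DUMP='Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha512
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED'

case "${1:-}" in open) vault_open ;; close) vault_close ;; esac
```

Run it as "sudo ./vault.sh open" or "sudo ./vault.sh close"; the slot helpers take saved "cryptsetup luksDump" text, so you can check a slot before running cryptsetup luksKillSlot on the device.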

Article | by Dr. Radut