Question: disk encryption options #55

Open
celeryty opened this issue Aug 11, 2015 · 6 comments

Comments

@celeryty

I sent an email about this, but haven't heard back. Do you have info on how to modify the disk encryption options, or have the LUKS password automatically entered? I'd like to run the server headless, never needing to have a monitor/keyboard plugged in, even on reboot.

@boughtonj

Just my thought, but if you're going to have the password automatically entered, I would think you're defeating the purpose of having LUKS enabled in the first place.

V/r

James F. Boughton

@celeryty
Author

Agreed, but I didn't see any option to enable/disable LUKS during the OS install. It seemed to be required.

@fcaviggia
Owner

LUKS is encouraged, as I have that integrated as an option on the kickstart scripts that I do:

https://github.com/RedHatGov/ssg-el6-kickstart
https://github.com/RedHatGov/ssg-el7-kickstart
https://github.com/fcaviggia/hardening-script-el6-kickstart

Although LUKS is good, it's still not foolproof; here's an interesting blog post on decrypting the disk using the unencrypted /boot partition:

https://twopointfouristan.wordpress.com/

The fix - encrypting the /boot partition:

http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/

or using full disk encryption on the drives themselves...

@celeryty
Author

Thanks for the info, but we really need a way to get around typing in the LUKS password during the boot. Do you have specific instructions on getting around this, maybe having the password automatically entered or disabling the encryption?

Also, we're using VNC to access them remotely, but for some reason the VNC session stops working properly after a relatively short period, between 15 minutes and a couple hours. The mouse and keyboard are unresponsive, and the only visible UI elements are the desktop background and the classification banner. Everything else, including the top toolbar and terminal windows, is no longer visible. Any idea what could be causing this and how to prevent it?

@fcaviggia
Owner

https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile

As for the VNC issues - you might check the settings here:

https://github.com/fcaviggia/hardening-script-el6/blob/master/misc/gnome.sh (Change lines 109-121):

    # NIST 800-53 CCE-3315-9 (row 95): Screensaver in 15 Minutes; Forced Logout in 30 Minutes
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type string \
          --set /desktop/gnome/session/max_idle_action "none"
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type int \
          --set /desktop/gnome/session/max_idle_time 0
    gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type int \
          --set /apps/gnome-screensaver/idle_delay 15
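The keyfile approach linked above means the volume unlocks at boot without anyone typing a passphrase, which is exactly the trade-off James raised. As an added audit example (not code from this project or the linked article), the function below reads a constructed /etc/crypttab in the EL6 format and lists the entries that would unlock unattended from a key file, so an administrator can see at a glance which volumes have had their passphrase protection replaced by a file on disk. Swap entries keyed from /dev/urandom are skipped because they get a fresh random key every boot and never hold persistent data.

```shell
#!/bin/sh
# Constructed sample crypttab (not taken from any real host).
# Fields: mapped-name  source-device  key-file-or-none  options
SAMPLE_CRYPTTAB='# root volume still asks for the passphrase at boot
luks-root /dev/sda2 none luks
# data volume unlocks unattended from a key file stored on disk
luks-data /dev/sdb1 /root/keyfile luks
# swap is re-keyed randomly each boot; no persistent secret involved
luks-swap /dev/sda3 /dev/urandom swap'

# auto_unlock_entries CRYPTTAB_TEXT
# Prints "name keyfile" for every entry whose key field is a persistent
# key file, i.e. a volume that will open without a passphrase prompt.
auto_unlock_entries() {
    printf '%s\n' "$1" | awk '
        NF < 3 || $1 ~ /^#/ { next }
        $3 != "none" && $3 != "-" &&
        $3 != "/dev/urandom" && $3 != "/dev/random" { print $1 " " $3 }'
}

# Exit status 0 when at least one volume auto-unlocks from a key file,
# 1 otherwise; handy as a check in a hardening audit script.
has_auto_unlock() {
    [ -n "$(auto_unlock_entries "$1")" ]
}

# Stand-alone run: report on the constructed sample.
auto_unlock_entries "$SAMPLE_CRYPTTAB"
```

On a real host you would feed it `"$(cat /etc/crypttab)"` and pair the result with a permission check on each listed key file (root-owned, mode 0400) and a check that the partition holding it is itself encrypted.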

@celeryty
Author

Great, thanks!
