@dnoliver
Last active June 2, 2021 22:35
LVM Encryption

LVM + LUKS encryption examples: Clevis TPM2 key binding, and manual tpm2-tools sealing with a systemd mount unit (all scripts are destructive and assume root)

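#!/bin/bash
# Example 1: carve /dev/sda into a small boot partition and an LVM PV,
# create root/swap/home LVs, and LUKS-encrypt the home LV with a
# TPM2-bound Clevis key slot.
#
# DESTRUCTIVE: rewrites the partition table of /dev/sda and formats the
# new LV. Run as root on a scratch machine.
set -euxo pipefail

# The LUKS passphrase file written below must not be world-readable.
umask 077

# sfdisk is script-driven: each line is "start,size,type" and empty fields
# take their defaults, so no interactive prompts have to be counted.
# (An fdisk <<EOF transcript needs exactly one input line per prompt,
# including empty lines for default sectors, which is easy to get wrong.)
sfdisk /dev/sda <<'EOF'
label: dos
,200M,83
,,8e
EOF

pvcreate /dev/sda2
vgcreate lvmvolume /dev/sda2
lvcreate -y -L 5G -n encryptedroot lvmvolume
lvcreate -y -L 512M -n swap lvmvolume
lvcreate -y -L 2G -n encryptedhome lvmvolume

# Passphrase for LUKS key slot 0: 32 random bytes (256 bits). The original
# 8-byte value gave only 64 bits of brute-force resistance.
# Hex encoding keeps the file free of newline bytes, so it reads identically
# whether cryptsetup treats it as a key file or as a passphrase.
openssl rand -hex 32 > key
cryptsetup -q luksFormat /dev/lvmvolume/encryptedhome key

# Bind a second key slot to the TPM2. The empty pin config '{}' seals to the
# TPM only, with no PCR binding: anyone who can boot this machine (or talk
# to its TPM) can unlock the volume. Use a "pcr_ids" policy, e.g.
# '{"pcr_ids":"7"}', if the unlock is meant to depend on measured boot.
clevis luks bind -f -k key -d /dev/lvmvolume/encryptedhome tpm2 '{}'

# The clear-text passphrase in ./key remains a valid unlock path. Keep it as
# an offline recovery key (copy it somewhere safe), then remove it from this
# machine; it should not live next to the volume it unlocks:
#   shred -u key

clevis luks unlock -d /dev/lvmvolume/encryptedhome -n c1
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup luksClose c1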
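#!/bin/bash
# Teardown for example 1: remove the LVs, VG and PV created there and wipe
# the partition table of /dev/sda.
#
# DESTRUCTIVE: irreversibly discards the encrypted data. Close any open
# mapping of these LVs (e.g. `cryptsetup luksClose c1`) first, otherwise
# lvremove refuses to remove an in-use volume.
set -euxo pipefail

lvremove -y /dev/lvmvolume/encryptedhome
lvremove -y /dev/lvmvolume/encryptedroot
lvremove -y /dev/lvmvolume/swap
vgremove lvmvolume
pvremove /dev/sda2
sleep 1

# `sfdisk --delete` removes every partition in one step. The interactive
# `d`/`d`/`w` transcript relied on fdisk not asking for a partition number,
# but it does ask whenever more than one partition exists.
sfdisk --delete /dev/sda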
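#!/bin/bash
# Example 2 (Ubuntu): LUKS-encrypt a dedicated LV for /var/lib/docker with
# the key held by the TPM2 through Clevis, and wire the volume into
# crypttab/fstab so it is unlocked and mounted at boot.
#
# DESTRUCTIVE: formats the new LV. Run as root.
set -euo pipefail

# apt-get is non-interactive here; without -y it would prompt and abort.
apt-get install -y clevis clevis-dracut clevis-initramfs clevis-luks clevis-systemd clevis-tpm2 clevis-udisks2

# 512 MiB LV (lvcreate's default unit is MiB; stating it avoids doubt).
lvcreate -y -L 512M -n docker ubuntu-vg

# Slot-0 passphrase: 32 random bytes, hex-encoded so the value contains no
# newline and reads identically in key-file mode (`-d -` / `-k-`) below.
# The original read only 6 bytes from /dev/random (48 bits) - far too little.
#
# The passphrase is stored TPM-sealed in key.jwe. With the empty pin config
# '{}' it is sealed to this TPM only (no PCR binding), so anyone who can run
# `clevis decrypt` on this machine recovers it: key.jwe is a second,
# TPM-only unlock path in addition to the bound key slot added below.
# The subshell limits the restrictive umask to the key file.
(
  umask 077
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n' | clevis encrypt tpm2 '{}' > key.jwe
)

clevis decrypt < key.jwe | cryptsetup -q luksFormat /dev/ubuntu-vg/docker -d -
clevis decrypt < key.jwe | clevis luks bind -f -k- -d /dev/ubuntu-vg/docker tpm2 '{}'
clevis decrypt < key.jwe | cryptsetup luksOpen /dev/ubuntu-vg/docker c1 -d -
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup luksClose c1

mkdir -p /var/lib/docker

# Manual Unlocking
clevis luks unlock -d /dev/ubuntu-vg/docker -n luks-ubuntu-vg-docker
mount /dev/mapper/luks-ubuntu-vg-docker /var/lib/docker/

# Auto Unlocking
# _netdev is required with Clevis 12.
# newer versions of Clevis ask to remove it
# see https://bodhi.fedoraproject.org/updates/FEDORA-2020-d42f4e90f9
# Append only when the entry is not there yet, so re-running the script does
# not duplicate crypttab/fstab lines.
grep -q '^luks-ubuntu-vg-docker ' /etc/crypttab 2>/dev/null || \
  echo "luks-ubuntu-vg-docker /dev/ubuntu-vg/docker none _netdev" >> /etc/crypttab
grep -qF '/dev/mapper/luks-ubuntu-vg-docker ' /etc/fstab 2>/dev/null || \
  echo "/dev/mapper/luks-ubuntu-vg-docker /var/lib/docker ext4 defaults,_netdev 0 2" >> /etc/fstab
systemctl enable clevis-luks-askpass.path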
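#!/bin/bash
# Example 3 (Ubuntu): LUKS-encrypt the docker LV and seal its key in the
# TPM2 directly with tpm2-tools (no Clevis), then install a oneshot systemd
# service that unseals the key and mounts /var/lib/docker at boot.
#
# DESTRUCTIVE: formats /dev/ubuntu-vg/docker. Run as root.
set -euxo pipefail

# Create Volume
# lvcreate -y -l 100%FREE -n docker ubuntu-vg
# Create Mountpoint
# mkdir -p /var/lib/docker

# Encrypt Partition
# Bootstrap key: 32 random bytes in a root-only file (the subshell scopes the
# restrictive umask to it). It is shredded below, and also on an early exit,
# so a failed run does not leave a clear-text LUKS key behind.
trap 'shred -u disk.key 2>/dev/null || true' EXIT
( umask 077; head -c 32 /dev/urandom > disk.key )
cryptsetup luksFormat -q --key-file=disk.key /dev/ubuntu-vg/docker

# Create Filesystem
cryptsetup luksOpen --key-file=disk.key /dev/ubuntu-vg/docker docker
mkfs.ext4 -j /dev/mapper/docker
sleep 1
cryptsetup luksClose docker

# Create TPM Encryption Key
# A fresh 32-byte secret is sealed under a primary key in the owner
# hierarchy and made persistent at handle 0x81010001.
#
# NOTE(review): the sealed object is created with no auth value and no
# policy, so any process that can open the TPM (root, or members of the tss
# group on /dev/tpmrm0) can run tpm2_unseal and obtain the LUKS key. The
# encryption therefore protects only against the disk being read elsewhere.
# For a measured-boot binding, create a PCR policy
# (tpm2_createpolicy --policy-pcr -l sha256:7 -L pcr.policy), pass it with
# `tpm2_create -L pcr.policy`, unseal with `-p pcr:sha256:7`, and verify the
# resulting object attributes actually require the policy.
tpm2_createprimary -Q -C o -c prim.ctx
head -c 32 /dev/urandom | tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i- -C prim.ctx
tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx
tpm2_evictcontrol -C o -c seal.ctx 0x81010001

# Add TPM Key to disk
# Replace the bootstrap key (slot 0, read from disk.key) with the unsealed
# secret. The trailing `-` names stdin as the *new key file*, so cryptsetup
# reads the whole 32-byte stream - exactly what `luksOpen --key-file=-` does
# in the mount script below. Without that argument the new key is read in
# passphrase mode, which stops at the first newline byte; roughly one random
# 32-byte key in eight contains one, and such a volume could never be
# unlocked by the mount script again.
tpm2_unseal -Q -c 0x81010001 | cryptsetup luksChangeKey --key-file disk.key /dev/ubuntu-vg/docker -
shred -u disk.key
trap - EXIT

# Create Mount binary
# Quoted heredoc delimiter: nothing in the script is meant to expand now.
cat > /usr/bin/mount-var-lib-docker.sh <<'EOF'
#!/bin/bash
set -euxo pipefail
tpm2_unseal -Q -c 0x81010001 | cryptsetup luksOpen --key-file=- /dev/ubuntu-vg/docker docker
mount /dev/mapper/docker /var/lib/docker
EOF
chmod u+x /usr/bin/mount-var-lib-docker.sh

# Create Mount Service
# RemainAfterExit keeps the oneshot "active" once it has run, so that units
# ordered After=/Requires= this service see it as up rather than inactive.
cat > /etc/systemd/system/mount-var-lib-docker.service <<'EOF'
[Unit]
Description=Mount /var/lib/docker Service
After=network.target
StartLimitIntervalSec=0
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/mount-var-lib-docker.sh
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload

# Modify Docker Service
# NOTE(review): while this override stays commented out, nothing orders
# docker.service after the mount. On a boot where docker starts first it
# writes images, layers and volumes into the unencrypted /var/lib/docker on
# the root filesystem. Enable the override (Requires= plus After=) before
# relying on the encryption.
#mkdir -p /etc/systemd/system/docker.service.d/
#cat > /etc/systemd/system/docker.service.d/override.conf << EOF
#[Unit]
#Requires=mount-var-lib-docker.service
#After=mount-var-lib-docker.service
#EOF
#systemctl daemon-reload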