¡¡¡All Glory to Gloria!!!
Task: mount LUKS-encrypted partitions and run programs on them without storing the LUKS key on the server itself.
The mount command is issued through a browser.
$ sudo git clone --depth=1 https://github.com/mche/httpd-luks-mount.git foo-folder
See comments in cgi-bin/config.sh
$ sudo busybox httpd -p 8080 -h /path/to/foo-folder
A more advanced variant using uWSGI is described below.
Example of creating a file-backed LUKS device:
$ dd if=/dev/zero of=luksTest.img bs=1M count=100
$ sudo cryptsetup -s 512 luksFormat luksTest.img
$ sudo cryptsetup luksOpen luksTest.img myTest
$ sudo mkfs.ext4 -m 0 /dev/mapper/myTest
$ sudo cryptsetup luksClose /dev/mapper/myTest
cgi-bin/luks-key.sh contains an example of combining two random strings (the two key parts) into a single key. There is wide scope for creativity here: any combining algorithm can be used.
Next, the key-creation procedure for the built-in algorithm.
$ head -c 2048 /dev/urandom | base64 -w 0 > enc1.key
Put the location of the main part of the key into cgi-bin/config.sh, for example:
export key1URL=https://gist.githubusercontent.com/foo/3894cedc3997e3acd97470c63bf9ba4a/raw/enc1.key
A second random string is also generated; it is passed in the request URL. It does not have to be long:
$ head -c 512 /dev/urandom | base64 -w 0
Copy-paste this string into the request URLs.
Join the two parts into a single composite key:
$ curl 'http://127.0.0.1:8080/cgi-bin/key.sh?<second part of the key>' > enc.key
The key is ready to be enrolled in LUKS:
$ sudo cryptsetup luksAddKey luksTest.img enc.key
$ shred enc.key
The resulting key file is now enrolled and is not used again directly. Each time, the two parts (the one from the request string and the one from the network file) are combined on the fly.
From another computer, if the server was powered off/rebooted:
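The following is an added example, not code from the httpd-luks-mount repository, showing how a CGI endpoint like key.sh/mount.sh can combine the two parts safely: the query-string part is validated before it reaches any command line, and the composite key goes to cryptsetup over stdin so it never lands on disk. The combiner (SHA-256 of the concatenation) and the function names are assumptions made here, not the project's own algorithm.

```shell
#!/bin/sh
# Added example (not from the httpd-luks-mount repo). Assumptions:
# part 1 is fetched from $key1URL (from config.sh), part 2 arrives in
# QUERY_STRING, and the combiner is SHA-256 over part1||part2.

# Accept only the base64 alphabet produced by `base64 -w 0`; anything
# else (shell metacharacters, empty value) is rejected before use.
valid_part2() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9+/=]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Derive the composite key; written to stdout only (no newline), so the
# same bytes are used for luksAddKey and for luksOpen.
compose_key() {
  printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1 | tr -d '\n'
}

# Fetch part 1 from the configured URL; -f makes HTTP errors fail loudly.
fetch_part1() {
  curl -fsS "$key1URL"
}

# open_luks <device> <mapping-name> <part1> <part2>
# The key is piped to cryptsetup via --key-file - so no key file exists.
open_luks() {
  valid_part2 "$4" || { echo "rejected key part from query string" >&2; return 1; }
  compose_key "$3" "$4" | cryptsetup luksOpen --key-file - "$1" "$2"
}
```

A mount.sh built this way would call `open_luks luksTest.img myTest "$(fetch_part1)" "$QUERY_STRING"` and then `mount /dev/mapper/myTest` on the target directory.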
$ curl 'http://host:8080/cgi-bin/mount.sh?<second part of the key>'
Thus, trusted users know this URL and open it in a browser whenever necessary.
If the computer with LUKS is lost for good, delete the network file holding the first part of the key; HTTP monitoring is then not needed.
If you add extra commands to cgi-bin/post-mount.sh, they are executed after a successful mount.
$ sudo su
# cd foo-folder/cgi-bin
# mv mount.sh jh4355k0398-mount.sh
# ln -s jh4355k0398-mount.sh mount.php
# mv key.sh jh4355k0398-key.sh
# ln -s jh4355k0398-key.sh key.php
Accordingly, the URLs of the HTTP calls change to:
http://host:8080/cgi-bin/key.php?<second part of the key>
and http://host:8080/cgi-bin/mount.php?<second part of the key>
ATTENTION! Only the two files mount.sh and key.sh are executable HTTP entry points. Non-executable files will not be found.
You need to build the cgi plugin:
# wget https://projects.unbit.it/downloads/uwsgi-2.0.18.tar.gz
# tar -xvzf uwsgi-2.0.18.tar.gz
# cd uwsgi-2.0.18
# python uwsgiconfig.py --build core
# python uwsgiconfig.py --plugin plugins/cgi core
Launch:
./uwsgi -b 32768 --http-socket 0.0.0.0:8080 --plugins cgi --cgi /path/to/foo-folder/cgi-bin/ --http-socket-modifier1 9
HTTPS:
./uwsgi -b 32768 --https-socket 0.0.0.0:8443,foobar.crt,foobar.key --plugins cgi --cgi /path/to/foo-folder/cgi-bin/ --https-socket-modifier1 9
Requests are made without the cgi-bin path prefix:
curl -vv -L 'https://host:8443/key...'