Archive for October, 2009

USB encryption with Luks

Here is an easy way of encrypting USB thumb drives with LUKS. The examples below assume your thumb drive is /dev/sdb; check with dmesg or fdisk -l first, because the steps that follow destroy whatever is on that device.

First, check the device for bad blocks:

~]# badblocks -c 10240 -s -w -t random -v /dev/sdb

Next create the partition on the drive itself.

~]# fdisk /dev/sdb

Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x99faf680.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): p

Disk /dev/sdb: 4066 MB, 4066377728 bytes
126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680

Device Boot Start End Blocks Id System

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1016, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1016, default 1016):
Using default value 1016

Command (m for help): p

Disk /dev/sdb: 4066 MB, 4066377728 bytes

126 heads, 62 sectors/track, 1016 cylinders
Units = cylinders of 7812 * 512 = 3999744 bytes
Disk identifier: 0x99faf680

Device Boot Start End Blocks Id System
/dev/sdb1 1 1016 3968465 83 Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Now set the passphrase and initialise the LUKS container on the new partition. The options below select AES with a 256-bit key:

~]# cryptsetup luksFormat -v -y -s 256 -c aes /dev/sdb1
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

To open the encrypted drive type:

cryptsetup luksOpen /dev/sdb1 usbdrive

It will then prompt for the password.

***WARNING*** Do not lose your password, there is no way to recover it!

Now create a filesystem on the unlocked mapping. This example uses ext4; ext3 also works if you are running an older distro.

~]# mkfs.ext4 /dev/mapper/usbdrive
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
248000 inodes, 991859 blocks
49592 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1019215872

31 block groups
32768 blocks per group, 32768 fragments per group
8000 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Mount the drive:

~]# mount /dev/mapper/usbdrive /media/thumbdrive/

Now your drive is encrypted ;-)

Gnome should prompt for the passphrase automatically the next time you insert the USB drive. If you are working from the CLI, here are the steps to mount and unmount the drive.

Mount the device

~]# cryptsetup luksOpen /dev/sdb1 usbdrive
~]# mount /dev/mapper/usbdrive /media/usbdrive

Unmount the device

~]# umount /media/usbdrive
~]# cryptsetup luksClose usbdrive
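The open/close steps above work, but typed by hand they are easy to get half right: mounting fails and the unlocked mapping is left behind, or luksClose is run while the filesystem is still mounted. The helper below is an added example (not from the original post) that wraps the same two cryptsetup/mount sequences with the checks a practitioner would want: the device must be a block device with a LUKS header, an existing mapping is never clobbered, and a failed mount closes the mapping again. It assumes the mapping name "usbdrive" and the mount point /media/usbdrive used in the post; cryptsetup, mount and mountpoint must be in PATH and the script must run as root.

```shell
#!/bin/sh
# luksusb: open+mount or unmount+close a LUKS-encrypted USB partition with sanity checks.
# Added example for this post, not the original author's commands.
# Assumed names (from the post): mapping "usbdrive", mount point /media/usbdrive.

MAPNAME=usbdrive
MOUNTPOINT=/media/usbdrive

# luks_open DEVICE: unlock DEVICE as /dev/mapper/$MAPNAME and mount it.
# Returns 2 on usage error, 1 on any failed check or command, 0 on success.
luks_open() {
    dev=$1
    [ -n "$dev" ] || { echo "usage: luks_open /dev/sdXN" >&2; return 2; }
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; return 1; }
    # Refuse to touch a partition that does not carry a LUKS header (wrong device?).
    cryptsetup isLuks "$dev" || { echo "$dev: no LUKS header, refusing" >&2; return 1; }
    # Never clobber a mapping that is already open (possibly for another drive).
    if [ -e "/dev/mapper/$MAPNAME" ]; then
        echo "$MAPNAME is already mapped; close it first" >&2
        return 1
    fi
    cryptsetup luksOpen "$dev" "$MAPNAME" || return 1
    mkdir -p "$MOUNTPOINT"
    if ! mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT"; then
        # Do not leave an unlocked mapping behind after a failed mount.
        cryptsetup luksClose "$MAPNAME"
        return 1
    fi
    return 0
}

# luks_close: flush, unmount and lock the mapping; safe to call when nothing is open.
luks_close() {
    if mountpoint -q "$MOUNTPOINT"; then
        sync
        umount "$MOUNTPOINT" || { echo "umount failed: files still open under $MOUNTPOINT?" >&2; return 1; }
    fi
    if [ -e "/dev/mapper/$MAPNAME" ]; then
        cryptsetup luksClose "$MAPNAME" || return 1
    fi
    return 0
}

# Command-line dispatch: "luksusb open /dev/sdb1" or "luksusb close".
if [ "$#" -gt 0 ]; then
    case "$1" in
        open)  luks_open "$2" ;;
        close) luks_close ;;
        *)     echo "usage: $0 open /dev/sdXN | close" >&2; exit 2 ;;
    esac
fi
```

The order in luks_close matters: unmounting before luksClose is what keeps the filesystem consistent, and the mountpoint check makes the function idempotent, so it can be run from a udev remove hook or a logout script without error noise.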

GPG Keys

GnuPG is used to encrypt and sign email messages and files. First you need to create a key pair:

Generating Keys
———————————————————–
$ gpg --gen-key
———————————————————–

Select option 5 for RSA and then enter the key size.
———————————————————–
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

———————————————————–

Now enter your personal information
———————————————————–
Real name: Jason Brown
Email address: jasonbrown@example.com
Comment: Example
You selected this USER-ID:
"Jason Brown (Example) <jasonbrown@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
............................+++++
...........+++++
gpg: key 7C11053D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u
pub 4096R/7C11053D 2009-10-12
Key fingerprint = EE6B C53F A665 593C 3607 FEE1 F984 2AF9 7C11 053D
uid Jason Brown (Example) <jasonbrown@example.com>

———————————————————–

As stated in the option menu, this key was generated for signing email or files only (usage: SC) and cannot be used to encrypt. You now have to edit the key that was just generated and add an encryption subkey.
———————————————————–
$ gpg --edit-key jasonbrown@example.com

pub 4096R/7C11053D created: 2009-10-12 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Jason Brown (Example) <jasonbrown@example.com>

Command> addkey
You need a passphrase to unlock the secret key for
user: "Jason Brown (Example) <jasonbrown@example.com>"
4096-bit RSA key, ID 7C11053D, created 2009-10-12

———————————————————–

Enter your passphrase and then select option 6 for 'RSA (encrypt only)'. It will then ask for a key size and expiry; use the same settings as in the first section. Once complete you will have a new subkey (usage: E) for encryption:
———————————————————–
pub 4096R/7C11053D created: 2009-10-12 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/55D59203 created: 2009-10-12 expires: never usage: E
[ultimate] (1). Jason Brown (Example) <jasonbrown@example.com>

———————————————————–

Now type save to exit:
———————————————————–
Command> save
———————————————————–

Your new key is now ready to be uploaded to a public keyserver:
———————————————————–
$ gpg --keyserver pgp.mit.edu --send-key jasonbrown@example.com
———————————————————–

GPG Key Backup
Once your keys have been generated, you will need to export both the public and private keys and store them for safe keeping. To export your public key:
———————————————————-
$ gpg --export -a jasonbrown@example.com > example-pub.key
———————————————————-

And the private key:
———————————————————-
$ gpg --export-secret-key -a jasonbrown@example.com > example-priv.key
———————————————————-

You can then create a tar backup of these two keys and encrypt them with a passphrase.
———————————————————-
$ tar -cvf gpgkeys.tar example-priv.key example-pub.key
$ gpg -c --cipher-algo aes256 gpgkeys.tar

———————————————————-

Then enter a strong passphrase. The encrypted tarball lets you restore your keys on a machine where the key pair is not installed. Once this is done, securely delete the plaintext key files, leaving just the encrypted tarball; anyone who can read those exported files can use your keys.
———————————————————-
$ for i in gpgkeys.tar example-priv.key example-pub.key
>do
>shred -n 100 -z -u -v $i
>done

———————————————————-

Retrieving Public Keys
To search for a persons key type:

———————————————————-
$ gpg --search-keys jasonbrown@example.com
———————————————————-
As this is an example with a fake email address, this will not return any results. Had it been a real address, you would see a list of matching user IDs with numbers along the side. To request that person's public key, type the number and hit 'enter' and it will retrieve the public key.

Encrypting Files to Other Users
To encrypt a file to a different user you must first have that user's public key. To check which keys you have, type:
———————————————————-
$ gpg --list-keys

pub 4096R/7C11053D 2009-10-12
uid Jason Brown (Example) <jasonbrown@example.com>
sub 4096R/55D59203 2009-10-12

———————————————————-

I will encrypt a file to myself. The ‘-e’ option is to tell it to encrypt and the ‘-r’ is the recipient or public key of the person you want to give the file to.
———————————————————-
$ gpg -e -r jasonbrown@example.com ssn.txt
———————————————————-

To decrypt the file, the recipient must have their key installed on the machine. Then type:
———————————————————-
$ gpg --output ssn.txt --decrypt ssn.txt.gpg
———————————————————-
Where '--output' names the decrypted file and '--decrypt' names the file being decrypted.

You may also want to digitally sign the file you are encrypting, to do so type:
———————————————————-
$ gpg --detach-sig ssn.txt.gpg
———————————————————-

And to verify the signature file:
———————————————————-
$ gpg --verify ssn.txt.gpg.sig ssn.txt.gpg

gpg: Signature made Mon 12 Oct 2009 02:21:26 PM EDT using DSA key ID 7C11053D
gpg: Good signature from "Jason Brown (Example) <jasonbrown@example.com>"

———————————————————-
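"Good signature" only tells you that some key in your keyring made the signature; it says nothing about whether that key is the one you meant. The script below is an added example (not from the original post) that verifies a detached signature the way a deployment or release check should: it reads gpg's machine-readable status output and compares the signer's primary-key fingerprint against a pinned value such as the one printed at key creation above. It assumes gpg in PATH and a signature produced with --detach-sig as in the post; the status lines embedded for testing are constructed, modelled on gpg's VALIDSIG format.

```shell
#!/bin/sh
# Added example (not the post's commands): verify a detached signature and pin the
# signer's fingerprint rather than trusting "Good signature" alone.
# Assumes: gpg in PATH, signature made with --detach-sig as in the post.

# normalize_fpr FPR: drop spaces and upper-case hex so that
# "EE6B C53F ..." and "ee6bc53f..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# extract_validsig_fpr: read gpg --status-fd output on stdin and print the
# primary-key fingerprint from the VALIDSIG line (its last field).
# Prints nothing when gpg reported no valid signature (BADSIG, NO_PUBKEY, ...).
extract_validsig_fpr() {
    awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }'
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR
# Returns 0 only if gpg reports a valid signature AND the signing key's
# primary fingerprint equals EXPECTED_FPR.
verify_pinned() {
    sig=$1
    data=$2
    expected=$(normalize_fpr "$3")
    # Status lines go to fd 1; human-readable chatter is discarded.
    status=$(gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | extract_validsig_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$expected" ]
}

# Constructed status output (not captured from a real run), using the fingerprint
# printed when the post's key was generated; the timestamp field is made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F9842AF97C11053D Jason Brown (Example) <jasonbrown@example.com>
[GNUPG:] VALIDSIG EE6BC53FA665593C3607FEE1F9842AF97C11053D 2009-10-12 1255371686 0 4 0 1 2 00 EE6BC53FA665593C3607FEE1F9842AF97C11053D'

# Usage with real files:
#   verify_pinned ssn.txt.gpg.sig ssn.txt.gpg "EE6B C53F A665 593C 3607 FEE1 F984 2AF9 7C11 053D"
```

Pinning the fingerprint in the script (or in a config file under version control) is what turns a signature check into a trust decision; without it, an attacker who can get any key into the verifying keyring passes the check.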

Random password generation with Perl

This script generates new passwords for servers. It takes a list of servers from one file, generates a new password for each, then writes the server name and password to a separate file. Under each entry it also writes a command to reset the root password on that server. The output looks like:

testserver #]biV}]F!?u
echo '#]biV}]F!?u' | passwd --stdin root; history -c

Copy and paste the whole echo line into a root shell on that server. It pipes the new password into passwd and then clears the shell history. After all of the passwords have been changed, strip the command lines out of the password file (passwordfile is whatever name you gave at the "Password File:" prompt):
grep -v echo passwordfile > newpassfile.txt
Now you have an easy to read password file to store in your archives.

#!/usr/bin/perl -w
use strict;

#############################################################
#Version 1.0
#Copyright (c) Jason C. Brown (2009)
#
#Released under the GNU GPLv3 license
#------------------------------------
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program. If not, see .
#############################################################

system("clear");
print "Server File: ";
chomp(my $SERVERFILE = <STDIN>);
print "Password File: ";
chomp(my $USRPASSFILE = <STDIN>);
print "Length of password: ";
chomp(my $passlen = <STDIN>);
die "Password length must be a positive integer\n"
    unless $passlen =~ /^\d+$/ && $passlen > 0;

open(SERVFILE, "<", $SERVERFILE) || die "$SERVERFILE: $!";
open(PASSFILE, ">", $USRPASSFILE) || die "$USRPASSFILE: $!";

# Character set for generated passwords: letters, digits 1-9 and punctuation.
# The single quote is deliberately absent so a password can sit inside the
# single-quoted echo command written below.
my @char = ('a'..'z', 'A'..'Z', '1'..'9', '!', '@', '#', '$', '%', '^', '&', '*', '(', ')',
            '-', '_', '=', '+', '<', '>', '[', ']', '{', '}', ':', ';', '?', '|');

# Build a password of exactly $passlen characters.
# Caveat: Perl's rand() is not a cryptographically secure generator.
sub passgen {
    my $ranpass = "";
    for (1..$passlen) {
        $ranpass .= $char[int rand @char];
    }
    return $ranpass;
}

my $i = 0;
while (my $server = <SERVFILE>) {
    chomp($server);
    next if $server =~ /^\s*$/;    # skip blank lines in the server list
    my $pass = passgen();
    # First line: server and password. Second line: the paste-ready command,
    # feeding the password to passwd on stdin and then clearing shell history.
    print PASSFILE "$server\t$pass\n\techo '$pass' | passwd --stdin root; history -c\n";
    $i++;
}
print "Generated $i passwords in $USRPASSFILE\n";

close(SERVFILE);
close(PASSFILE);
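The script above relies on Perl's rand(), which is seeded from a small amount of state and is not meant for secrets. As an added example (not the post's code), the shell functions below do the same job for the same server-list input but draw characters from the kernel CSPRNG via /dev/urandom. They assume a Linux host with GNU or BSD tr and head; the character set mirrors the post's minus '-', '[' and ']' (which are special to tr) and the quote characters, so a generated password is safe to place inside single quotes.

```shell
#!/bin/sh
# Added example (not the post's Perl): generate passwords from /dev/urandom
# rather than perl's rand(). Assumes a Linux host; head -c and tr ranges as in
# GNU/BSD coreutils.

# Allowed characters; '-' is a tr range operator inside A-Z etc., so it is not
# itself a member, and '[' ']' and the quotes are left out on purpose.
PASS_CHARS='A-Za-z1-9!@#$%^&*()_+=:;?|{}<>'

# passgen LENGTH: print one random password of exactly LENGTH characters.
# Returns 2 on a bad length argument.
passgen() {
    len=$1
    case "$len" in
        ''|*[!0-9]*) echo "passgen: length must be a positive integer" >&2; return 2 ;;
    esac
    [ "$len" -gt 0 ] || { echo "passgen: length must be a positive integer" >&2; return 2; }
    # tr -dc keeps only bytes in the set; LC_ALL=C makes tr work on raw bytes.
    LC_ALL=C tr -dc "$PASS_CHARS" < /dev/urandom | head -c "$len"
    echo
}

# passgen_count PASSWORD: number of characters in PASSWORD (sanity check helper).
passgen_count() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# gen_for_servers LENGTH: read server names on stdin (one per line, blanks
# skipped) and print "server<TAB>password" lines, like the post's first line
# per entry. Example:  gen_for_servers 16 < servers.txt > passwords.txt
gen_for_servers() {
    len=$1
    while IFS= read -r server; do
        [ -n "$server" ] || continue
        printf '%s\t%s\n' "$server" "$(passgen "$len")"
    done
}
```

If the output file is kept at all, keep it only in encrypted form (for instance with gpg -c as in the key-backup section above); a plaintext file of root passwords is exactly the artifact an attacker hopes to find in a home directory or backup.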

RAID Health Check

Here is a Bash script that reports the status of a Linux software RAID array using mdadm and the drives' SMART data (smartctl).

#!/bin/bash
#A Bash Script that will check the status of a Linux software RAID
#Version 1.0
#Copyright (c) Jason C. Brown (2009)
#Released under the GNU GPLv3 license
#Tested under RHEL 5

DAY=$(date +%D)
RAID=md0
# Member devices (e.g. sda1 sdb1): field 7 of the "active" rows in mdadm --detail
HD=$(/sbin/mdadm --detail /dev/$RAID | grep active | awk -F " " '{ print $7 }' | sed 's/\/dev\///g')
LEVEL=$(/sbin/mdadm --detail /dev/$RAID | grep "Raid Level" | awk -F ":" '{ print $2 }')
HN=$(uname -n | awk -F "." '{ print $1 }')
SYSUPTIME=$(uptime | awk '{ print $3 " " $4 " " $5 " hours"}' | sed 's/\,//g')

echo ""

echo "RAID health check for" $HN "on" $DAY
echo "System uptime: " $SYSUPTIME
echo ""
echo "File System"
df -H | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $1 " " $5 }' | column -t
echo " "

echo "Checking" $LEVEL "Consistency"
echo "----------------------------------------------------------"
echo $RAID
/sbin/mdadm --detail /dev/$RAID | grep -E 'State|Checksum|Device Size|Raid Devices|Active Devices|Working Devices|Failed Devices|Persistence' | grep -v " Number Major Minor RaidDevice State"
echo ""

# Per-member view: superblock state from mdadm plus SMART health and temperature
for drive in $HD;
do
echo $drive;
/sbin/mdadm --examine /dev/$drive | grep -E 'State|Checksum|Device Size' | grep -v " Number Major Minor RaidDevice State" | column -t
/usr/sbin/smartctl -a /dev/$drive | grep 'SMART overall-health self-assessment test result' | awk -F " " '{ print $1 " " $2 " " $5 " " $6}'
/usr/sbin/smartctl -a /dev/$drive | grep 'Temperature_Celsius' | awk -F " " '{ print $2 " " $4 }'
echo ""
done

echo "I/O stats for main drive"
echo "----------------------------------------------------------"
iostat -p /dev/hdc | grep -vE 'Linux'
echo "I/O stats for raid drive"
echo "----------------------------------------------------------"
iostat -p /dev/$RAID | grep -vE 'Linux'
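The script above prints a report for a human to read; it never decides whether the array is healthy, so it cannot page anyone or fail a cron job. The function below is an added example (not the post's script) that parses the same mdadm --detail output and returns a pass/fail result: it looks at the "State :" and "Failed Devices :" lines and exits non-zero on any failed member or on a degraded/recovering state. The two sample outputs are constructed, modelled on the mdadm --detail layout of that era, and the label names are an assumption to verify against your mdadm version.

```shell
#!/bin/sh
# Added example (not the post's script): turn `mdadm --detail` output into a
# pass/fail check usable from cron or a monitoring agent.
# Assumes mdadm --detail prints "State :" and "Failed Devices :" lines.

# raid_state: read mdadm --detail output on stdin; print "OK" or "DEGRADED: ..."
# and return 0 for healthy, 1 for needs-attention.
raid_state() {
    awk '
        /^ *State :/          { state = $0; sub(/^ *State : */, "", state) }
        /^ *Failed Devices :/ { failed = $NF }
        END {
            bad = ""
            if (failed + 0 > 0)                       bad = bad "failed=" failed " "
            if (state ~ /degraded|recovering|resync/) bad = bad "state=\"" state "\" "
            if (bad == "") { print "OK"; exit 0 }
            print "DEGRADED: " bad
            exit 1
        }'
}

# check_array NAME: run the check on a live array, e.g. check_array md0 (needs root).
check_array() {
    /sbin/mdadm --detail "/dev/$1" | raid_state
}

# Constructed sample outputs (not captured from a real host), healthy and degraded.
RAID_OK='/dev/md0:
        Version : 0.90
     Raid Level : raid1
   Raid Devices : 2
  Total Devices : 2
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0'

RAID_BAD='/dev/md0:
        Version : 0.90
     Raid Level : raid1
   Raid Devices : 2
  Total Devices : 2
          State : clean, degraded
 Active Devices : 1
Working Devices : 1
 Failed Devices : 1
  Spare Devices : 0'

# Demo on the constructed samples; on a real host call check_array md0 instead.
printf '%s\n' "$RAID_OK"  | raid_state
printf '%s\n' "$RAID_BAD" | raid_state || echo "exit status $? (alert)"
```

Run from cron as `check_array md0 || mail -s "RAID degraded on $(hostname)" root`, the non-zero exit is what makes the check actionable; the post's report could be appended after it to give the responder the SMART and I/O context.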