## Step 2: Create a script returning the keyfile

You will need to create a script that can return the keyfile when invoked, stored as /etc/luks/key.sh. The content of the script completely depends on how and where you stored your keyfile. You can see an example of doing this in the Appendix below.

Following up on the example in the Appendix, with a keyfile stored on Azure Blob Storage, the script would look like this:

Try rebooting the system, and you’ll see the partition being mounted automatically.

We’re done! However, keep in mind a few things:

- To mount and un-mount the encrypted disk you must use systemctl rather than the usual mount and umount commands. Mount the disk with systemctl start mnt-data.mount, and un-mount with systemctl stop mnt-data.mount.
- The systemd units are executed only after the network and the other “normal” filesystems are mounted. If you have another service depending on the data disk’s availability, you need to explicitly make its systemd unit depend on the mnt-data.mount unit (with Requires=mnt-data.mount and After=mnt-data.mount).
- As mentioned at the beginning, this solution can’t be used with the root filesystem, but only with secondary data disks.

## Appendix: Storing the keyfile in Azure Blob Storage

In this example, I’m storing the keyfile in Azure Blob Storage. While this doesn’t offer the same protection as a key vault, it can be enough for most people, depending on your threat model. I’m guaranteeing some level of security by:

- Configuring the Storage Account to accept only secure connections that use HTTPS.
- Allowing connections only from the IP of my home (I have a “quasi-static” IP that changes less than once per year).
- Requiring clients to use a SAS token to download the file.

My threat model involves people stealing the disk and/or the server. The attacker wouldn’t be able to download the keyfile if they’re not in my network.
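A possible /etc/luks/key.sh for the Azure Blob Storage setup described above, added here as an example and not the post's own script. It assumes the SAS URL is kept in a root-only file /etc/luks/key.url (a hypothetical path), that the blob is the raw keyfile, and that whatever unlocks the LUKS volume reads the key from the script's stdout; the URL check and the minimum-length check fail closed so that a plain-HTTP URL or a truncated download never unlocks the disk.

```shell
#!/bin/sh
# /etc/luks/key.sh: print the LUKS keyfile fetched from Azure Blob Storage to stdout.
# Assumptions (not from the original post): the SAS URL lives in a root-only file
# KEY_URL_FILE (mode 0600), the blob is the raw keyfile, and cryptsetup reads stdout.
set -eu

KEY_URL_FILE="${KEY_URL_FILE:-/etc/luks/key.url}"
MIN_KEY_BYTES=32   # refuse anything shorter: a truncated download must not unlock

# Fail closed unless the URL is https:// and carries a SAS signature (sig=) and
# expiry (se=): a plain-HTTP or unsigned URL would silently weaken the setup.
validate_blob_url() {
    case "$1" in https://*) ;; *) return 1 ;; esac
    case "$1" in *'sig='*) ;; *) return 1 ;; esac
    case "$1" in *'se='*)  ;; *) return 1 ;; esac
}

# Sanity-check a fetched keyfile: non-empty and at least MIN_KEY_BYTES long.
check_keyfile() {
    [ -s "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge "$MIN_KEY_BYTES" ]
}

# Download to a private file. --fail turns a 403 (e.g. IP not on the allow-list)
# into a non-zero exit; --proto '=https' refuses redirects to plain HTTP.
fetch_keyfile() {
    curl --silent --show-error --fail --proto '=https' --tlsv1.2 \
         --max-time 30 --output "$2" "$1"
}

main() {
    umask 077
    url=$(cat "$KEY_URL_FILE")
    validate_blob_url "$url" || { echo "key.sh: refusing unsafe key URL" >&2; exit 1; }
    tmp=$(mktemp /dev/shm/luks-key.XXXXXX)   # tmpfs: the key never touches the disk
    trap 'rm -f "$tmp"' EXIT
    fetch_keyfile "$url" "$tmp"
    check_keyfile "$tmp" || { echo "key.sh: downloaded keyfile is invalid" >&2; exit 1; }
    cat "$tmp"
}

# Run main only when executed as key.sh; sourcing the file just defines the functions.
case "${0##*/}" in key.sh) main ;; esac
```

Keep the script and the URL file root-owned with mode 0600, since anyone who can read the SAS URL from an allowed IP can fetch the key.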