For one of my apps I need to enable FIPS for OpenSSL, while simultaneously using software disk encryption.
VM #1
I launched a CentOS VM instance which was software encrypted during install. The system booted fine (after entering the boot decryption password).
Next, I went through the steps to enable FIPS-OpenSSL and rebooted. The system would not accept my boot decryption password (which was purposely easy to type).
VM #2
I set up a second VM with an otherwise identical OS/config without software encryption. I enabled FIPS using the steps above, rebooted, and everything works fine with no problems rebooting.
VM #3
I spun up a third CentOS VM instance, also opting not to use system encryption during installation. After install and basic configuration, I encrypted a test volume using LUKS, then rebooted. I'm prompted for the password and the system then boots normally.
Next, I enabled FIPS-OpenSSL, rebooted, and got a plethora of errors where I'd usually see the boot password, and the system does not boot.
I booted this VM into single user mode, pulled fips=1 from the kernel line and rebooted. The boot password was accepted this time.
...
Why is enabling FIPS for OpenSSL causing the boot passwords to fail?
The problem was that I encrypted the volumes before enabling FIPS. As garethTheRed alluded to in a comment, LUKS used a non-FIPS-approved algorithm, so when FIPS was enabled things went bonkers.
The solution is to
In that order.
This guide was also useful in solving the problem. It is lengthy with extra explanation so I won't copy-paste the full thing here. Here's the gist:
A. ENABLE FIPS
1. Check if FIPS is enabled using one of two methods:
   cat /proc/sys/crypto/fips_enabled
   0 = not enabled
   1 = enabled
   openssl md5 /any/file
   valid hash = not enabled
   "Error setting digest md5" = enabled (likely)
2. Check if you have prelinking turned on.
   vi /etc/sysconfig/prelink
   Change
   PRELINKING=yes
   to
   PRELINKING=no
3. Undo all current prelinking
   [root@centos64]# prelink -ua
4. Install dracut-fips
   [root@centos64]# yum install dracut-fips
5. Rebuild your initramfs
   [root@centos64]# dracut -f
6. Find device path of /boot
   [root@centos64]# df /boot
   Filesystem     1K-blocks   Used Available Use% Mounted on
   /dev/sda2         487652 115447    346605  25% /boot
7. Back up and edit /etc/grub.conf
   cp /etc/grub.conf /etc/grub.bak
   Add in the "fips=1" and "boot=/dev/***" lines to the kernel command line
   Example:
   kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_centos6464bittempl-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_LVM_LV=vg_centos6464bittempl/lv_swap rd_LVM_LV=vg_centos6464bittempl/lv_root rd_NO_MD crashkernel=auto SYSFONT=latarcyrheb-sun16 rd_NO_DM rhgb quiet fips=1 boot=/dev/sda2
8. Reboot
9. Check if FIPS is enabled (See Step 1 above).
B. ENCRYPT VOLUME
1. Are you sure FIPS is enabled? If not, do not proceed - go back to ENABLE FIPS and make sure that part is working before continuing...
2. Get the device path of the logical volume you wish to encrypt. In my example, this is /dev/mapper/vg_mybox-LogVol03
3. BACK UP ALL DATA ON THIS VOLUME. It will be DESTROYED.
4. umount the volume. In my case, umount /db_fips
5. shred -v -n1 /dev/mapper/vg_mybox-LogVol03
6. Encrypt volume and set passphrase
   cryptsetup -v --verify-passphrase luksFormat /dev/mapper/vg_mybox-LogVol03
   NOTE: a RHEL minimal install may not include cryptsetup by default. Just yum install cryptsetup to get what you need. CentOS 6.7's minimal package set includes cryptsetup.
7. Open the device and alias it to "somename" of your choice (in this case, "db_fips")
   cryptsetup luksOpen /dev/mapper/vg_mybox-LogVol03 db_fips
8. Verify mapper has the path
   [root@centos64]# ls /dev/mapper/db_fips
   At this point, treat /dev/mapper/db_fips as you would any ordinary filesystem or device
9. Create filesystem as you normally would
   [root@centos64]# mkfs -t ext4 /dev/mapper/db_fips
10. Mount it and verify it
   [root@centos64]# mount /dev/mapper/db_fips /db_fips
   [root@centos64]# date >> /db_fips/today.txt
11. ¡¡¡IMPORTANT!!!: Comment out the existing /etc/fstab entry for the target volume, lest you have headaches on reboot. :-)
   vi /etc/fstab
   # /dev/mapper/vg_mybox-LogVol03 /some/path ext4 defaults 1,2
12. Reboot to ensure the steps above are working.
13. Get UUID of encrypted volume
   blkid
   /dev/mapper/vg_mybox-LogVol03: UUID="2e52ffee-7a02-4c91-b6bf-223b05f90ded" TYPE="crypto_LUKS"
14. Add encrypted volume to /etc/crypttab - so it can be decrypted on boot. You can specify a passfile here, but it is not recommended. Install DRAC in the server if it is to be remotely administered (so you can enter the pass phrase during boot). crypttab man page
   [root@centos64]# vi /etc/crypttab
   db_fips UUID="2e52ffee-7a02-4c91-b6bf-223b05f90ded"
15. Reboot to test.
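The answer's diagnosis is a LUKS header created before FIPS was switched on, and its section B opens by insisting that FIPS really is enabled before luksFormat runs. The shell script below is an added example written for this page; it is not code from the question, the answer, or the linked guide. It turns that pre-flight check into a function (reading /proc/sys/crypto/fips_enabled, or a test file passed as an argument) and adds a second check that inspects LUKS1 `cryptsetup luksDump` text for the cipher, cipher mode and PBKDF2 hash, so a volume that was formatted under the old defaults can be found before the next reboot rather than at the boot prompt. The field labels and the allow-list of primitives (AES; SHA-256 and SHA-512) are my assumptions, chosen deliberately conservative: anything outside the list is reported for review, not declared broken. The luksDump samples are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original answer): a pre-flight check for
# step B.1 ("Are you sure FIPS is enabled?") plus an inspection of an
# existing LUKS1 header, so a volume that was luksFormat-ed before fips=1
# went onto the kernel line can be spotted before the next reboot.
# Assumptions (mine, not the answer's): the LUKS1 luksDump field names below,
# and a conservative allow-list of primitives (AES; SHA-256 and SHA-512).
# Anything outside the list is reported for review.

# fips_enabled [flagfile]
# Returns 0 when the kernel reports FIPS mode (the file contains "1"),
# 1 when it contains "0" or cannot be read.
fips_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] || return 1
    [ "$(cat "$flag")" = "1" ]
}

# luks_field "<label>"   (luksDump text on stdin)
# Prints the value of a "Label:   value" line from LUKS1 luksDump output,
# e.g. luks_field "Cipher mode" prints "cbc-essiv:sha256".
luks_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# luks_header_fips_ok   (luksDump text on stdin)
# Returns 0 when cipher, cipher mode and hash spec are all on the allow-list,
# 1 otherwise; prints which field was rejected.
luks_header_fips_ok() {
    dump=$(cat)
    cipher=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    hash=$(printf '%s\n' "$dump" | luks_field "Hash spec")

    [ "$cipher" = "aes" ] || { echo "cipher '$cipher' not on allow-list"; return 1; }
    case "$mode" in
        xts-plain64|cbc-essiv:sha256) ;;
        *) echo "cipher mode '$mode' not on allow-list"; return 1 ;;
    esac
    case "$hash" in
        sha256|sha512) ;;
        *) echo "hash spec '$hash' (PBKDF2 hash) not on allow-list"; return 1 ;;
    esac
    echo "header ok: $cipher $mode $hash"
}

# preflight_luks_format <device> [flagfile]
# Step B.1 as a script: refuse to go on unless FIPS is already on.
preflight_luks_format() {
    if fips_enabled "$2"; then
        echo "FIPS enabled; safe to run: cryptsetup -v --verify-passphrase luksFormat $1"
        return 0
    fi
    echo "FIPS NOT enabled; finish section A (dracut-fips, fips=1, reboot) before formatting $1" >&2
    return 1
}

# Constructed sample headers (not captured from any real machine).
SAMPLE_DUMP_OK='LUKS header information for /dev/mapper/vg_mybox-LogVol03

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

SAMPLE_DUMP_REVIEW='LUKS header information for /dev/mapper/vg_mybox-LogVol03

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      ripemd160
Payload offset: 4096
MK bits:        256'

# Stand-alone demo: `sh fips_luks_check.sh demo` runs the checks against the
# constructed samples and a temporary flag file instead of the live kernel.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); echo 1 > "$tmp"
    preflight_luks_format /dev/mapper/vg_mybox-LogVol03 "$tmp"
    printf '%s\n' "$SAMPLE_DUMP_OK" | luks_header_fips_ok
    printf '%s\n' "$SAMPLE_DUMP_REVIEW" | luks_header_fips_ok
    rm -f "$tmp"
fi
```

On a real box, `preflight_luks_format /dev/mapper/vg_mybox-LogVol03` with no second argument reads the live /proc/sys/crypto/fips_enabled, and `cryptsetup luksDump /dev/mapper/vg_mybox-LogVol03 | luks_header_fips_ok` inspects an existing header. A header the check reports for review is exactly the case the answer describes: re-create it (section B again, after backing up the data) while FIPS is enabled rather than discovering the problem at the boot passphrase prompt.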