luks encryption with qemu builder


mike.mc...@iproov.com

Jan 26, 2018, 7:47:38 AM
to Packer
I'm trying to create a Packer workflow that will create encrypted CentOS-based images for Vagrant (qemu builder), KVM/libvirt (qemu builder), Azure and AWS. I want to be able to LUKS encrypt the entire LVM in the qemu based images. AWS and Azure do something else.

With virsh based tools I can use, say, virt-install and give it a Kickstart file like the following:

# Required settings
lang en_GB.UTF-8
keyboard uk
rootpw vagrant
authconfig --enableshadow --enablemd5
timezone UTC

# Optional settings
install
cdrom
user --name=vagrant --plaintext --password vagrant
unsupported_hardware
network --bootproto=dhcp
firewall --disabled
selinux --enforcing
bootloader --location=mbr
text
skipx
zerombr
clearpart --all --initlabel
firstboot --disabled

part /boot --fstype xfs --size=1000
# the following part command fails
part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=<my encryption passphrase>
# the following part command works as no encryption
#part pv.2 --size=0 --grow
volgroup vg00 --pesize=4096 pv.2
logvol swap --vgname=vg00 --fstype swap --size=1024 --name=lv_swap
logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
logvol /usr --vgname=vg00 --fstype xfs --percent=10 --name=lv_usr
logvol /home --vgname=vg00 --fstype xfs --percent=30 --name=lv_home
logvol /var --vgname=vg00 --fstype xfs --percent=10 --name=lv_var
logvol /var/log --vgname=vg00 --fstype xfs --percent=10 --name=lv_varlog
logvol /var/log/audit --vgname=vg00 --fstype xfs --percent=5 --name=lv_varlogaudit
logvol /tmp --vgname=vg00 --fstype xfs --percent=8 --name=lv_tmp

reboot


If I don't use the encrypt arg in the part command the LVM is set up fine, but adding in encryption stalls the Packer build at connecting with SSH. I assume this is because Anaconda finishes, then reboots, and there is no way to enter the encryption passphrase.

I tried to get a console to the image during build but can't find it! e.g.
sudo virsh list --all

does not show the image being built.

Reading the documentation and googling around showed me no examples of anyone encrypting their qemu images. 

The environment I am deploying in to can only be accessed via SSH so must use the serial console, there is no X-forwarding possible. Also, the VMs themselves must be encrypted, it is not acceptable to put an unencrypted VM in a LUKS container on the virtualisation host.

Is it possible to encrypt images or the LVM with Packer? Are there other ways I can encrypt the packer image post build e.g. in the post section? 

Thanks. Hope someone can help, been at this 3 days and going to get my butt kicked soon :-/

mike.mc...@iproov.com

Jan 26, 2018, 11:02:17 AM
to Packer
I've managed to start to make this work, although with manual steps. The trick was to set headless to false and enable VNC with qemu args. So at least I can now enter the encryption passphrase in VNC. 

Steps were:
1. in Packer qemu json set headless to false
2. in Packer qemu json set the display

"qemuargs": [
  [ "-m", "{{ user `memory` }}" ],
  [ "-smp", "{{ user `cpus` }}" ],
  [ "-display", "vnc=1" ]
]

3. once Packer is running, connect with vncviewer (you can get the IP and port from the Packer log output) e.g. vncviewer 127.0.0.1:48

Wondering if I can automate the passphrase entry by copying in a key file during kickstart (and deleting the key file and entering a new LUKS key slot later in the build process for production machines). Anyone know if that will work, or if there is a better way to encrypt the LVM?

cmob...@gmail.com

May 3, 2018, 6:46:51 AM
to Packer
Hi Mike,

Looks like we have a similar issue. I can also interact manually but would love to automate the login after first reboot with LUKS enabled.

Did you find a solution for this?

Thanks!

dragon788

May 24, 2018, 6:51:40 PM
to Packer
It might be tricky but possible to trigger VirtualBox "send-keys" via a script using the "host-shell" provisioner in order to decrypt the machine's drive on boot, but it would be tough to know the exact timing and might require a bit of scripting to handle retries and check for SSH connectivity before the password entry script quits. I've been thinking through this for the VirtualBox builder but I haven't had to put the effort into implementing it yet since our box builds are only for quickly testing our preseed/kickstart files without having to use real hardware.

dragon788

Sep 20, 2018, 5:52:47 PM
to Packer
After looking into some tangentially related things I discovered another potential option might be configuring a LUKS unlock via SSH using a crafted dropbear loaded into the initrd. There are some posts on how to do this online but I haven't yet undertaken trying to get it to work with Packer/Vagrant. I would think for security you could avoid using a passphrase-less key but instead use the ssh_agent_forwarding to present a secure key that Packer/Vagrant could use to trigger the decrypt command once, and then delete the "key slot" from LUKS after allowing it to finish provisioning or running tests against the VM to ensure it met all required guidelines (InSpec compliance profiles like the https://dev-sec.io linux-baseline or ssh-baseline).
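Both Mike's key-file idea and the "delete the key slot after provisioning" step above end the same way: the build-time key slot must be revoked and the image checked so only the passphrase slot remains. This is an added example, not code from anyone in the thread; the device path, the key-file path, the /etc/crypttab entry and the LUKS1 luksDump layout (CentOS 7 default) are all assumptions, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Revokes the temporary LUKS key
# slot a Packer build used for unattended unlocking, then verifies from
# `cryptsetup luksDump` that only the passphrase slot survives.
# Device, key path and crypttab entry are assumptions; LUKS1 dump layout assumed.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/vda2}"               # assumed: the device holding pv.2
BUILD_KEY="${BUILD_KEY:-/root/luks-build.key}"  # assumed build-time key file

# Print the numbers of key slots reported ENABLED by `cryptsetup luksDump`
# (read on stdin). LUKS1 prints one "Key Slot N: ENABLED|DISABLED" line per slot.
enabled_slots() {
    sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p'
}

# Count enabled slots (emits 0 rather than failing when none match).
count_enabled_slots() {
    enabled_slots | wc -l | tr -d ' '
}

# Succeed only when exactly one slot (the interactive passphrase) is left.
only_passphrase_slot() {
    [ "$(count_enabled_slots)" -eq 1 ]
}

# Revoke the slot that the key file opens, drop the crypttab entry, rebuild the
# initramfs so the key is no longer embedded, scrub the file, then re-check.
# Needs root on the guest; only runs when invoked as `sh script.sh cleanup`.
remove_build_slot() {
    cryptsetup luksRemoveKey "$LUKS_DEV" "$BUILD_KEY"
    sed -i "\#$BUILD_KEY#d" /etc/crypttab          # assumed: entry referenced the key file
    dracut -f                                       # assumed: key was pulled in via dracut
    shred -u "$BUILD_KEY" 2>/dev/null || rm -f "$BUILD_KEY"
    cryptsetup luksDump "$LUKS_DEV" | only_passphrase_slot ||
        { echo "build key slot still present on $LUKS_DEV" >&2; return 1; }
}

# Constructed luksDump excerpt: passphrase in slot 0, build key still in slot 1.
SAMPLE_DUMP='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

if [ "${1:-}" = cleanup ]; then
    remove_build_slot
else
    printf '%s\n' "$SAMPLE_DUMP" | count_enabled_slots   # prints 2
fi
```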