Securing/encrypting LEDE/openwrt config folder, custom scripts


#1

Hi all,

We are using LEDE 17.01 on our embedded board. We would like to secure the "config files" and "custom shell scripts" that are part of the LEDE image. We are looking into the LUKS concept (cryptsetup) to create a loop container to mount the /etc/config folder into an encrypted container. We are using the steps below to create the container and encrypt the folder. The system is using the JFFS2 filesystem.

dd if=/dev/zero of=/home/cryptfile bs=1M count=500
losetup  /dev/loop0   /home/cryptfile
cryptsetup  -y  luksFormat  /dev/loop0
cryptsetup  luksOpen  /dev/loop0  crypt1
mkfs.ext3 -j /dev/mapper/crypt1
mount  /dev/mapper/crypt1   /media/new

The last step, "mount", is failing with "invalid argument". Also, we are not able to compile mkfs.jffs2 to format /dev/mapper/crypt1 as jffs2.

Can anybody help by explaining how to secure the folders on LEDE-based embedded routers using LUKS or any other means?

Thanks,
Sai


#2

hmm, so at every reboot someone has to type a passphrase!?!

by the way, 17.01.* is going end of support at the beginning of 2019.


#3

This seems like a Catch-22 to me:

  • The config files need to be readable (and, in some cases writable) on the router at any point in time that a change to the running system is made (not just at boot and not just when "changes" are made to the config, such as hot-plug events and DHCP lease acquisition)
  • Embedded devices don't have a console on which a decryption key can be entered
  • This seems to mean that the decryption key needs to be "root-readable" at any point in time
  • If the decryption key is root-readable, then what does encryption provide you that
chown -R root:root /etc
chmod -R 600 /etc

or the like doesn't provide?


#4

Thanks for your responses, Rj-45 and Jeff.

hmm, so at every reboot someone has to type a passphrase!?!

We still need to explore how to overcome this step, either by hardcoding the passphrase or by other means.

  • The config files need to be readable (and, in some cases writable) on the router at any point in time that a change to the running system is made (not just at boot and not just when "changes" are made to the config, such as hot-plug events and DHCP lease acquisition)

Yes, config files need to be readable, so we want to at least prevent offline reading of config/scripts using binwalk etc.

  • If the decryption key is root-readable, then what does encryption provide you that

Yes, we have to identify a way to hardcode the key in the application or save it in a safe location.

Thanks,
Sai


#5

I do not think we should support this kind of business... OP is trying to distribute locked down routers, and I think that goes against the spirit of OpenWrt.


#6

And suddenly silence ... :smiley:


#7

#8

Relaxing break
