LinuxQuestions.org


AtheroS 06-22-2017 04:47 AM

Unlock LUKS from network (wifi and LAN)
 
Hello, I want to configure my LUKS encrypted device (currently Raspberry 3, but this should work on any machine running Debian or Debian based distro with initramfs) to be unlockable from LAN and from a WiFi. The custom initramfs should be responsible for connecting via LAN, hosting a wifi network with hostapd and running an ssh server to get the password to unlock the LUKS. There aren't any tutorials on the net for doing this, only for the parts, which aren't fully working, that's why I'm asking for help.

The Parts working already:

Generating an initramfs with Debian tools on Kali and the modified version of Simonschiele's initramfs-hooks (https://github.com/simonschiele/initramfs-hooks), I will make a new GitHub repo for these modified scripts. This initramfs can connect to a network via LAN.

Creating an encrypted rootfs (https://github.com/NicoHood/NicoHood...ition-Tutorial)

Work In Progress:

Fix that Dropbear in the initramfs with Simonschiele's configuration isn't accepting logins (Permission Denied (publickey) - I will give more precise logs), or find a working ssh server for this and 'port' it for the initramfs environment.

Make hostapd work in the initramfs.

Create a script that automatizes the creation of this whole thing and creates a checksum of the initramfs that is easily writeable to a one time write media for integrity checks.

I will give the files and logs that I already made.
Update, here's the repo of the project: https://github.com/AtheroS-dev/luks-initramfs
Thanks for any help, I would be thankful for any type of idea or solution that can help this project.
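
An added example, not part of the original post or the linked repository: one way to produce the checksum from the work-in-progress list, extended from the initramfs alone to every file in the unencrypted /boot tree. The function names and the `record`/`check` arguments are assumptions; it relies on GNU find, sort, xargs and sha256sum.

```shell
#!/bin/sh
# Added example (not from the thread): fingerprint an unencrypted /boot tree.
# Function names and the record/check arguments are illustrative assumptions.

# Print "sha256  ./relative/path" for every regular file under $1 in a
# stable order, so the listing is identical across runs and machines.
boot_manifest() {
    ( cd "$1" || exit 1
      find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Collapse the manifest into one 64-hex-digit value, short enough to keep
# on write-once media. Paths are part of the hashed data, so an added,
# removed or renamed file changes the digest as well as edited content.
boot_digest() {
    manifest=$(boot_manifest "$1") || return 1
    printf '%s\n' "$manifest" | sha256sum | cut -d' ' -f1
}

# Return 0 only if the tree still matches the recorded digest; on a
# mismatch, print the current manifest to stderr for comparison with a backup.
boot_verify() {
    current=$(boot_digest "$1") || return 2
    if [ "$current" = "$2" ]; then
        echo "OK: $1 matches recorded digest"
    else
        echo "MISMATCH: $1 is $current, expected $2" >&2
        boot_manifest "$1" >&2
        return 1
    fi
}

# Usage: script record DIR   |   script check DIR DIGEST
case "${1:-}" in
    record) boot_digest "$2" ;;
    check)  boot_verify "$2" "$3" ;;
esac
```

Only regular files inside the mounted directory are covered, not symlinks or anything outside the filesystem such as the partition table. The check is meaningful only when run from a separate trusted machine with the card mounted there.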

AtheroS 08-10-2017 05:30 AM

I started a new thread
 
I started a new thread, because I can't edit my posts here. The new, relevant thread:
https://forums.kali.org/showthread.p...-(wifi-and-LAN)

AwesomeMachine 08-10-2017 05:47 AM

Well, I'm too lazy to join the Kali forum, so I'll just post on LQ. You would solve most of the problem if you didn't encrypt any system files. Those don't need to be encrypted, because they're not secret. Just make a separate place for data files and encrypt that.

If you have only one partition, then make a sparse file, encrypt it, open it, and format it like a disk. Put all your data in the virtual drive. Close it.

AtheroS 08-10-2017 06:57 AM

Quote:

Originally Posted by AwesomeMachine (Post 5746658)
Well, I'm too lazy to join the Kali forum, so I'll just post on LQ. You would solve most of the problem if you didn't encrypt any system files. Those don't need to be encrypted, because they're not secret. Just make a separate place for data files and encrypt that.

If you have only one partition, then make a sparse file, encrypt it, open it, and format it like a disk. Put all your data in the virtual drive. Close it.

If I encrypt the whole partition, I don't have to search for rootkits in the system files, only in the /boot partition, which is small and I can simply overwrite it from a backup with a trusted device. I don't only encrypt files to hide something, I want to know that they aren't modified.

syg00 08-10-2017 07:36 AM

So you're worried about your system files being modified whilst it isn't even powered on?

AwesomeMachine 08-11-2017 02:24 AM

Quote:

Originally Posted by syg00 (Post 5746684)
So you're worried about your system files being modified whilst it isn't even powered on?

That kind of struck me also.

AtheroS 08-12-2017 10:26 AM

Please think before posting!
 
Quote:

Originally Posted by AwesomeMachine (Post 5747025)
That kind of struck me also.

Someone steals the microSD card, plugs it into another computer, places a keylogger on it, then puts it back into my RPi3. This works only without disk encryption. LUKS protects the integrity of the encrypted partition. (You can't modify encrypted files correctly, because you don't understand them.) Of course there's always a non-encrypted partition for asking for the password, but these can be smaller and checked more easily than the whole rootfs.

AwesomeMachine 08-13-2017 01:07 AM

Yes, if the hacker gains physical access to the hardware all bets are off. I hadn't thought of that particular scenario. But the OP has a valid point.

replica9000 08-13-2017 08:11 AM

Maybe have the initramfs download a keyfile from a trusted machine when it connects to wifi?


All times are GMT -5.