Unlock LUKS from network (wifi and LAN)
Hello, I want to configure my LUKS encrypted device (currently Raspberry 3, but this should work on any machine running Debian or a Debian-based distro with initramfs) to be unlockable from LAN and from WiFi. The custom initramfs should be responsible for connecting via LAN, hosting a WiFi network with hostapd, and running an SSH server to get the password to unlock the LUKS. There aren't any tutorials on the net for doing this, only for the parts, which aren't fully working; that's why I'm asking for help.

The parts working already:
- Generating an initramfs with Debian tools on Kali and the modified version of Simonschiele's initramfs-hooks (https://github.com/simonschiele/initramfs-hooks). I will make a new GitHub repo for these modified scripts. This initramfs can connect to a network via LAN.
- Creating an encrypted rootfs (https://github.com/NicoHood/NicoHood...ition-Tutorial)

Work in progress:
- Fix that Dropbear in the initramfs with Simonschiele's configuration isn't accepting logins (Permission Denied (publickey) - I will give more precise logs), or find a working SSH server for this and 'port' it for the initramfs environment.
- Make hostapd work in the initramfs.
- Create a script that automates the creation of this whole thing and creates a checksum of the initramfs that is easily writeable to a one-time-write medium for integrity checks.

I will give the files and logs that I already made.

Update, here's the repo of the project: https://github.com/AtheroS-dev/luks-initramfs

Thanks for any help, I would be thankful for any type of idea or solution that can help this project. |
I started a new thread
I started a new thread, because I can't edit my posts here. The new, relevant thread:
https://forums.kali.org/showthread.p...-(wifi-and-LAN) |
Well, I'm too lazy to join the Kali forum, so I'll just post on LQ. You would solve most of the problem if you didn't encrypt any system files. Those don't need to be encrypted, because they're not secret. Just make a separate place for data files and encrypt that.
If you have only one partition, then make a sparse file, encrypt it, open it, and format it like a disk. Put all your data in the virtual drive. Close it. |
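
The sparse-file container described in the post above, as an added example that is not part of the original thread. It assumes root, cryptsetup and mkfs.ext4 are available; the path, mapping name, mount point and 64M size are illustrative values.

```shell
#!/bin/sh
# Added example: LUKS container inside a sparse file.
# Needs root and cryptsetup. IMG, NAME, MNT and the size are assumed values.

IMG="${IMG:-./vault.img}"     # backing file (assumed path)
NAME="${NAME:-vault}"         # /dev/mapper name (assumed)
MNT="${MNT:-/mnt/vault}"      # mount point (assumed)

# Create the sparse backing file: apparent size $2, no data blocks written.
# Refuses to touch an existing file and creates it readable by the owner only.
make_sparse() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite $1" >&2
        return 1
    fi
    (umask 077 && truncate -s "$2" "$1")
}

# One-time setup: write the LUKS header, then format the opened mapping.
vault_create() {
    make_sparse "$IMG" "${1:-64M}" || return 1
    cryptsetup luksFormat "$IMG" || return 1    # prompts for the passphrase
    cryptsetup open "$IMG" "$NAME" || return 1
    mkfs.ext4 -q "/dev/mapper/$NAME"
    rc=$?
    cryptsetup close "$NAME"                    # always drop the mapping again
    return "$rc"
}

# Unlock and mount; if the mount fails, do not leave the mapping open.
vault_open() {
    cryptsetup open "$IMG" "$NAME" || return 1
    if mkdir -p "$MNT" && mount "/dev/mapper/$NAME" "$MNT"; then
        return 0
    fi
    cryptsetup close "$NAME"
    return 1
}

# Unmount first, then remove the mapping so the key leaves kernel memory.
vault_close() {
    umount "$MNT" && cryptsetup close "$NAME"
}
```

Run `vault_create` once, then `vault_open` and `vault_close` around each use; the file grows on disk only as data is written into it.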
Quote:
|
So you're worried about your system files being modified whilst it isn't even powered on?
|
Quote:
|
Please think before posting!
Quote:
|
Yes, if the hacker gains physical access to the hardware all bets are off. I hadn't thought of that particular scenario. But the OP has a valid point.
|
Maybe have the initramfs download a keyfile from a trusted machine when it connects to wifi?
|