Hello, I want to configure my LUKS encrypted device (currently Raspberry 3, but this should work on any machine running Debian or a Debian-based distro with initramfs) to be unlockable from LAN and from WiFi. The custom initramfs should be responsible for connecting via LAN, hosting a WiFi network with hostapd and running an SSH server to get the password to unlock the LUKS. There aren't any tutorials on the net for doing this, only for the parts, which aren't fully working; that's why I'm asking for help.
The Parts working already:
Generating an initramfs with Debian tools on Kali and the modified version of Simonschiele's initramfs-hooks (https://github.com/simonschiele/initramfs-hooks); I will make a new GitHub repo for these modified scripts. This initramfs can connect to a network via LAN.
Fix that Dropbear in the initramfs with Simonschiele's configuration isn't accepting logins (Permission Denied (publickey) - I will give more precise logs), or find a working SSH server for this and 'port' it for the initramfs environment.
Make hostapd work in the initramfs.
Create a script that automatizes the creation of this whole thing and creates a checksum of the initramfs that is easily writeable to a one time write media for integrity checks.
I will give the files and logs that I already made.
Update, here's the repo of the project: https://github.com/AtheroS-dev/luks-initramfs
Thanks for any help, I would be thankful for any type of idea or solution that can help this project.
Last edited by AtheroS; 06-22-2017 at 05:03 AM.
Reason: adding link to logs and files
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
Well, I'm too lazy to join the Kali forum, so I'll just post on LQ. You would solve most of the problem if you didn't encrypt any system files. Those don't need to be encrypted, because they're not secret. Just make a separate place for data files and encrypt that.
If you have only one partition, then make a sparse file, encrypt it, open it, and format it like a disk. Put all your data in the virtual drive. Close it.
If I encrypt the whole partition, I don't have to search for rootkits in the system files, only in the /boot partition, which is small and I can simply overwrite it from a backup with a trusted device. I don't only encrypt files to hide something, I want to know that they aren't modified.
Someone steals the microSD card, plugs it into another computer, places a keylogger on it, then puts it back into my RPi3. This works only without disk encryption. LUKS protects the integrity of the encrypted partition. (You can't modify encrypted files correctly, because you don't understand them.) Of course there's always a non-encrypted partition for asking for the password, but these can be smaller and checked more easily than the whole rootfs.
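The thread's plan to checksum the initramfs and to check the small unencrypted /boot against a trusted copy can be done with a file manifest, sketched below. This is an added example, not code from the posters or from the luks-initramfs repo; the function names and sample files are hypothetical, and it assumes find, sort, xargs and sha256sum with their usual GNU/BusyBox options.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: integrity manifest for an unencrypted
# /boot. Function names and the demo file names are hypothetical.

# Print "sha256  ./path" for every regular file under DIR, in stable order.
boot_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# One digest over the whole manifest: 64 hex characters, short enough to
# keep on write-once media or a trusted device.
manifest_digest() {
    boot_manifest "$1" | sha256sum | cut -d' ' -f1
}

# Compare DIR against a trusted MANIFEST file. Prints ADDED / MODIFIED /
# MISSING lines and returns non-zero if anything differs.
boot_verify() {
    [ -r "$2" ] || { echo "no trusted manifest: $2" >&2; return 2; }
    boot_manifest "$1" | awk -v trusted="$2" '
        BEGIN { while ((getline l < trusted) > 0) want[substr(l, 67)] = substr(l, 1, 64) }
        { p = substr($0, 67); h = substr($0, 1, 64); seen[p] = 1
          if (!(p in want))      { print "ADDED " p;    bad = 1 }
          else if (want[p] != h) { print "MODIFIED " p; bad = 1 } }
        END { for (p in want) if (!(p in seen)) { print "MISSING " p; bad = 1 }
              exit bad + 0 }'
}

# Demo on a constructed stand-in for /boot (sample files, not real images).
demo() {
    local boot trusted
    boot=$(mktemp -d) && trusted=$(mktemp) || return 1
    printf 'kernel-bytes'    > "$boot/kernel.img"
    printf 'initramfs-bytes' > "$boot/initramfs.gz"
    boot_manifest "$boot" > "$trusted"      # taken while the card is trusted
    echo "digest to record: $(manifest_digest "$boot")"
    printf 'initramfs-bytes-changed' > "$boot/initramfs.gz"   # simulated change
    boot_verify "$boot" "$trusted" || echo "verification failed"
    rm -rf "$boot" "$trusted"
}
demo
```

The check only means something when it is run from a separate trusted system against a manifest stored off the card, since a modified /boot could also carry a modified checker.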