Loading encrypted filesystem password over LAN at boot time?
Hi.
I was just wondering how hard it would be to set up an encrypted / filesystem so that I could enter the password through another machine on the local network (possibly by sharing a USB memory stick)?
I am setting up a server with an encrypted / filesystem. Physical access is difficult, so this would make it a lot easier to reboot the server after kernel updates, power failures etc.
The machine is already installed, but I can re-install if needed.
When I boot, currently it asks me for a password to unlock the root filesystem (luks password from an Ubuntu 8.04 alternate CD install).
In common LUKS packages, there is already an option to have the passphrase stored on a local usb key.
The job is done by early-crypto.
Quote:
10. The "passdev" keyscript
----------------------------
If you have a keyfile on a removable device (e.g. a USB-key), you can use the
passdev keyscript. It will wait for the device to appear, mount it read-only,
read the key and then unmount the device.
The "key" part of /etc/crypttab will be interpreted as <device>:<path>, it is
strongly recommended that you use one of the persistent device names from
/dev/disk/*, e.g. /dev/disk/by-label/myusbkey.
This is an example of a suitable line in cryptsetup:
cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
appears in the fs, then mount that device and use the file /keys/root.key
on the device as the key (without any hashing) as the key for the fs.
In /lib/cryptsetup/cryptdisks.functions, the usb key is mounted:
Quote:
# Premounts file systems
mount_fs () {
    local point
    MOUNTED=""
    for point in $MOUNT; do
        if mount "$point" >/dev/null; then
            MOUNTED="$MOUNTED $point"
        fi
    done
}
So what you'll need, prior to that, is to enable the network and mount the remote USB key (sshfs with a public/private key pair, or any encrypted network file system).
Or you could set up an ssh client that would remotely copy the key to /tmp in RAM and then use the above method for early-crypto.
Here is someone that starts an ssh server then waits for the passphrase from the network. There's also general info on creating an initrd: http://gpl.coulmann.de/ssh_luks_unlock.html
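An added example of the "ssh client copies the key into RAM, then cryptsetup uses it" idea from the reply above. This is not code from the thread or from the cryptsetup project: it is a hypothetical keyscript (called `sshkey` here) that follows the same contract as the passdev keyscript on Debian/Ubuntu cryptsetup: the key field of /etc/crypttab is passed as `$1`, and the raw key bytes are written to stdout. The crypttab line, the script name and all file paths below are assumptions; it also assumes the network is already up inside the initramfs and that the ssh client, the client identity and the key server's host key were copied into the initramfs.

```shell
#!/bin/sh
# Added example (not from this thread or the cryptsetup project): a crypttab
# keyscript that fetches the LUKS key file from a key server over ssh instead
# of from a local USB stick. It follows the same keyscript contract as passdev
# on Debian/Ubuntu cryptsetup: the key field of /etc/crypttab arrives in $1 and
# the raw key bytes must be written to stdout.
#
# Assumed crypttab line (script name and key field are hypothetical):
#   cryptroot /dev/hda2 keyuser@keyserver:/keys/root.key luks,keyscript=/lib/cryptsetup/scripts/sshkey
#
# Assumed environment: the network is already up inside the initramfs (ip=
# kernel parameter plus an initramfs hook), and the ssh client, the client
# identity and the key server's host key were copied into the initramfs.

set -u

SSH_BIN="${SSH_BIN:-ssh}"
SSH_IDENTITY="${SSH_IDENTITY:-/etc/cryptsetup/sshkey/id_ed25519}"          # hypothetical path
SSH_KNOWN_HOSTS="${SSH_KNOWN_HOSTS:-/etc/cryptsetup/sshkey/known_hosts}"   # hypothetical path
KEY_TMPDIR="${KEY_TMPDIR:-/run}"   # tmpfs in the initramfs: the key only ever touches RAM
TRIES="${TRIES:-30}"               # the key server may come up later than this box
SLEEP="${SLEEP:-2}"                # seconds between attempts

# Split "user@host:/path" into "host path". Fails on a missing ':', an empty
# part, or a relative path, so a malformed crypttab entry is caught early.
parse_keyspec() {
    spec="$1"
    host="${spec%%:*}"
    path="${spec#*:}"
    if [ "$host" = "$spec" ] || [ -z "$host" ] || [ -z "$path" ]; then
        return 1
    fi
    case "$path" in
        /*) ;;
        *)  return 1 ;;
    esac
    printf '%s %s\n' "$host" "$path"
}

# One fetch attempt. Strict host-key checking against a known_hosts file baked
# into the initramfs means another machine on the LAN answering for the key
# server is rejected; BatchMode rules out any interactive prompt at boot.
fetch_key_once() {
    "$SSH_BIN" -n -i "$SSH_IDENTITY" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$SSH_KNOWN_HOSTS" \
        -o ConnectTimeout=5 \
        "$1" cat "$2"
}

# Retry until a non-empty key has been received, staging it in a tmpfs file so
# binary keys and trailing newlines pass through untouched (a shell variable
# would drop NUL bytes and trailing newlines). Only the key goes to stdout;
# all diagnostics go to stderr, because cryptsetup reads stdout as the key.
fetch_key() {
    parsed=$(parse_keyspec "$1") || { echo "sshkey: bad key spec '$1'" >&2; return 2; }
    host="${parsed%% *}"
    path="${parsed#* }"
    tmp=$(mktemp "$KEY_TMPDIR/sshkey.XXXXXX") || return 1
    n=0
    while [ "$n" -lt "$TRIES" ]; do
        if fetch_key_once "$host" "$path" >"$tmp" 2>/dev/null && [ -s "$tmp" ]; then
            cat "$tmp"
            rm -f "$tmp"
            return 0
        fi
        n=$((n + 1))
        echo "sshkey: attempt $n/$TRIES failed, retrying in ${SLEEP}s" >&2
        sleep "$SLEEP"
    done
    rm -f "$tmp"
    echo "sshkey: giving up, no key from $host" >&2
    return 1
}

# When run by cryptsetup the key field is the single argument.
if [ $# -eq 1 ]; then
    fetch_key "$1"
    exit $?
fi
```

Two things worth pairing with this on the key server side. First, the client identity necessarily sits in the initramfs on the unencrypted /boot partition, so whoever holds the disk also holds that credential; the damage is limited by restricting the key in the server's authorized_keys to exactly one action from one address, e.g. `from="192.0.2.10",command="cat /keys/root.key",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...` (address and key are placeholders), and by firewalling or stopping that sshd whenever no reboot is expected. Second, the known_hosts pin is what stops a rogue box on the LAN from posing as the key server, so keep it in the initramfs rather than disabling host-key checking for convenience.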
So I've tried running that, and (after removing a line about /lib/tls, which I don't seem to have) it does seem to have booted the initrd. It seems to work fine entering the password at the terminal. When entering it over the network, it claims to set up the cryptographic volume without prompting me for a password (and also seems to fail to do so).
Your LUKS solution might work, but have you ever heard of SSHFS?
You can find the official site (I think) here: http://fuse.sourceforge.net/sshfs.html
I've used it in the past and I was pretty satisfied with it.