LinuxQuestions.org
Old 07-02-2008, 06:33 AM   #1
rjlee
Loading encrypted filesystem password over LAN at boot time?


Hi.

I was just wondering how hard it would be to set up an encrypted / filesystem so that I could enter the password through another machine on the local network (possibly by sharing a USB memory stick)?

I am setting up a server with an encrypted / filesystem. Physical access is difficult, so this would make it a lot easier to reboot the server after kernel updates, power failures etc.

The machine is already installed, but I can re-install if needed.

When I boot, currently it asks me for a password to unlock the root filesystem (luks password from an Ubuntu 8.04 alternate CD install).
 
Old 07-02-2008, 07:52 AM   #2
nx5000
In common LUKS packages, there is already an option to have the passphrase stored on a local usb key.

The job is done by early-crypto.


Quote:
10. The "passdev" keyscript
----------------------------
If you have a keyfile on a removable device (e.g. a USB-key), you can use the
passdev keyscript. It will wait for the device to appear, mount it read-only,
read the key and then unmount the device.

The "key" part of /etc/crypttab will be interpreted as <device>:<path>, it is
strongly recommended that you use one of the persistent device names from
/dev/disk/*, e.g. /dev/disk/by-label/myusbkey.

This is an example of a suitable line in cryptsetup:
cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev

The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
appears in the fs, then mount that device and use the file /keys/root.key
on the device as the key (without any hashing) as the key for the fs.
In /lib/cryptsetup/cryptdisks.functions, the usb key is mounted:

Quote:
# Premounts file systems
mount_fs () {
    local point
    MOUNTED=""

    # $MOUNT lists the mount points to bring up before unlocking;
    # each one that mounts successfully is recorded in $MOUNTED
    for point in $MOUNT; do
        if mount "$point" >/dev/null; then
            MOUNTED="$MOUNTED $point"
        fi
    done
}
So what you'll need, prior to that, is to enable the network and mount the remote USB key (sshfs with public/private key, or any encrypted network file system).
Or you could set up an ssh client that would remotely copy the key to /tmp in RAM and then use the above method for early-crypto.

Here is someone that starts an ssh server then waits for the passphrase from the network. There's also general info on creating an initrd:
http://gpl.coulmann.de/ssh_luks_unlock.html

Just a few ideas..
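As an added example (my code, not from the thread or from the cryptsetup package), here is a small Python checker that parses crypttab lines the way the quoted doc describes, splits a passdev key field into <device>:<path>, and flags key devices that are not persistent /dev/disk/* names. The sample crypttab is constructed: the first line is the one quoted above, the other two are made up.

```python
# Added example (not from the thread): parse /etc/crypttab and check passdev keys (<device>:<path>).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class CryptEntry:
    target: str
    source: str
    key: str
    options: Dict[str, str] = field(default_factory=dict)

def parse_crypttab_line(line: str) -> Optional[CryptEntry]:
    """Parse 'target source [key [options]]'; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed crypttab line: %r" % line)
    entry = CryptEntry(fields[0], fields[1], fields[2] if len(fields) > 2 else "none")
    for opt in (filter(None, fields[3].split(",")) if len(fields) > 3 else []):
        name, _, value = opt.partition("=")  # flag options (e.g. 'swap') get value ""
        entry.options[name] = value
    return entry

def passdev_key(entry: CryptEntry) -> Optional[Tuple[str, str]]:
    """For keyscript=.../passdev entries, split the key field into (device, path)."""
    if not entry.options.get("keyscript", "").endswith("/passdev"):
        return None
    device, sep, path = entry.key.partition(":")
    if not sep or not path.startswith("/"):
        raise ValueError("passdev key must be <device>:<path>, got %r" % entry.key)
    return device, path

def audit(entry: CryptEntry) -> List[str]:
    """Warnings a reviewer would raise; the doc recommends persistent /dev/disk/* names."""
    pd = passdev_key(entry)
    if pd is not None and not pd[0].startswith("/dev/disk/"):
        return ["%s: passdev device %s is not a persistent /dev/disk/* name" % (entry.target, pd[0])]
    return []

def audit_crypttab(text: str) -> List[str]:
    """Audit every entry of a crypttab's text; returns all warnings in file order."""
    return [w for e in filter(None, map(parse_crypttab_line, text.splitlines())) for w in audit(e)]

# Constructed sample: the line quoted in the thread plus two made-up entries.
SAMPLE_CRYPTTAB = """\
cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
data /dev/sdb1 /dev/sdc1:/keys/data.key keyscript=/lib/cryptsetup/scripts/passdev
cswap /dev/hda3 /dev/urandom swap
"""
```

Running audit_crypttab(SAMPLE_CRYPTTAB) flags only the second entry, whose key sits on /dev/sdc1 rather than a /dev/disk/* name.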
 
Old 07-02-2008, 11:12 AM   #3
rjlee
nx5000:

Thanks for that. I tried following that howto, but found it bombed out on Ubuntu repeatedly.

Luckily, someone else has already made it work for Ubuntu and posted a tutorial here: http://www.howtoforge.com/unlock-a-l...-ssh-on-ubuntu

So I've tried running that, and (after removing a line about /lib/tls, which I don't seem to have) it does seem to have booted the initrd. It seems to work fine entering the password at the terminal. When entering it over the network, it claims to set up the cryptographic volume without prompting me for a password (and also seems to fail to do so).

Hopefully I can get that working.
 
Old 07-10-2008, 02:59 PM   #4
simonapnic
Your LUKS solution might work, but have you ever heard of SSHFS?
You can find the official site (I think) here: http://fuse.sourceforge.net/sshfs.html
I've used it in the past and I was pretty satisfied with it.
 
Old 07-12-2008, 03:15 PM   #5
rjlee
Quote:
Originally Posted by simonapnic
Your LUKS solution might work, but have you ever heard of SSHFS?
I think these do different jobs: LUKS encrypts the data stored on a disk, whereas SSHFS encrypts the transfer of data between one machine and another.

As far as I know, there's no way to use SSHFS to ensure that the data is encrypted on disk. Or am I missing something?
 
  

