Subject: Fwd: Chicken and egg, encrypted root FS on remote server
From: Jason Hellenthal
Date: Wed, 20 Feb 2013 02:44:41 -0500
To: hackers@freebsd.org
Cc: Paul Schenkeveld

Meant to also reply all... Reply elsewhere...

-- 
Jason Hellenthal
JJH48-ARIN - (2^(N-1))

Begin forwarded message:

> From: Jason Hellenthal
> Date: February 20, 2013 2:42:57 EST
> To: Paul Schenkeveld
> Subject: Re: Chicken and egg, encrypted root FS on remote server
>
> Just a thought with no working example but...
>
> bootp / tftp - from a remote secured management frame to TX a key filesystem to unlock your rootfs.
>
> Could be something as simple as a remote wireless adhoc server with a 64GB thumbdrive to hold your data or just enough to tell the system where to get it.
>
> Considering a key can be any length string of a sort just to say but... Serve the rootfs key directly from a TXT out of a secured DNS zone only visible to so said machines.
>
> Just a thought.
>
> -- 
> Jason Hellenthal
> JJH48-ARIN
> - (2^(N-1))
>
>
> On Feb 20, 2013, at 1:58, Paul Schenkeveld wrote:
>
>> Hi,
>>
>> I've been trying to find a solution for this chicken and egg problem,
>> how to have an encrypted root filesystem on a remote server.
>>
>> Geli can ask for a root password at the console to unlock the root fs
>> but that of course won't work for a remote server.
>>
>> Ideally I'd like the server to start, do minimal network config, run
>> a minimal ssh client (dropbear?) and wait for someone to log in,
>> provide the passphrase to unlock the root filesystem and then mount
>> the root filesystem and do a normal startup.
>>
>> I read about a pivotroot call in other OS-es, that would allow for a
>> very small unencrypted root filesystem to be mounted temporarily until
>> the passphrase has been entered and then swap that for a real, encrypted
>> root filesystem. But AFAIK we don't have pivotroot.
>>
>> The problem could also be solved if the real root fs could be union
>> mounted over the small unencrypted one but unionfs won't mount over /.
>>
>> I found out that a ZFS pool where a specific dataset has the
>> mountpoint=/ option set can be used to 'bury' the unencrypted root under
>> the real root but that would render the unencrypted one unchangeable
>> after the real one is mounted (prohibiting sysadmin to change the ssh
>> credentials or network config there). It would also make maintenance
>> a bit more difficult because an import of the zpool would automatically
>> remount /, even when running from a cd-rom or USB stick. And of course
>> this approach would not work in non-zfs environments (like very small
>> systems).
>>
>> Looking at sys/kern/init_main.c and sys/kern/vfs_mount.c I could
>> imagine having a kind of "pre root environment", an unencrypted root
>> that gets mounted first (along with a devfs) and a /sbin/init that
>> sets up minimal networking and runs sshd. After that one dies the
>> unencrypted root and devfs would be unmounted, the real root mounted
>> and the real /sbin/init started. But this may be considered a dirty
>> approach.
>>
>> Did I miss the obvious and easy solution? Any ideas?
>>
>> With kind regards,
>>
>> Paul Schenkeveld
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
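Added example, not from either poster: a boot script sketching the "pre root environment" Paul describes, run from the small unencrypted root. It brings up the network and sshd, waits for the admin to deliver the geli passphrase over ssh, attaches the real root provider and re-roots onto it. The provider name, key-file path, addresses and the use of `reboot -r` (a later FreeBSD feature that mounts `vfs.root.mountfrom` as the new root, filling the pivotroot role the thread notes was missing) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): boot script for the unencrypted
# "pre root environment" Paul sketches. It brings up the network and sshd,
# waits for the admin to deliver the geli passphrase over ssh, attaches the
# real root provider and re-roots onto it. All paths/names are assumptions.
ROOT_PROV=${ROOT_PROV:-ada0p3}           # geli-encrypted root provider
KEYFILE=${KEYFILE:-/var/run/rootkey}     # where the admin scp's the passphrase
TIMEOUT=${TIMEOUT:-600}                  # seconds to wait before giving up
IFACE=${IFACE:-em0}; ADDR=${ADDR:-192.0.2.10/24}; GW=${GW:-192.0.2.1}

# Poll for the passphrase file; 0 when it appears, 1 when $2 seconds elapse.
wait_for_key() {
    waited=0
    while [ ! -s "$1" ]; do
        [ "$waited" -ge "$2" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# Refuse to feed geli anything empty or readable by other users (mode 0600).
key_is_usable() {
    [ -s "$1" ] || return 1
    case "$(uname -s)" in
        FreeBSD|Darwin) mode=$(stat -f %Lp "$1") ;;  # BSD stat
        *)              mode=$(stat -c %a "$1") ;;   # GNU stat (testing elsewhere)
    esac
    [ "$mode" = 600 ]
}

# Boot-time flow; only runs when invoked as `sh preroot.sh run`.
preroot_main() {
    ifconfig "$IFACE" inet "$ADDR" up && route add default "$GW"
    /usr/sbin/sshd                    # admin logs in, scp's passphrase to $KEYFILE
    if ! wait_for_key "$KEYFILE" "$TIMEOUT" || ! key_is_usable "$KEYFILE"; then
        echo "no usable key within ${TIMEOUT}s; staying in pre-root" >&2
        return 1
    fi
    geli attach -j "$KEYFILE" "/dev/$ROOT_PROV" || return 1
    rm -P "$KEYFILE"                  # overwrite: passphrase no longer needed
    # Re-root onto the decrypted provider: reboot -r (FreeBSD 10.3+) unmounts
    # everything, mounts vfs.root.mountfrom and starts the real /sbin/init,
    # which is the pivotroot equivalent the thread was missing.
    kenv vfs.root.mountfrom="ufs:/dev/${ROOT_PROV}.eli" && reboot -r
}
[ "${1:-}" = run ] && preroot_main
```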