From: Paul Florence <perso@florencepaul.com>
To: freebsd-questions@freebsd.org
Subject: Geli password over network strategies
Date: Mon, 25 Nov 2019 15:45:17 +0100
Message-ID: <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
In-Reply-To: <4ac6ee31-ab05-97f6-da4b-c2d798651fdf@florencepaul.com>
List-Id: User questions <freebsd-questions@freebsd.org>
Hello everyone,

I am currently running a home-made server with 12.0-RELEASE-p10 using full-disk geli encryption. When I boot the server, I first have to type a password to decrypt the whole system.

However, my ISP is having some power issues, and in the last few weeks I have had to go there quite a few times to type a passphrase. I would now like to be able to enter my passphrase over the network.

Would the following boot process be possible?

1. First boot an unencrypted kernel from a USB stick.
2. Then start an SSH server.
3. Input my passphrase over an SSH terminal.
4. Use the provided passphrase as the geli secret to boot the OS from the disk.

If not, has anyone had to deal with this kind of problem? If so, what kind of strategy did you decide to use?

Thanks,
Paul
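The four-step process proposed in the message, worked through as an added example (this is not code from the original post, nor part of FreeBSD): a script meant to live on the unencrypted USB rescue system, where sshd is already running. The admin logs in over SSH, runs it with `--run`, types the passphrase, and the script attaches the geli provider and then uses `reboot -r` to re-root the already-running kernel onto the decrypted disk, so the normal rc startup continues from there without a second BIOS boot. The provider name `ada0p4`, the UFS root specification and the script name are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD itself.
# Runs inside a minimal, unencrypted FreeBSD system booted from a USB
# stick on which sshd is already up. Usage over the SSH session:
#     sh geli-unlock.sh --run
# PROVIDER and ROOTFS are assumptions for this example; override them
# in the environment to match the real disk layout.

set -u

PROVIDER=${PROVIDER:-ada0p4}                  # assumed geli-encrypted root provider
ROOTFS=${ROOTFS:-ufs:/dev/${PROVIDER}.eli}    # assumed root; ZFS would be zfs:<pool>/<dataset>

# Prompt on the SSH session's tty with echo disabled and print the
# passphrase on stdout, so the caller can capture it without a temp file.
read_passphrase() {
    printf 'geli passphrase for %s: ' "$PROVIDER" >&2
    stty -echo
    read -r pass
    stty echo
    printf '\n' >&2
    printf '%s' "$pass"
}

# "geli attach -j -" takes the passphrase from stdin, so it never appears
# in the process argument list, which every local user can read with ps.
attach_provider() {
    printf '%s\n' "$2" | geli attach -j - "$1"
}

# Make sure the decrypted device really exists before handing the kernel
# a root that is not there.
provider_attached() {
    geli status "$1.eli" >/dev/null 2>&1
}

# Point the kernel at the decrypted device and re-root in place:
# reboot -r kills userland, unmounts everything, mounts the filesystem
# named by vfs.root.mountfrom as the new root and runs the rc startup.
reroot_into() {
    kenv vfs.root.mountfrom="$1" >/dev/null
    reboot -r
}

# Returns non-zero, and does not reroot, when attaching fails
# (typically a wrong passphrase).
unlock_and_reroot() {
    attach_provider "$PROVIDER" "$1" || {
        echo "geli attach $PROVIDER failed (wrong passphrase?)" >&2
        return 1
    }
    provider_attached "$PROVIDER" || {
        echo "/dev/$PROVIDER.eli did not appear" >&2
        return 1
    }
    reroot_into "$ROOTFS"
}

main() {
    pass=$(read_passphrase)
    unlock_and_reroot "$pass"
}

case "${1:-}" in --run) main ;; esac
```

Two caveats a practitioner would want before relying on this. First, the USB stick is unencrypted code that sees the passphrase: anyone with physical access to the box could replace it with an image that records what is typed, so the rescue image's SSH host key should be pinned in the client's known_hosts, and a changed key treated as a reason not to type the passphrase. Second, if the provider was initialised with a key file in addition to the passphrase, `geli attach` also needs `-k keyfile`; with only a passphrase the `-j -` form above is enough.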