Date:      Mon, 25 Nov 2019 09:15:12 -0600
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Geli password over network strategies
Message-ID:  <070fde61-d128-bae6-b381-75c9a204980b@denninger.net>
In-Reply-To: <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
References:  <4ac6ee31-ab05-97f6-da4b-c2d798651fdf@florencepaul.com> <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>



On 11/25/2019 08:45, Paul Florence via freebsd-questions wrote:
> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to
> type a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks
> I had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk
>
> If not, has anyone had to deal with this kind of problem? If so, what
> kind of strategy did you decide to use?
>
Yep.  My infrastructure is UPS backed but UPS batteries run out and then
things shut down.  When power comes back, well, I'd like to be able to
enter that password with REASONABLE security.

Here's my strategy for dealing with it.

Front-end the server with something that is a dedicated firewall and
WILL reboot on power fail and come back to multi-user, normal mode (I
use a pcEngines box that boots off SD and runs with root mounted
read-only; there is thus essentially zero risk of said box not coming
all the way back up unattended.)  It runs StrongSwan.

Now from "wherever" I can either ssh or VPN into that after a power
failure.  The main box is, at this point, sitting at a console prompt
asking for a GELI password as the loader requires it to unlock the root
ZFS pool.

I now have choices; I could have the big box set up to go to a serial
console and have the serial port plugged in, but instead my usual choice
is to use the existing "big box's" IPKVM feature, which I can
access via two means -- either over the VPN (since my laptop now appears
to be on the local LAN which has the IPKVM port on it) or I can sign
into the gateway and use "ssh" to set up a temporary tunnel to the
https port on the IPKVM interface, thereby allowing me to directly open
"https://gateway-ip-address:whateverport" and sign into the IPKVM that
way, then use its functionality to get direct console access.  Either
way the session is encrypted so the password cannot be picked off.

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
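The second option Karl describes (sign into the gateway, forward a local port through it to the IPKVM's https interface, then open the IPKVM login page over that tunnel) as an added example; this is not code from the thread or from any of the participants. The gateway hostname, the IPKVM's LAN address and the port numbers are constructed placeholders and can be overridden through the environment. The forward is bound to 127.0.0.1 on the laptop so the IPKVM page is reachable only from the machine running the tunnel, `-N` opens no remote shell, and `ExitOnForwardFailure` makes ssh fail loudly instead of silently connecting without the forward.

```shell
#!/bin/sh
# Added example (not from the original thread): tunnel a local port through the
# always-up gateway to the IPKVM's https port so the GELI passphrase is typed
# over an encrypted session.  All hosts and ports below are constructed
# placeholders; override them in the environment.
GATEWAY_HOST="${GATEWAY_HOST:-gateway.example.net}"   # the pcEngines firewall box
IPKVM_ADDR="${IPKVM_ADDR:-192.0.2.10}"                # IPKVM address on the LAN behind it
IPKVM_PORT="${IPKVM_PORT:-443}"                       # IPKVM https port
LOCAL_PORT="${LOCAL_PORT:-8443}"                      # loopback port on the laptop

# Build the -L specification: bind on loopback only, so nothing else on the
# laptop's network can reach the forwarded IPKVM port.
forward_spec() {
    printf '127.0.0.1:%s:%s:%s' "$LOCAL_PORT" "$IPKVM_ADDR" "$IPKVM_PORT"
}

# Build the full ssh command line.  -N: no remote shell, only the forward.
# ExitOnForwardFailure=yes: if the gateway refuses the forward, exit non-zero
# rather than leaving a session with no tunnel in it.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s %s' "$(forward_spec)" "$GATEWAY_HOST"
}

# The URL to open in the browser once the tunnel is up.
ipkvm_url() {
    printf 'https://127.0.0.1:%s/' "$LOCAL_PORT"
}

# Guard against an accidental wildcard bind: a -L spec whose bind address is
# 0.0.0.0, an empty address, or an external interface would expose the
# IPKVM login page to everything that can reach the laptop.
forward_is_loopback_only() {
    case "$1" in
        127.0.0.1:*|localhost:*|\[::1\]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only actually start the tunnel when asked to, so the script can be sourced
# or inspected safely.  Usage:  RUN_TUNNEL=yes sh ipkvm-tunnel.sh
if [ "${RUN_TUNNEL:-no}" = yes ]; then
    forward_is_loopback_only "$(forward_spec)" || {
        echo "refusing to start: forward is not bound to loopback" >&2
        exit 1
    }
    echo "opening tunnel; then browse to $(ipkvm_url)" >&2
    eval "$(tunnel_cmd)"
fi
```

When the tunnel is up, the browser presents the IPKVM's own certificate at `https://127.0.0.1:8443/`; compare it against the one you saw on the local LAN before trusting the login page, since the ssh session protects the path to the gateway but says nothing about what answers on the far side. Closing the ssh process tears the tunnel down, which is the point of calling it temporary.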


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?070fde61-d128-bae6-b381-75c9a204980b>