From owner-freebsd-hackers@FreeBSD.ORG Wed Feb 20 11:13:46 2013
Date: Wed, 20 Feb 2013 12:13:39 +0100
From: Paul Schenkeveld
To: Damien Fleuriot
Cc: hackers@freebsd.org
Subject: Re: Chicken and egg, encrypted root FS on remote server
Message-ID: <20130220111339.GA65661@psconsult.nl>
References: <20130220065810.GA25027@psconsult.nl> <20130220074655.GA59952@psconsult.nl>

On Wed, Feb 20, 2013 at 09:47:36AM +0100, Damien Fleuriot wrote:
> 
> On 20 Feb 2013, at 08:46, Paul Schenkeveld wrote:
> 
> > On Wed, Feb 20, 2013 at 02:42:57AM -0500, Jason Hellenthal wrote:
> >> Just a thought with no working example but...
> >> 
> >> bootp / tftp - from a remote secured management frame to TX a key filesystem to unlock your rootfs.
> >> 
> >> Could be something as simple as a remote wireless adhoc server with a 64GB thumbdrive to hold your data or just enough to tell the system where to get it.
> >> 
> >> Considering a key can be any length string of a sort just to say but... Serve the rootfs key directly from a TXT out of a secured DNS zone only visible to said machines.
> > 
> > Thank you but manual entry of the passphrase is a prerequisite here so
> > serving the key automatically is not an option.
> > 
> > With kind regards,
> > 
> > Paul Schenkeveld
> 
> What about getting a remote console like HP's ILO or Dell's DRAC?
> 
> You get to login remotely, you can use some degree of access control... you can even remote boot.

For new hardware I could indeed use this, the current hardware does not
support remote console.  I don't have experience with ILO or DRAC but I
do have experience with SuperMicro's KVM over LAN which does need a Java
client to run.

If I can enter the passphrase over ssh that would be better as I can use
any device including a smartphone to dial in and enter the passphrase.

Thanks!
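As an added illustration of the "enter the passphrase over ssh" approach Paul is after (example code, not from this thread or the FreeBSD project), the sketch below is a small POSIX shell unlock helper intended to run inside an unencrypted pre-boot environment that already has sshd up. It reads the passphrase from the administrator's terminal with echo off, refuses anything that is not a terminal so the secret cannot silently arrive from a file, a pipe or a DNS record, applies a minimal local policy check, and hands the passphrase to geli attach over stdin (-j -) so it never lands in argv or on disk. The provider name ada0p3, the minimum length, the GELI override variable and the pre-boot environment itself are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): geli root unlock helper run by an
# administrator over ssh from a small unencrypted pre-boot environment.
# Assumptions: the provider name, the minimum passphrase length and the
# existence of such a pre-boot environment with sshd.

ROOT_PROVIDER="${ROOT_PROVIDER:-ada0p3}"   # assumed provider name
MIN_LEN="${MIN_LEN:-12}"                   # assumed local policy
GELI="${GELI:-geli}"                       # overridable so the helper can be tested without geli

# Read the passphrase from the controlling terminal with echo off.
# Anything that is not a tty is refused: the thread's point is that the
# key must be typed by a person, not served from a file, pipe or DNS.
read_passphrase() {
    if [ ! -t 0 ]; then
        echo "unlock: stdin is not a terminal; type the passphrase interactively" >&2
        return 1
    fi
    printf 'Passphrase for %s: ' "$ROOT_PROVIDER" >&2
    trap 'stty echo; echo >&2' INT TERM
    stty -echo
    IFS= read -r _pp
    stty echo
    trap - INT TERM
    echo >&2
    printf '%s' "$_pp"
}

# Minimal sanity check before the provider is touched.
check_passphrase() {
    _pp=$1
    [ -n "$_pp" ] || return 1
    [ "${#_pp}" -ge "$MIN_LEN" ] || return 1
    return 0
}

# Hand the passphrase to geli on stdin (geli reads the first line when the
# passfile is "-"), so it never appears in argv, in the process list or on disk.
unlock_root() {
    _pp=$1
    printf '%s\n' "$_pp" | "$GELI" attach -j - "$ROOT_PROVIDER"
}

# Interactive entry point: ssh into the pre-boot environment, run
# "unlock-root.sh unlock", type the passphrase, and the root provider attaches.
case "${1:-}" in
    unlock)
        pp=$(read_passphrase) || exit 1
        check_passphrase "$pp" || { echo "unlock: passphrase rejected by policy" >&2; exit 1; }
        unlock_root "$pp"
        ;;
esac
```

In a real deployment the helper would be the only command the ssh account in the pre-boot environment may run, and that environment would carry its own host key so an administrator can tell the unlock prompt apart from the fully booted system.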