Date: Mon, 25 Nov 2019 16:18:42 +0100
From: Evilham <contact@evilham.com>
To: Paul Florence <perso@florencepaul.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Geli password over network strategies
Message-ID: <f47b303b-cc2a-4aab-8877-2b24336e5031@yggdrasil.evilham.com>
In-Reply-To: <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
References: <4ac6ee31-ab05-97f6-da4b-c2d798651fdf@florencepaul.com> <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
On Mon., Nov. 25 2019, Paul Florence via freebsd-questions wrote:
> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to type
> a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks I
> had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk
>
> If no, has anyone had to deal with this kind of problem? If so, what
> kind of strategy did you decide to use?
>
> Thanks,

Hi Paul,

I don't think what you mention works as it is, but it is close enough to what I've done and does work. I hope you are aware of the security downsides of doing this; I think it does look like the kind of trade-off you need.

- There is an unencrypted FreeBSD (caveat: kernel must match that of the encrypted system, care when upgrading)
- System boots into that unencrypted FreeBSD
- I access that unencrypted system over SSH
- Encrypted system is unlocked
- reboot -r is used to boot into that system (man reboot explains that quite well)

I use ZFS and a simple unlock script that is at the end of this message (the unencrypted pool is called "init" as opposed to "zroot"), but you should be able to do something similar with e.g. UFS (man reboot has a very basic example).

Also: I do think this use-case could be made easier but haven't tried to hack into the installer (yet). Apparently I am not alone, see the feedback bits towards the end of the episode: https://www.bsdnow.tv/319

Hope this helps, cheers.
--
Evilham

#!/bin/sh
# Setup variables
partition="ada0p4"
zfs_pool="zroot"

# Unlock encrypted system (geli prompts for the passphrase on the terminal)
geli attach ${partition} || exit

# Import pool without mounting only if needed.
# If pool is already imported, this does nothing.
zpool status ${zfs_pool} > /dev/null 2>&1 || zpool import -Nf -R /mnt ${zfs_pool}

# Get bootfs
bootfs=$(zpool get -H -o value bootfs ${zfs_pool})

# See FreeBSD bug 210721
zpool export ${zfs_pool}

# Setup root file system: reboot -r reads vfs.root.mountfrom from the kernel
# environment, so the kenv call must actually run, not just be echoed.
echo "kenv vfs.root.mountfrom=zfs:${bootfs}"
kenv "vfs.root.mountfrom=zfs:${bootfs}"
echo

# Reboot into decrypted system
reboot -r
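The following is an added example, not the script from the message above: a more defensive version of the same geli + ZFS "unlock over SSH, then reboot -r" flow. It assumes the same placeholder provider (ada0p4) and pool (zroot) names, parses `geli status` output so that running it twice from two SSH sessions does not fail on an already-attached provider, refuses to reroot when the pool has no bootfs property, and has a DRY_RUN mode that prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example (not Evilham's script): defensive geli/ZFS unlock-and-reroot
# helper for the "unencrypted init system + reboot -r" flow. Provider and pool
# names are placeholders; set DRY_RUN=1 to print privileged commands instead
# of running them.
set -eu

partition="${PARTITION:-ada0p4}"   # placeholder provider name
zfs_pool="${ZFS_POOL:-zroot}"      # placeholder pool name
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# geli_is_attached STATUS_TEXT PROVIDER
# Parses `geli status` output (header "Name Status Components", then one line
# per .eli device) and succeeds when PROVIDER.eli is listed as ACTIVE. Pure
# text parsing, so it can be exercised without geli present.
geli_is_attached() {
    printf '%s\n' "$1" | awk -v want="$2.eli" '
        NR > 1 && $1 == want && $2 == "ACTIVE" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# mountfrom_value BOOTFS
# Prints the vfs.root.mountfrom value that reboot -r needs. `zpool get -H -o
# value bootfs` prints "-" when the property is unset; refuse that instead of
# rerooting into nothing.
mountfrom_value() {
    case "$1" in
        ""|-) return 1 ;;
    esac
    printf 'zfs:%s\n' "$1"
}

unlock_and_reroot() {
    if geli_is_attached "$(geli status 2>/dev/null || true)" "$partition"; then
        echo "${partition}.eli already attached, skipping geli attach"
    else
        # geli reads the passphrase itself from the SSH terminal, without echo.
        run geli attach "$partition"
    fi

    # Import without mounting, only if the pool is not already imported.
    zpool status "$zfs_pool" >/dev/null 2>&1 \
        || run zpool import -N -f -R /mnt "$zfs_pool"

    bootfs="$(zpool get -H -o value bootfs "$zfs_pool")"
    mountfrom="$(mountfrom_value "$bootfs")" || {
        echo "pool $zfs_pool has no bootfs set; refusing to reroot" >&2
        return 1
    }

    # Export before rerooting (FreeBSD bug 210721, as in the original script).
    run zpool export "$zfs_pool"
    run kenv "vfs.root.mountfrom=$mountfrom"
    run reboot -r
}

# Only act when invoked with an explicit "go" argument, so sourcing the file
# (for example to test the helpers) never reboots the machine.
if [ "${1:-}" = "go" ]; then
    unlock_and_reroot
fi
```

Run it as `DRY_RUN=1 sh unlock.sh go` first over SSH to see the exact commands it would issue on the unencrypted system, then without DRY_RUN to perform the reroot.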