Date: Mon, 25 Nov 2019 16:23:09 +0100
From: Polytropon <freebsd@edvax.de>
To: Paul Florence <perso@florencepaul.com>
Cc: Paul Florence via freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Geli password over network strategies
Message-ID: <20191125162309.e5d9d275.freebsd@edvax.de>
In-Reply-To: <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
References: <4ac6ee31-ab05-97f6-da4b-c2d798651fdf@florencepaul.com> <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
On Mon, 25 Nov 2019 15:45:17 +0100, Paul Florence via freebsd-questions wrote:
> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to type
> a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks I
> had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk

That would be the problem: You cannot boot one OS from another OS
(heavily simplified and technically not fully correct, but still the
problem remains). The core problem is that in early boot stages of the
OS, no network and therefore no SSH is available. And if you _re_boot
the server (to get the actual OS from the decrypted storage), the
decryption will be gone as soon as you reboot...

> If no, has anyone had to deal with this kind of problem? If so, what
> kind of strategy did you decide to use?

My suggestion would be to enable serial console, and have that serial
console redirect to an SSH port that you can connect to. This way, the
OS boots to the point where you have to enter the passphrase - now via
SSH -, and boot continues, while you can always re-connect to the
serial line.

There are "communication servers" and solutions commonly found in
datacenters that allow you to connect to a system they provide (with
SSH) that allows you to interact with the serial line of your own
server. See "serial over SSH".

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
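The serial-console setup suggested in the reply above, as an added example that is not part of the thread: a small sh script that idempotently puts the FreeBSD loader variables `console` and `comconsole_speed` into a loader.conf-style file given as an argument (so it can be tried on a scratch copy before touching the real `/boot/loader.conf`), which is what makes the loader's GELI passphrase prompt appear on the serial port the console server exposes over SSH. The variable names are real FreeBSD loader settings; the path and the 115200 baud rate are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: move the FreeBSD boot console (and so
# the GELI passphrase prompt shown by the loader) onto the first serial port.
# Works on the file path passed as $1; the real target is /boot/loader.conf.
# Caveat: the passphrase crosses the serial link in the clear up to the
# console server, so that link and server must be as trusted as the host.
set -eu

# Set or replace one key="value" line in a loader.conf-style file.
set_loader_var() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        # Key already present: rewrite that line in place, keeping the rest.
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Apply the serial-console settings to the given loader.conf.
enable_serial_console() {
    conf=$1
    # comconsole listed first so the loader prompts on the serial port;
    # vidconsole is kept as a second output for anyone at the machine.
    set_loader_var "$conf" console "comconsole,vidconsole"
    # Speed assumed here; it must match the console server's port setting.
    set_loader_var "$conf" comconsole_speed "115200"
}

# Audit check: return 0 when the file carries both settings, 1 otherwise.
serial_console_enabled() {
    grep -q '^console="comconsole' "$1" && grep -q '^comconsole_speed=' "$1"
}
```

Run `enable_serial_console /boot/loader.conf` as root and reboot; the next GELI prompt is then reachable through the console server's SSH session instead of only at the physical console.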