From: Polytropon <freebsd@edvax.de>
To: Paul Florence
Cc: Paul Florence via freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Geli password over network strategies
Date: Mon, 25 Nov 2019 16:23:09 +0100
Message-Id: <20191125162309.e5d9d275.freebsd@edvax.de>
In-Reply-To: <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com>
List-Id: freebsd-questions (User questions)

On Mon, 25 Nov 2019 15:45:17 +0100, Paul Florence via freebsd-questions wrote:
> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to type
> a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks I
> had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk

That would be the problem: You cannot boot one OS from another OS
(heavily simplified and technically not fully correct, but still
the problem remains). The core problem is that in early boot stages
of the OS, no network and therefore no SSH is available. And if you
_re_boot the server (to get the actual OS from the decrypted storage),
the decryption will be gone as soon as you reboot...

> If no, has anyone had to deal with this kind of problem? If so, what
> kind of strategy did you decide to use?

My suggestion would be to enable serial console, and have that serial
console redirect to an SSH port that you can connect to. This way,
the OS boots to the point where you have to enter the passphrase
- now via SSH -, and boot continues, while you can always re-connect
to the serial line.
There are "communication servers" and solutions commonly found in
datacenters that allow you to connect to a system they provide (with
SSH), which then lets you interact with the serial line of your own
server. See "serial over SSH".

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
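The serial-console setup suggested in the reply above, as an added example that is not part of the original mail or of FreeBSD itself: a POSIX sh script for a FreeBSD 12 box that writes the /boot/loader.conf knobs (console, comconsole_speed, boot_multicons), the BIOS-stage /boot.config line and the /etc/ttys entry so that the loader's GELI passphrase prompt, and a login getty after boot, appear on the first serial port. Assumptions that are mine and not from the mail: the serial port is ttyu0/COM1 at 115200 baud, the function names configure_serial_console and check_serial_console, and the optional root-directory argument, which lets you write the files into a scratch directory and inspect them before touching the live system.

```shell
#!/bin/sh
# Added example, not from the original mail: put the FreeBSD loader (and its
# GELI passphrase prompt) plus a login getty on the serial console.
# Assumes ttyu0 (COM1). First argument: root directory to write into
# (default "/"; use a scratch directory to preview). Second: baud rate.

configure_serial_console() {
    root="${1:-/}"
    speed="${2:-115200}"
    mkdir -p "$root/boot" "$root/etc"

    # --- /boot/loader.conf: loader + kernel console selection ---------------
    lc="$root/boot/loader.conf"
    if [ -f "$lc" ]; then
        # Drop any earlier copies of the knobs we manage so re-runs stay clean.
        grep -Ev '^(console|comconsole_speed|boot_multicons)=' "$lc" \
            > "$lc.tmp" || true
        mv "$lc.tmp" "$lc"
    fi
    printf '%s\n' \
        'console="comconsole,vidconsole"' \
        "comconsole_speed=\"$speed\"" \
        'boot_multicons="YES"' >> "$lc"

    # --- /boot.config: the BIOS-stage boot blocks read this (UEFI ignores it)
    # -D dual console, -h serial console, -S<speed> baud rate (see boot(8)).
    printf '%s\n' "-Dh -S$speed" > "$root/boot.config"

    # --- /etc/ttys: keep a getty on the serial line once the OS is up -------
    ttys="$root/etc/ttys"
    entry='ttyu0 "/usr/libexec/getty 3wire" vt100 on secure'
    if [ -f "$ttys" ] && grep -q '^ttyu0' "$ttys"; then
        sed "s|^ttyu0.*|$entry|" "$ttys" > "$ttys.tmp" && mv "$ttys.tmp" "$ttys"
    else
        printf '%s\n' "$entry" >> "$ttys"
    fi
}

# Returns 0 when both the loader console and the serial getty are configured.
check_serial_console() {
    root="${1:-/}"
    grep -q '^console="comconsole' "$root/boot/loader.conf" &&
    grep -q '^ttyu0.*[[:space:]]on[[:space:]]' "$root/etc/ttys"
}
```

After running it against the live root, `kill -HUP 1` makes init re-read /etc/ttys without a reboot; the loader settings take effect at the next boot. Two things to keep in mind: on UEFI systems only the loader.conf settings matter, and whatever box fronts the serial line (the "communication server" from the reply) sees the passphrase in the clear, so it sits inside your trust boundary along with everyone who can log in to it.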