From owner-freebsd-questions@freebsd.org Wed Jun 17 08:39:14 2020 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3478B347C77 for ; Wed, 17 Jun 2020 08:39:14 +0000 (UTC) (envelope-from perso@florencepaul.com) Received: from mx-out-01.sud-ouest2.org (mx-out-01.sud-ouest2.org [87.98.220.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx-out-01.sud-ouest2.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49mz4x2qdfz4Tv5 for ; Wed, 17 Jun 2020 08:39:13 +0000 (UTC) (envelope-from perso@florencepaul.com) Received: by mx-out-01.sud-ouest2.org (Postfix, from userid 112) id CBCAD552E60C8; Wed, 17 Jun 2020 10:39:05 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 mx-out-01.sud-ouest2.org CBCAD552E60C8 Received: from localhost (localhost [127.0.0.1]) by mail.sud-ouest2.org (Postfix) with ESMTP id 7023B101D067D7; Wed, 17 Jun 2020 10:39:02 +0200 (CEST) Received: from mail.sud-ouest2.org ([127.0.0.1]) by localhost (mail.sud-ouest2.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PfFO-1HSGxMK; Wed, 17 Jun 2020 10:38:59 +0200 (CEST) From: Paul Florence Subject: Re: Geli password over network strategies To: Evilham Cc: freebsd-questions@freebsd.org References: <4ac6ee31-ab05-97f6-da4b-c2d798651fdf@florencepaul.com> <9dd8e65a-afdd-514f-0dc0-6bb60b9faaab@florencepaul.com> Message-ID: Date: Wed, 17 Jun 2020 10:38:58 +0200 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 49mz4x2qdfz4Tv5 X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.96 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.96)[-0.957]; R_DKIM_ALLOW(-0.20)[florencepaul.com:s=dkim]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:87.98.220.64:c]; NEURAL_HAM_LONG(-1.01)[-1.011]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[florencepaul.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[florencepaul.com,quarantine]; NEURAL_HAM_SHORT(-1.00)[-0.997]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:16276, ipnet:87.98.128.0/17, country:FR]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Jun 2020 08:39:14 -0000 It has been a few month now since this message, however I have been able to successfully use your script with minor modifications. To sum it up : 1) Boot on a FreeBSD USB stick running the same kernel as the one installed on the server drive 2) Fetch encryption.key through sftp (or mount your bootpool) 3) Use your script to mount everything plus the bootpool which is needed because the file "/boot/zfs/zpool.cache" seems to be needed to mount everything correctly at boot time. 3) Reboot Since the live system is on a USB key, I set the usb zfs pool (zroot_usb) to be read-only to avoid unwanted modifications (which could lock me out of my box in case of reboot) and extra wear on the flash cells. However I have a strange behavior that I do not understand. It seems that the (zroot_usb zfs pool persists after the reboot and I can't find a way to disable it. Moreover, it is extra-confusing because it looks like I have two pools mounted at the same mountpoints. The system works mostly fine, but "pkg update" fails because /tmp is too small. I tried to unmount zroot_usb using "zpool export", however since the file system is in use, the pool is busy. Here is the output of "zfs get mounted" : NAME                    PROPERTY  VALUE    SOURCE bootpool                mounted   yes      - zroot                   mounted   yes      - zroot/ROOT              mounted   no       - zroot/ROOT/default        mounted   yes      - zroot/ROOT/default@bk1  mounted   -        - zroot/tmp               mounted   yes      - zroot/usr               mounted   no       - zroot/usr/home          mounted   yes      - zroot/usr/ports         mounted   yes      - zroot/usr/src           mounted   yes      - zroot/var               mounted   no       - zroot/var/audit         mounted   yes      - zroot/var/crash         mounted   yes      - zroot/var/log           mounted   yes      - zroot/var/mail          mounted   yes      - zroot/var/tmp           mounted   yes      - zroot_usb               mounted   no       - zroot_usb/ROOT          mounted   no       - zroot_usb/ROOT/default    mounted   no       - zroot_usb/tmp            mounted   yes      - zroot_usb/usr            mounted   no       - zroot_usb/usr/home       mounted   yes      - zroot_usb/usr/ports       mounted   yes      - zroot_usb/usr/src         mounted   yes      - zroot_usb/var            mounted   no       - zroot_usb/var/audit       mounted   yes      - zroot_usb/var/crash       mounted   yes      - zroot_usb/var/log         mounted   yes      - zroot_usb/var/mail        mounted   yes      - zroot_usb/var/tmp        mounted   yes      - Do you have any idea how to prevent the system to auto-import this pool on startup ? I still need the pool to be auto-imported when booting from the USB disk kernel. Apart from this issue, I am quite satisfied with this setup : if someone were to steal my box they would not be able to decrypt the drive. Yet, it is still possible to replace the USB key with a malicious one recording the password, but this is not really part of my threat model. Secure boot might be able to mitigate this attack but from what I understand it is not yet production ready for FreeBSD. Please note that I am no FreeBSD expert, and everything written are assumptions based from what I understand of the documentation, feel free to correct me if I misunderstood something. On 25/11/2019 16:18, Evilham wrote: > On dl., nov. 25 2019, Paul Florence via freebsd-questions wrote: > >> Hello everyone, >> >> I am currently running a home-made server with 12.0-RELEASE-p10 using >> full disk geli encryption. When I boot the server, I first have to type >> a password to decrypt the whole system. >> >> However, my ISP is having some power issues and in the last few weeks I >> had to go there quite a few times to type a passphrase. >> >> I would like now to be able to enter my passphrase over the network. >> >> Would the following boot process be possible ? >> >> 1. First boot from an unencrypted kernel from a USB stick. >> >> 2. Then start an SSH server. >> >> 3. Input my passphrase over an ssh terminal. >> >> 4. Use the provided passphrase as the geli secret to boot the OS from >> the disk >> >> If no, has anyone had to deal with this kind of problem ? If so, what >> kind of strategy did you decide to use ? >> >> Thanks, > > > Hi Paul, > > I'm don't think what you mention works as it is, but is close enough > to what I've done and does work: > > I hope you are aware of the security downsides of doing this, I think > it does look like the kind of trade-off you need. > > - There is an unencrypted FreeBSD (caveat: kernel must match that  of > the encrypted system, care when upgrading) > - System boots into that unencrypted FreeBSD > - I access that unencrypted system over SSH > - Encrypted system is unlocked > - reboot -r is used to boot into that system (man reboot explains >  that quite well) > > I use ZFS and a simple unlock script that is at the end of this > message (the unencrypted pool is called "init" as opposed to "zroot"), > but you should be able to do sth similar with e.g. UFS (man reboot has > a very basic example). > > Also: I do think this use-case could be made easier but haven't tried > to hack into the installer (yet). Apparently I am not alone, see the > feedback bits towards the end of the episode: https://www.bsdnow.tv/319 > > Hope this helps, cheers. > -- Evilham > > > #!/bin/sh > > # Setup variables > partition="ada0p4" > zfs_pool="zroot" > > # Unlock encrypted system > geli attach ${partition} || exit > > # Import pool without mounting only if needed. > # If pool is already imported, this does nothing. > zpool status ${zfs_pool} > /dev/null 2>&1 || zpool import -Nf -R /mnt > ${zfs_pool} > > # Get bootfs > bootfs=$(zpool get -H -o value bootfs ${zfs_pool}) > > # See FreeBSD bug 210721 > zpool export ${zfs_pool} > > # Setup root file system > echo > kenv "vfs.root.mountfrom=zfs:${bootfs}" > echo > > # Reboot into decrypted system > reboot -r