Date: Wed, 20 Feb 2013 07:58:10 +0100
From: Paul Schenkeveld
To: hackers@freebsd.org
Subject: Chicken and egg, encrypted root FS on remote server
Message-ID: <20130220065810.GA25027@psconsult.nl>

Hi,

I've been trying to find a solution for this chicken and egg problem: how to have an encrypted root filesystem on a remote server. Geli can ask for a root password at the console to unlock the root fs, but that of course won't work for a remote server.
Ideally I'd like the server to start, do minimal network config, run a minimal ssh client (dropbear?) and wait for someone to log in, provide the passphrase to unlock the root filesystem, and then mount the root filesystem and do a normal startup.

I read about a pivotroot call in other OSes that would allow a very small unencrypted root filesystem to be mounted temporarily until the passphrase has been entered, and then swap that for a real, encrypted root filesystem. But AFAIK we don't have pivotroot.

The problem could also be solved if the real root fs could be union mounted over the small unencrypted one, but unionfs won't mount over /.

I found out that a ZFS pool where a specific dataset has the mountpoint=/ option set can be used to 'bury' the unencrypted root under the real root, but that would render the unencrypted one unchangeable after the real one is mounted (prohibiting the sysadmin from changing the ssh credentials or network config there). It would also make maintenance a bit more difficult because an import of the zpool would automatically remount /, even when running from a cd-rom or USB stick. And of course this approach would not work in non-zfs environments (like very small systems).

Looking at sys/kern/init_main.c and sys/kern/vfs_mount.c I could imagine having a kind of "pre root environment": an unencrypted root that gets mounted first (along with a devfs) and a /sbin/init that sets up minimal networking and runs sshd. After that one dies, the unencrypted root and devfs would be unmounted, the real root mounted and the real /sbin/init started. But this may be considered a dirty approach.

Did I miss the obvious and easy solution? Any ideas?

With kind regards,

Paul Schenkeveld
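Added example (not from Paul's post or any FreeBSD code): a POSIX sh sketch of the "pre root environment" init described above. It assumes a hypothetical layout in which the geli provider holding the real root is /dev/ada0p3, the admin logs in over ssh and drops the passphrase at /tmp/unlock.pass, and the interface is em0; a DRY_RUN mode records the command sequence instead of executing it. The final handoff to the real /sbin/init is left as a comment, since the post notes FreeBSD has no pivotroot.

```shell
#!/bin/sh
# Pre-root init sketch: minimal network, sshd, wait for a passphrase,
# attach the geli root. Device, path and interface names are assumptions.
DRY_RUN=${DRY_RUN:-0}
ROOT_DEV=${ROOT_DEV:-/dev/ada0p3}       # geli provider holding the real root
PASSFILE=${PASSFILE:-/tmp/unlock.pass}  # written by the admin over ssh
IFACE=${IFACE:-em0}
TRACE=""

# run CMD...: execute the command, or in dry-run mode just record it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        TRACE="${TRACE}$*
"
    else
        "$@"
    fi
}

# Bring up minimal networking and an ssh daemon so an admin can log in.
pre_root_network() {
    run ifconfig "$IFACE" inet "${ADDR:-192.0.2.10/24}" up
    run route add default "${GATEWAY:-192.0.2.1}"
    run /usr/sbin/sshd
}

# Poll until the admin drops a non-empty passphrase file; $1 is the
# maximum number of seconds to wait. Returns 1 on timeout.
wait_for_passphrase() {
    i=0
    while [ ! -s "$PASSFILE" ]; do
        i=$((i + 1))
        [ "$i" -ge "${1:-600}" ] && return 1
        sleep 1
    done
    return 0
}

# Attach the provider from the passphrase file, then overwrite and remove
# the file so the secret does not linger on the unencrypted pre-root fs.
unlock_root() {
    run geli attach -j "$PASSFILE" "$ROOT_DEV"
    run rm -P "$PASSFILE"
    run fsck -p "${ROOT_DEV}.eli"
    run mount -o ro "${ROOT_DEV}.eli" /mnt
    # Handing over to the real /sbin/init (unmount the pre-root and devfs,
    # make /mnt the new /) is the step that needs kernel support.
}
```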