From owner-freebsd-hackers@FreeBSD.ORG Wed Feb 20 07:14:24 2013
Date: Wed, 20 Feb 2013 09:14:22 +0200
Subject: Re: Chicken and egg, encrypted root FS on remote server
From: Alexander Yerenkow
To: Paul Schenkeveld
Cc: hackers@freebsd.org
In-Reply-To: <20130220065810.GA25027@psconsult.nl>
List-Id: Technical Discussions relating to FreeBSD
2013/2/20 Paul Schenkeveld:

> Hi,
>
> I've been trying to find a solution for this chicken and egg problem,
> how to have an encrypted root filesystem on a remote server.
>
> Geli can ask for a root password at the console to unlock the root fs
> but that of course won't work for a remote server.
>
> Ideally I'd like the server to start, do minimal network config, run
> a minimal ssh client (dropbear?) and wait for someone to log in,
> provide the passphrase to unlock the root filesystem and then mount
> the root filesystem and do a normal startup.
>
> I read about a pivotroot call in other OSes, that would allow for a
> very small unencrypted root filesystem to be mounted temporarily until
> the passphrase has been entered and then swap that for a real, encrypted
> root filesystem. But AFAIK we don't have pivotroot.
>
> The problem could also be solved if the real root fs could be union
> mounted over the small unencrypted one but unionfs won't mount over /.
>
> I found out that a ZFS pool where a specific dataset has the
> mountpoint=/ option set can be used to 'bury' the unencrypted root under
> the real root but that would render the unencrypted one unchangeable
> after the real one is mounted (prohibiting the sysadmin from changing
> the ssh credentials or network config there). It would also make
> maintenance a bit more difficult because an import of the zpool would
> automatically remount /, even when running from a cd-rom or USB stick.
> And of course this approach would not work in non-zfs environments
> (like very small systems).
>
> Looking at sys/kern/init_main.c and sys/kern/vfs_mount.c I could
> imagine having a kind of "pre root environment", an unencrypted root
> that gets mounted first (along with a devfs) and a /sbin/init that
> sets up minimal networking and runs sshd. After that one dies the
> unencrypted root and devfs would be unmounted, the real root mounted
> and the real /sbin/init started. But this may be considered a dirty
> approach.
>
> Did I miss the obvious and easy solution? Any ideas?

I'd like to suggest you look at my similar setup; it's used for VMs.
The idea is to have the base OS in a little partition, and use it
read-only (RO) only. All data and configs go in different partitions,
which can be connected manually or automatically.

What you need is to specify in loader.conf:

    init_script="/etc/find-rwfs.sh"

My example:
https://github.com/yerenkow/freebsd-vm-image/blob/master/freebsd-firmware/find-rwfs.sh

In this way you get a RO-booted OS that just waits for you to log in and
mount all required data.

Also, you could contact Andriy Gapon; he managed to do another trick:
boot from RO media such as a CD, and run the whole OS as a chroot, all
transparently.

Hope this helps!

> With kind regards,
>
> Paul Schenkeveld
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

--
Regards,
Alexander Yerenkow
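As an added illustration of the init_script approach in Alexander's reply (this is an example written for this page, not the linked find-rwfs.sh and not FreeBSD project code), here is a minimal POSIX sh script of the kind loader.conf's init_script would point at. /sbin/init runs the named script before /etc/rc and continues with the normal rc sequence once it exits, so the script only has to bring up the network, start a rescue sshd, wait for the administrator to attach the geli providers, mount them where the RO base expects its writable data, and get out of the way. The script path /etc/rc.unlock, the interface name and addresses, the sshd_config.rescue file, the flag file under /var/run, and the "label mountpoint" table format are all assumptions made for the example.

```shell
#!/bin/sh
# Example init_script for FreeBSD's /sbin/init (not the linked find-rwfs.sh).
# Enable from loader.conf on the small, unencrypted base partition:
#
#     init_script="/etc/rc.unlock"      # path is an assumption
#
# init runs this before /etc/rc; when it exits, the normal boot continues
# with whatever we mounted in the meantime. Assumed names throughout:
# em0 with a static address, a rescue sshd config shipped in the RO base,
# geli providers labelled under /dev/gpt/, and a flag file the administrator
# touches after running 'geli attach'.

UNLOCK_FLAG="${UNLOCK_FLAG:-/var/run/root-unlocked}"   # needs a writable /var (e.g. md/tmpfs)
MOUNT_TABLE="${MOUNT_TABLE:-/etc/unlock.table}"        # lines: "<label> <mountpoint>"
RESCUE_SSHD_CONFIG=/etc/ssh/sshd_config.rescue         # assumed file in the RO base
RESCUE_SSHD_PID=/var/run/sshd.rescue.pid

# Just enough networking for the administrator to reach the rescue sshd.
setup_network() {
    ifconfig em0 inet 192.0.2.10 netmask 255.255.255.0 up   # assumed address
    route add default 192.0.2.1
}

# A separate sshd instance with its own config and pid file; host keys and
# authorized_keys live on the unencrypted base partition.
start_rescue_sshd() {
    /usr/sbin/sshd -f "$RESCUE_SSHD_CONFIG" -o "PidFile=$RESCUE_SSHD_PID"
}

stop_rescue_sshd() {
    [ -r "$RESCUE_SSHD_PID" ] && kill "$(cat "$RESCUE_SSHD_PID")" 2>/dev/null
    return 0
}

# Poll once a second for the flag file. Returns 0 when it appears and 1 after
# $2 seconds; a timeout of 0 waits forever (the mode used at boot).
wait_for_unlock() {
    flag=$1; timeout=${2:-0}; waited=0
    while [ ! -e "$flag" ]; do
        if [ "$timeout" -gt 0 ] && [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Read "<label> <mountpoint>" lines from the table (blank lines and '#'
# comments skipped) and mount /dev/<label>.eli on <mountpoint>. Providers the
# administrator did not attach are reported and skipped rather than aborting
# the boot. With $2 = "dry-run" the mount commands are printed, not executed.
mount_from_table() {
    table=$1; mode=${2:-run}
    while read -r label mountpoint rest; do
        case $label in ''|'#'*) continue ;; esac
        dev="/dev/${label}.eli"
        if [ "$mode" = dry-run ]; then
            printf 'mount %s %s\n' "$dev" "$mountpoint"
        elif [ -e "$dev" ]; then
            mount "$dev" "$mountpoint" || echo "rc.unlock: mount of $dev failed" >&2
        else
            echo "rc.unlock: $dev not attached, skipping $mountpoint" >&2
        fi
    done < "$table"
}

main() {
    setup_network
    start_rescue_sshd
    echo "rc.unlock: run 'geli attach' for each provider, then touch $UNLOCK_FLAG"
    wait_for_unlock "$UNLOCK_FLAG" 0
    mount_from_table "$MOUNT_TABLE"
    stop_rescue_sshd
    rm -f "$UNLOCK_FLAG"
}

# Only run the boot sequence when invoked as the init_script itself.
case $0 in */rc.unlock) main ;; esac
```

In use, the administrator logs in over the rescue sshd, runs `geli attach gpt/data` (and the others listed in the table), then `touch /var/run/root-unlocked`; the script mounts the table, kills the rescue sshd and exits, and init carries on with /etc/rc. Two caveats worth keeping in mind: everything the rescue sshd depends on (host keys, authorized_keys, the address it binds to) sits on the unencrypted partition and is therefore writable by anyone with offline access to the disk, so pin that host key on the client side and treat a changed fingerprint as a stop signal, not an inconvenience; and because the base root stays mounted, this gives you encrypted data partitions under an unencrypted system, which is what Alexander describes, not the encrypted / Paul asked for.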