Re: encrypted root fs on a slug and crypto-modules
On Sat, 22 Mar 2008, Anders Lennartsson wrote:
> > On Tue, 11 Mar 2008 at 07:13:41 +0100, Admir Trakic <firstname.lastname@example.org> wrote:
> > Anders,
> > Is there any way to incoporate this hint:
> > http://www.debian-administration.org/articles/579 where usage of
> > serial port would be avoided?
> > ;-)
> After browsing the howto slightly my guess is that it would work.
> Busybox is available (in fact it is already in the initrd image) for
> the arm and so is dropbear. One concern is the available size on the
> flash in the NSLU2. Dropbear is a bit above 500 kB installed, but not
> all of it needs to be in the initrd image. I think it would fit.
Here is an alternative approach.
1. Have an un-encrypted small bootable file system which
contains the encrypted key for booting the real
file-system and has ssh/dropbear installed. This
file system is mounted "read-only" a la Live-CD's.
2. The sysadmin logs in via ssh and runs "kexec" to boot
the real-file system. The key for the real file-system
is given as a command line parameter to "kexec" (after
the sysadmin has de-crypted it).