[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

initramfs-tools / cryptoroot



Hello List,

I'm administering several linux hosts, which are all set up to boot from a
luks-encrypted partition (which partly live in LVM). I was hacked off to have
to go down to the basement and enter the passwords manually on each and every
reboot. So why not let this be managed by a central "boot server"? So I've set
up the following process:

- included sshd/dhclient3 in initrd by a hook
- on boot time, either a static ip is assigned by a boot parameter or a dynamic
one obtained by dhclient3
- sshd is started just before scripts/local-top/cryptoroot is run
- while cryptsetup waits for a password to be entered, a ssh-connection can be
made (thus being able to execute cryptsetup, vgchange etc remotely and
automated...)
- when the partition is unlocked, the cryptsetup process from cryptoroot is
just killed, booting continues (especially this part is nasty (yet) as it may
interfere with other hooks unexpectedly...)
- dhclient3/sshd are killed
- rest as usual.

The remote_unlock_via_ssh.sh script is what i use for remote unlocking. The
config files are stored gpg-encrypted, so i can safely boot root-encrypted
machines from any trusted terminal remotely.

Please let me know what you think. If you like it, I'd gladly document it further.

Cheers,

Daniel


PS: I hope binary attachments to this list are ok, please let me know your
conventions if not.

Attachment: initramfs-remoteunlock.tar.bz2
Description: Binary data


Reply to: