
Re: systemd, headless, SSH, manual decryption



On 06/23/2015 06:52 PM, Christian Seiler wrote:
> On 06/23/2015 12:59 PM, Erwan David wrote:
>> Note that I use policy-rc.d to check whether the encrypted disk is
>> mounted for the daemons that need it (this way the init files do not
>> need to be changed).
> 
> That works? policy-rc.d should only affect invoke-rc.d, which shouldn't
> be relevant at boot, but only in maintainer scripts. (AFAIK at least.)
> 
>> For what I need to know: I have a headless machine with an encrypted disk.
>> I cannot ask for the password on the console, so
>> 1) at boot I do not mount the encrypted disk, and start a minimal set
>> of daemons, among them the ssh daemon.
>>
>> 2) I ssh to the machine then mount encrypted disk and start remaining
>> daemons.
>>
>> How can I do this with systemd?
> 
> This is a great question because it presents a nice little problem that
> covers quite a few topics regarding systemd. I've sat down and
> solved your little problem from a systemd perspective, and hopefully my
> solution will help you in understanding how systemd works.

In case anybody is interested: since I've put quite a bit of work into
implementing / testing this, I've now written it up as a blog post
(typeset better than an email). I've also put in a couple of links,
and especially also mentioned that ideally, one would want to do this
from the initrd and not from a running systemd, see [1] for example.
Still, since it tackles a couple of systemd concepts and how they
interact with each other, it could be useful just for furthering
understanding, so here it is:

https://blog.iwakd.de/headless-luks-decryption-via-ssh

Christian

[1] https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
(Even though the URL says Wheezy, it's been updated to also support
Jessie.)


