Re: systemd, headless, SSH, manual decryption

To: debian-user@lists.debian.org
Subject: Re: systemd, headless, SSH, manual decryption
From: Erwan David <erwan@rail.eu.org>
Date: Sun, 28 Jun 2015 20:06:39 +0200
Message-id: <[🔎] 20150628180639.GA31695@rail.eu.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 559032E3.7040604@iwakd.de>
References: <[🔎] 1593048.jWx3lSEsNp@strata> <[🔎] 5588549B.8050909@zen.co.uk> <[🔎] 20150622190900.GB2039@rail.eu.org> <[🔎] 20150622194623.GA1992991@phare.normalesup.org> <[🔎] 20150623064639.GC2039@rail.eu.org> <[🔎] 20150623100457.GA26303@chew.redmars.org> <[🔎] 20150623105934.GD2039@rail.eu.org> <[🔎] 55898ED4.9010809@iwakd.de> <[🔎] 559032E3.7040604@iwakd.de>

On Sun, Jun 28, 2015 at 07:46:11PM CEST, Christian Seiler <christian@iwakd.de> said:
> On 06/23/2015 06:52 PM, Christian Seiler wrote:
> > On 06/23/2015 12:59 PM, Erwan David wrote:
> >> Note that I use policy-rc.d to check whether the encrypted disk is
> >> mounted for the daemons that need it (it allows not to change the init
> >> files)
> > 
> > That works? policy-rc.d should only affect invoke-rc.d, which shouldn't
> > be relevant at boot, but only in maintainer scripts. (AFAIK at least.)
> > 
> >> For what I need to know : I have a headless machine with an encrypted disk.
> >> I cannot ask the password on console, so
> >> 1) at boot I do not mount the encrypted disk, and start a minimal set
> >> of daemons, among them the ssh daemon.
> >>
> >> 2) I ssh to the machine then mount encrypted disk and start remaining
> >> daemons.
> >>
> >> How can I do this with systemd ?
> > 
> > This is a great question because it presents a nice little problem that
> > covers quite a few of topics regarding systemd. I've sat down and
> > solved your little problem from a systemd perspective, and hopefully my
> > solution will help you in understanding how systemd works.
> 
> In case anybody is interested: since I've put quite a bit of work into
> implementing / testing this, I've now written it up as a blog post
> (typeset better than an email). I've also put in a couple of links,
> and especially also mentioned that ideally, one would want to do this
> from the initrd and not from a running systemd, see [1] for example.
> Still, since it tackles a couple of systemd concepts and how they
> interact with each other, it could be useful just for furthering
> understanding, so here it is:
> 
> https://blog.iwakd.de/headless-luks-decryption-via-ssh
> 
> Christian
> 
> [1] https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
> (Even though the URL says Wheezy, it's been updated to also support
> Jessie.)
> 


Thanks. I did not yet have the opportunity to test (I am on holiday on a phone), I keep your blog address.

Reply to:

References:
- Change systemd to not be default in Stretch
  - From: "Zebediah C. McClure" <zmc@ensistech.com>
- Re: Change systemd to not be default in Stretch
  - From: Martin Read <zen75502@zen.co.uk>
- Re: Change systemd to not be default in Stretch
  - From: Erwan David <erwan@rail.eu.org>
- Re: Change systemd to not be default in Stretch
  - From: Nicolas George <george@nsup.org>
- Re: Change systemd to not be default in Stretch
  - From: Erwan David <erwan@rail.eu.org>
- Re: Change systemd to not be default in Stretch
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Change systemd to not be default in Stretch
  - From: Erwan David <erwan@rail.eu.org>
- systemd, headless, SSH, manual decryption (was: Re: Change systemd to not be default in Stretch)
  - From: Christian Seiler <christian@iwakd.de>
- Re: systemd, headless, SSH, manual decryption
  - From: Christian Seiler <christian@iwakd.de>

Prev by Date: Re: USB keyboard unreliable since dist-upgrade on 1st of June
Next by Date: Re: CUPS is just killing me
Previous by thread: Re: systemd, headless, SSH, manual decryption
Next by thread: Re: Change systemd to not be default in Stretch
Index(es):
- Date
- Thread