
Re: systemd, headless, SSH, manual decryption



On Sun, Jun 28, 2015 at 07:46:11PM CEST, Christian Seiler <christian@iwakd.de> said:
> On 06/23/2015 06:52 PM, Christian Seiler wrote:
> > On 06/23/2015 12:59 PM, Erwan David wrote:
> >> Note that I use policy-rc.d to check whether the encrypted disk is
> >> mounted for the daemons that need it (this avoids having to change the
> >> init files)
> > 
> > That works? policy-rc.d should only affect invoke-rc.d, which shouldn't
> > be relevant at boot, but only in maintainer scripts. (AFAIK at least.)
> > 
> >> For what I need to know: I have a headless machine with an encrypted disk.
> >> I cannot ask the password on console, so
> >> 1) at boot I do not mount the encrypted disk, and start a minimal set
> >> of daemons, among them the ssh daemon.
> >>
> >> 2) I ssh to the machine then mount encrypted disk and start remaining
> >> daemons.
> >>
> >> How can I do this with systemd?
> > 
> > This is a great question because it presents a nice little problem that
> > covers quite a few topics regarding systemd. I've sat down and
> > solved your little problem from a systemd perspective, and hopefully my
> > solution will help you in understanding how systemd works.
> 
> In case anybody is interested: since I've put quite a bit of work into
> implementing / testing this, I've now written it up as a blog post
> (typeset better than an email). I've also put in a couple of links,
> and especially also mentioned that ideally, one would want to do this
> from the initrd and not from a running systemd, see [1] for example.
> Still, since it tackles a couple of systemd concepts and how they
> interact with each other, it could be useful just for furthering
> understanding, so here it is:
> 
> https://blog.iwakd.de/headless-luks-decryption-via-ssh
> 
> Christian
> 
> [1] https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
> (Even though the URL says Wheezy, it's been updated to also support
> Jessie.)
> 


Thanks. I have not yet had the opportunity to test (I am on holiday, on a phone); I'll keep your blog address.
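An added example, not from this thread or from Christian's blog post: the mount check Erwan describes, written as a policy-rc.d script (with the caveat Christian raises, that only invoke-rc.d consults it, not the boot sequence), next to a systemd drop-in that gates the same daemons at boot. The mount point /srv/encrypted and the daemon names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): gate daemons on an encrypted mount.
# Assumed mount point and daemon list; adjust for your system.
GATED_MOUNT="${GATED_MOUNT:-/srv/encrypted}"
GATED_SERVICES="${GATED_SERVICES:-postgresql dovecot}"

# is_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 when MOUNTPOINT appears as a mount target in MOUNTS_FILE
# (default /proc/mounts). The table is read from a file rather than via
# mountpoint(1) so the check can be exercised against a constructed table.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# policy_decision INITSCRIPT_ID ACTION [MOUNTS_FILE]
# Implements the /usr/sbin/policy-rc.d interface for the gated daemons:
# prints 101 ("action forbidden") when a gated service is asked to start
# while the volume is not mounted, otherwise 0 ("action allowed").
# Caveat from the thread: invoke-rc.d honours this, the boot sequence does not.
policy_decision() {
    svc="$1"; action="$2"; mounts="${3:-/proc/mounts}"
    for g in $GATED_SERVICES; do
        if [ "$svc" = "$g" ]; then
            case "$action" in
                start|restart|reload)
                    is_mounted "$GATED_MOUNT" "$mounts" || { echo 101; return; }
                    ;;
            esac
        fi
    done
    echo 0
}

# systemd equivalent: a drop-in so the unit is skipped at boot while the
# volume is still closed and starts normally once you ssh in, unlock and
# mount. write_dropin SERVICE DEST_DIR (DEST_DIR would be /etc/systemd/system)
write_dropin() {
    d="$2/$1.service.d"
    mkdir -p "$d"
    printf '[Unit]\nConditionPathIsMountPoint=%s\nRequiresMountsFor=%s\n' \
        "$GATED_MOUNT" "$GATED_MOUNT" > "$d/encrypted-gate.conf"
}

# Entry point when installed as /usr/sbin/policy-rc.d; does nothing when
# the file is merely sourced for its functions.
if [ "${1:-}" ] && [ "$(basename "$0")" = "policy-rc.d" ]; then
    exit "$(policy_decision "$1" "$2")"
fi
```

After writing the drop-in, run `systemctl daemon-reload`; after unlocking and mounting over SSH, `systemctl start` on the gated units succeeds because the condition now holds.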

