[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

On Wed, Sep 26, 2018 at 06:14:42PM +0200, deloptes wrote:
so how can we do it with initram and without some external key server?
Imagine I have only boot not encrypted on the server.
I want to boot the machine and get a prompt via SSH or something like SSH,
where I can type in the password and decrypt root and all other volumes.
I do not want to store password or anything sensitive in the boot directory.
I can imagine one time ssh created when you try to login, but it is still
not secure enough.

What you describe is exactly how the dropbear/initramfs integration
works. The data stored in /boot is the initramfs, and within that, the
only material you might consider sensitive is an SSH server keypair
(public&private) for the SSHD instance in the initramfs environment -
this does not need to be the same as for your running system; and an
authorized_keys file, containing your SSH *public* key. Are those too
sensitive for you?

I suspect you could probably do without the SSHD public/private keypair
and have the initramfs environment generate a new pair each time, but
then you'd have no chain of trust for connecting to it; so you have to
weigh up those two scenarios.


⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.

Reply to: