Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
On Wed, Sep 26, 2018 at 06:14:42PM +0200, deloptes wrote:
so how can we do it with initram and without some external key server?
Imagine I have only boot not encrypted on the server.
I want to boot the machine and get a prompt via SSH or something like SSH,
where I can type in the password and decrypt root and all other volumes.
I do not want to store password or anything sensitive in the boot directory.
I can imagine one time ssh created when you try to login, but it is still
not secure enough.
What you describe is exactly how the dropbear/initramfs integration
works. The data stored in /boot is the initramfs, and within that, the
only material you might consider sensitive is an SSH server keypair
(public&private) for the SSHD instance in the initramfs environment -
this does not need to be the same as for your running system; and an
authorized_keys file, containing your SSH *public* key. Are those too
sensitive for you?
I suspect you could probably do without the SSHD public/private keypair
and have the initramfs environment generate a new pair each time, but
then you'd have no chain of trust for connecting to it; so you have to
weigh up those two scenarios.
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.