Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

To: debian-user@lists.debian.org
Subject: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
From: deloptes <deloptes@gmail.com>
Date: Wed, 26 Sep 2018 18:14:42 +0200
Message-id: <[🔎] pogb4g$dug$1@blaine.gmane.org>
Reply-to: deloptes@gmail.com
References: <[🔎] jwvo9d0feb7.fsf-monnier+gmane.linux.debian.user@gnu.org> <[🔎] 21b71f22-b81b-11e8-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] Bebc0KKbGfDkmknpZG_kWBpopEpP_bQJxmtOxws2v0o5-Ld2JGH9GznpN9ZQu13_kUuOw6cMxdAJmezjgIxcMKew2JekXpIC82V0pmE5sHA=@mattcrews.com> <[🔎] ca3cbcd6-a1d4-09d2-aff9-ad389884b3c8@plouf.fr.eu.org> <[🔎] lCK9MWRoxKTvcY-qN_89LgF4efdx7L7W4YiwFhE5aq2AwvWR95_-ztA7jhieunl2Lp0H-TYvMzDC04YeIklIPpT-B7gp-j-5UxwOcOtxzS0=@mattcrews.com> <[🔎] 2a2a59ac-2704-5a1f-1d8e-ef5f7cd86fc0@plouf.fr.eu.org> <[🔎] ffad641d-46b7-9378-77e8-cb399ac2e5a1@affinityvision.com.au> <[🔎] pnjupl$irj$1@blaine.gmane.org> <[🔎] 20180915223936.GI4569@bitfolk.com> <[🔎] f017f9d2-036f-3c7a-1ce5-cccdb13c3fdc@plouf.fr.eu.org> <[🔎] 20180919025753.GG4569@bitfolk.com> <[🔎] CAAKASGwKSWCJ4PEjB73+Yyrx_HEeU2z21yukUwbLAMFpv6v1GQ@mail.gmail.com>

Igor Cicimov wrote:

> An example for automation with AWS using SSM and KMS services
>
https://icicimov.github.io/blog/server/LUKS-with-AWS-SSM-and-KMS-in-Systemd/
> It can be modified for initramfs.

so how can we do it with initram and without some external key server?
Imagine I have only boot not encrypted on the server.
I want to boot the machine and get a prompt via SSH or something like SSH,
where I can type in the password and decrypt root and all other volumes.
I do not want to store password or anything sensitive in the boot directory.
I can imagine one time ssh created when you try to login, but it is still
not secure enough.
Can you help with some thoughts on how to implement it?

thanks

Reply to:

Follow-Ups:
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Jonathan Dowland <jmtd@debian.org>

References:
- Re: ext2 for /boot ???
  - From: Stefan Monnier <monnier@iro.umontreal.ca>
- Re: ext2 for /boot ???
  - From: Michael Stone <mstone@debian.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>

Prev by Date: Re: Forgotten MATE tools
Next by Date: Re: Forgotten MATE tools
Previous by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Next by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Index(es):
- Date
- Thread