From: Jonas Meurer <jonas@freesources.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS disk encryption with remote boot authentication
Date: Tue, 14 Oct 2014 23:16:24 +0200 [thread overview]
Message-ID: <543D92A8.50701@freesources.org> (raw)
In-Reply-To: <CAHeB2AnBcV3RnFc7JJ+xX7fj5NspWNBfP5-eVP4xAoUmHUUgMA@mail.gmail.com>
Hi Cpp,
Am 14.10.2014 um 13:42 schrieb Cpp:
> I'm interested in a solution for devices with LUKS disk encryption
> that use a remote server to securely obtain a decryption key upon
> boot. Let me elaborate: Suppose I have an embedded device i.e.
> Raspberry Pi with an external USB HDD or maybe a Cubieboard with a
> SATA-attached disk. The rootfs is located on an encrypted partition on
> the disk that has to be decrypted before the OS can boot. The boot
> partition is located on an unencrypted NAND/SD partition.
>
> Normally a modern linux distro will ask the user to type in the
> password via a keyboard upon boot, if disk encryption is being used. I
> am however interested in setups where this decryption key is obtained
> securely (TLS?) from a remote (secure) server via LAN.
>
> Are there any known setups like this that I can take a look at?
Debian and Ubuntu cryptsetup packages (at least, I don't know about
other distributions) support remote unlocking in initramfs. It works the
following way: the dropbear ssh server ist started in initramfs, you ssh
into the initramfs and unlock the root partition, afterwards the boot
process is continued. See section 8. of README.Debian in the
distribution packages[1] for further information.
Cheers,
jonas
[1] or: here
http://sources.debian.net/src/cryptsetup/2:1.6.6-2/debian/README.Debian/#L202
next prev parent reply other threads:[~2014-10-14 21:46 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-14 11:42 [dm-crypt] LUKS disk encryption with remote boot authentication Cpp
2014-10-14 12:42 ` Ralf Ramsauer
2014-10-14 13:12 ` Arno Wagner
2014-10-14 21:16 ` Jonas Meurer [this message]
2014-10-14 21:51 ` Arno Wagner
2014-10-15 6:49 ` Cpp
2014-10-15 11:37 ` Sam Rakowski
2014-10-17 23:47 ` Alex Elsayed
2014-10-17 23:51 ` Alex Elsayed
2014-10-18 3:37 ` Arno Wagner
2014-10-19 19:13 ` Cpp
2014-10-19 19:40 ` Ralf Ramsauer
2014-10-19 20:12 ` Arno Wagner
2014-10-19 20:59 ` Cpp
2014-10-19 22:10 ` Arno Wagner
2014-10-20 10:09 ` Sven Eschenberg
2014-10-20 13:36 ` Arno Wagner
2014-10-21 4:37 ` Alex Elsayed
2014-10-21 10:01 ` Sven Eschenberg
2014-10-21 13:46 ` Arno Wagner
2014-10-21 14:50 ` Sven Eschenberg
2014-10-21 16:18 ` Arno Wagner
2014-10-21 13:42 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=543D92A8.50701@freesources.org \
--to=jonas@freesources.org \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.