From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail3.uklinux.net (mail3.uklinux.net [80.84.72.33])
	by mail.saout.de (Postfix) with ESMTP
	for ; Mon, 18 Jan 2010 05:31:27 +0100 (CET)
Date: Mon, 18 Jan 2010 04:31:26 +0000
Message-ID: <20100118043126.GA6523@basis.uklinux.net>
References: <4B53D741.2080603@kdzbn.homelinux.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4B53D741.2080603@kdzbn.homelinux.net>
From: dennis@basis.uklinux.net (Dennis Furey)
Subject: Re: [dm-crypt] [PATCH] Network passphrase reading
To: Bryan Kadzban
Cc: dm-crypt@saout.de

On Sun, Jan 17, 2010 at 07:36:33PM -0800, Bryan Kadzban wrote:
>
> So with a couple of changes to the initramfs, and the attached patch
> (against current SVN), I could send the passphrase over the network
> instead of typing it in.
...
> Comments?

Apologies if this is well known already, but have a look at
http://www.debian-administration.org/articles/579, which claims to
solve this problem by embedding a lightweight ssh server in the
initramfs, and allows either local or remote booting without sending
the passphrase in clear text. It doesn't appear to require any source
code modifications to cryptsetup.

I for one would be very interested in a standard solution that would
be applicable to remotely hosted dedicated servers.