Re: Remote authentication?

hey,

On 16/09/2009 Niall Murphy wrote:
> We provide a computer that acts as a server for our customers, who
> have no physical interaction with the machine.
> We need the data on this machine to be decrypted as it is needed by a
> number of services on-the-fly.
> As we need to provide automatic authentication we either need to:
> 
> Keep the parts of the filesystem required to boot up and allow an
> OpenVPN ssh session - permanently decrypted - so that we can remotely
> authenticate.

it depends on whether you want to encrypt the whole system, including
root filesystem, or if encrypting the data partitions is enough.

for the latter case you can ssh-login into the machine after boot,
unlock the encrypted data partitions and start services manually.

in case that the root partition should be encrypted, you'll need to
start a minimal ssh daemon in the initramfs in order to login remotely
and unlock the root partition before the root filesystem is mounted.

the debian cryptsetup package supports remote unlocking of the root
partition with the help of a dropbear ssh server inside the initramfs.
see README.remote for more information:
http://svn.debian.org/wsvn/pkg-cryptsetup/cryptsetup/trunk/debian/README.remote

please note that this information is specific to the debian and ubuntu
distributions. it doesn't apply if you use any other linux distribution.

> or 
> Provide a usb key containing the secret key to our customer and read
> this key when the machine boots.

you already mentioned the drawbacks of this approach.

greetings,
 jonas


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
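
The data-partition case from the reply above (ssh in after boot, unlock, then start services), sketched as an added example that is not part of the original mail or of the Debian package. The device paths, mapping names, mount points, service name, the use of `systemctl`, and the `DRY_RUN` switch are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: post-boot unlock of encrypted data partitions over ssh.
# Constructed defaults: "device:mapping-name:mount-point" triples and a service.
VOLUMES="${VOLUMES:-/dev/sdb1:data:/srv/data /dev/sdc1:logs:/srv/logs}"
SERVICES="${SERVICES:-postgresql}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

unlock_and_start() {
    for vol in $VOLUMES; do
        dev=${vol%%:*}
        rest=${vol#*:}
        name=${rest%%:*}
        mnt=${rest#*:}
        # Skip volumes that are already unlocked, so a re-run is harmless.
        if [ ! -e "/dev/mapper/$name" ]; then
            # cryptsetup prompts for the passphrase on the ssh terminal, so it
            # is never stored on the server or passed on a command line.
            run cryptsetup open --type luks "$dev" "$name" || return 1
        fi
        if ! mountpoint -q "$mnt" 2>/dev/null; then
            run mount "/dev/mapper/$name" "$mnt" || return 1
        fi
    done
    # Services that need the data start only after every volume is mounted.
    for svc in $SERVICES; do
        run systemctl start "$svc" || return 1
    done
}

# "unlock" as first argument runs the procedure; otherwise only define it.
if [ "${1:-}" = "unlock" ]; then
    unlock_and_start
fi
```

Run it as root from an interactive session (`ssh -t`) so the passphrase prompt has a terminal, and keep the listed services disabled at boot so they do not start before their data is available.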