Jonas Meurer <jonas@xxxxxxxxxxxxxxx> writes:

> On 16/09/2009 Niall Murphy wrote:
>> We provide a computer that acts as a server for our customers, who
>> have no physical interaction with the machine.
>> We need the data on this machine to be decrypted as it is needed by
>> a number of services on-the-fly.
>> As we need to provide automatic authentication we either need to:
>>
>> Keep the parts of the filesystem required to boot up and allow an
>> OpenVPN ssh session - permanently decrypted - so that we can
>> remotely authenticate.
> [...]
> in case that the root partition should be encrypted, you'll need to
> start a minimal ssh daemon in the initramfs in order to log in
> remotely and unlock the root partition before the root filesystem is
> mounted.

(WARNING: SHAMELESS PLUG)

More convenient would be to use the Mandos program[1], which runs as a small client program in the initramfs and retrieves the password to unlock the root disk from a server on the network.

All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.

This allows computers with encrypted root file systems to be capable of remote and, more importantly, UNATTENDED reboots.

The package is available in both Debian unstable and Ubuntu.

1) http://www.fukt.bsnet.se/mandos

/Teddy Hogeborn, Mandos co-author and maintainer

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos