Re: Remote authentication?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jonas Meurer <jonas@xxxxxxxxxxxxxxx> writes:

> On 16/09/2009 Niall Murphy wrote:
>> We provide a computer that acts as a server for our customers, who
>> have no physical interaction with the machine.
>> We need the data on this machine to be decrypted as it is needed by
>> a number of services on-the-fly.
>> As we need to provide automatic authentication we either need to:
>> 
>> Keep the parts of the filesystem required to boot up and allow an
>> OpenVPN ssh session - permanently decrypted - so that we can
>> remotely authenticate.
>
[...]
> in case that the root partition should be encrypted, you'll need to
> start a minimal ssh daemon in the initramfs in order to login
> remotely and unlock the root partition before the root filesystem is
> mounted.

(WARNING: SHAMELESS PLUG)

More convenient would be to use the Mandos program[1], which runs as a
small client program in the initramfs and retrieves the password to
unlock the root disk from a server on the network.

All network communication is encrypted using TLS.  The clients are
identified by the server using an OpenPGP key; each client has one
unique to it.  The server sends the clients an encrypted password.
The encrypted password is decrypted by the clients using the same
OpenPGP key, and the password is then used to unlock the root file
system, whereupon the computers can continue booting normally.

This allows computers with encrypted root file systems to be capable
of remote and, more importantly, UNATTENDED reboots.

The package is available in both Debian unstable and Ubuntu.

1) http://www.fukt.bsnet.se/mandos

/Teddy Hogeborn, Mandos-co-author and -maintainer

- -- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFKuKXGOWBmT5XqI90RApvWAJ42QpB01kmKCnKLsGJJNUz4b6iiiwCfRUTX
rJBx9MWCXOwlpXJ9opuckAs=
=W3bG
-----END PGP SIGNATURE-----
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
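The exchange Teddy's message describes, as an added illustration that is not part of the original post and not code from the Mandos project: the network side stores, per client key, the root-disk password already encrypted to that key; the initramfs side identifies itself by its key, receives its ciphertext, and decrypts it locally before handing the result to the disk-unlock step. To stay self-contained it substitutes RSA-OAEP for OpenPGP, identifies a client by a SHA-256 fingerprint of its public key, leaves out the TLS session Mandos wraps the request in, and uses a constructed passphrase; all type and function names are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// oaepLabel is a constructed constant binding the ciphertexts to this use.
var oaepLabel = []byte("root-disk-password")

// fingerprint stands in for the OpenPGP fingerprint Mandos identifies a client by:
// here SHA-256 over the DER encoding of an RSA public key (an example choice).
func fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// PasswordServer is the network-side role. Per client fingerprint it holds the
// password already encrypted to that client's key, never the plaintext.
type PasswordServer struct {
	sealed map[string][]byte
}

func NewPasswordServer() *PasswordServer {
	return &PasswordServer{sealed: make(map[string][]byte)}
}

// Enroll seals the password to the client's public key once, at enrolment, so a
// dump of the server's state yields only ciphertext.
func (s *PasswordServer) Enroll(pub *rsa.PublicKey, password []byte) error {
	fp, err := fingerprint(pub)
	if err != nil {
		return err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, password, oaepLabel)
	if err != nil {
		return err
	}
	s.sealed[fp] = ct
	return nil
}

// Serve answers a client that identifies itself by its key with that client's
// ciphertext, and an unknown key with nothing. (TLS transport omitted here.)
func (s *PasswordServer) Serve(pub *rsa.PublicKey) ([]byte, error) {
	fp, err := fingerprint(pub)
	if err != nil {
		return nil, err
	}
	ct, ok := s.sealed[fp]
	if !ok {
		return nil, errors.New("unknown client key")
	}
	return ct, nil
}

// BootClient is the initramfs side: it holds the private half of the key.
type BootClient struct {
	key *rsa.PrivateKey
}

func NewBootClient() (*BootClient, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &BootClient{key: key}, nil
}

// FetchPassword requests the ciphertext and decrypts it locally; the result is
// what would be passed on to unlock the root device.
func (c *BootClient) FetchPassword(s *PasswordServer) ([]byte, error) {
	ct, err := s.Serve(&c.key.PublicKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, ct, oaepLabel)
}

// RunExchange enrols one client, checks that it recovers the password, and that a
// second host with its own key is refused. Returns true when both hold.
func RunExchange() (bool, error) {
	password := []byte("constructed-example-passphrase") // stands in for the LUKS passphrase
	srv := NewPasswordServer()
	known, err := NewBootClient()
	if err != nil {
		return false, err
	}
	if err := srv.Enroll(&known.key.PublicKey, password); err != nil {
		return false, err
	}
	got, err := known.FetchPassword(srv)
	if err != nil {
		return false, err
	}
	stranger, err := NewBootClient()
	if err != nil {
		return false, err
	}
	_, refused := stranger.FetchPassword(srv)
	return bytes.Equal(got, password) && refused != nil, nil
}

func main() {
	ok, err := RunExchange()
	fmt.Println("exchange ok:", ok, "err:", err)
}
```

The point the split makes visible is that the server alone never holds the usable password, only a blob sealed to each client's key; the converse caveat, inherent to any unattended design of this kind, is that the client's private key sits unencrypted in the initramfs, so the protection of the disk rests on the server only being reachable from, and answering, the hosts it has enrolled.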
