Re: [PATCH] Network passphrase reading

Dennis Furey wrote:
> On Sun, Jan 17, 2010 at 07:36:33PM -0800, Bryan Kadzban wrote:
>> So with a couple of changes to the initramfs, and the attached
>> patch (against current SVN), I could send the passphrase over the
>> network instead of typing it in.
> ...
>> Comments?
> 
> Apologies if this is well known already,

It was not; thanks!

> but have a look at http://www.debian-administration.org/articles/579,
> which claims to solve this problem by embedding a lightweight ssh
> server in the initramfs,

Hmm.

That's definitely a hack and a half.  :-P  Especially the way it kills
the cryptroot_block script, and requires two separate inputs at runtime
if you are present.  Making this choice for you is exactly what select()
is for...  :-)

But yeah; an alternate generic select()able FD (in addition to /dev/tty)
would allow this to work mostly-unmodified; you could log into SSH and
just echo the passphrase into the write end of a named pipe, or
configure sshd to dump the data it receives into the pipe (similar to
what it does with sftp-server, with a different subsystem -- though that
may not work with dropbear).  Then provide the read end of that pipe to
cryptsetup on the secondary FD.

Here it looks like you have to log in and run the "unlock" script (which
runs cryptsetup and then kills the _block script).  I was hoping for a
one-liner.  ...Although actually, "ssh root@<ip> unlock" is a one-liner;
hmm.

(Though I don't use Debian, I could hack this approach into the
initramfs setup I do have.)

> I for one would be very interested in a standard solution that would 
> be applicable to remotely hosted dedicated servers.

Yeah, or any box that you don't happen to have physical access to, but
need to (re)boot.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
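
The "alternate select()able FD in addition to /dev/tty" idea from the reply above, worked through as an added C example. This is not code from the thread, from cryptsetup or from the Debian article it discusses: the function names, the FIFO path in the usage line and the choice to open the FIFO O_RDWR are assumptions made here, and the two self-check functions feed constructed sample passphrases through pipe()s that stand in for the console and the FIFO.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Block in select() on the console and on a secondary descriptor (e.g. the
 * read end of a FIFO that an SSH session echoes the passphrase into), read one
 * line from whichever becomes readable first, strip the newline and
 * NUL-terminate.  Either fd may be -1 ("not available", e.g. a failed open()).
 * A source that hits EOF is dropped and the other one is kept.  Returns the
 * passphrase length, or -1 on error or when no source is left; *source gets
 * the fd that supplied it.  Echo suppression on the tty (tcsetattr) is left out
 * to keep the example short.
 */
ssize_t read_passphrase_first_ready(int tty_fd, int alt_fd,
                                    char *buf, size_t buflen, int *source)
{
    if (buflen < 2)
        return -1;
    while (tty_fd >= 0 || alt_fd >= 0) {
        fd_set rfds;
        int maxfd = -1, fd;
        ssize_t n;

        FD_ZERO(&rfds);
        if (tty_fd >= 0) { FD_SET(tty_fd, &rfds); if (tty_fd > maxfd) maxfd = tty_fd; }
        if (alt_fd >= 0) { FD_SET(alt_fd, &rfds); if (alt_fd > maxfd) maxfd = alt_fd; }

        if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        /* If both are ready, take the secondary fd first (deterministic choice). */
        fd = (alt_fd >= 0 && FD_ISSET(alt_fd, &rfds)) ? alt_fd : tty_fd;

        /* One read() is enough for a passphrase written with a single echo;
         * a production version would keep reading until the newline arrives. */
        n = read(fd, buf, buflen - 1);
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN)
                continue;
            return -1;
        }
        if (n == 0) {                 /* EOF: writer went away, stop watching it */
            if (fd == alt_fd) alt_fd = -1; else tty_fd = -1;
            continue;
        }
        buf[n] = '\0';
        if (buf[n - 1] == '\n')
            buf[--n] = '\0';
        *source = fd;
        return n;
    }
    return -1;
}

/* Helper for the constructed self-checks below: two pipe()s stand in for
 * /dev/tty and the FIFO.  `line` is written to the side chosen by via_tty; with
 * net_eof set the FIFO's writer is closed first so that side hits EOF.
 * Returns 1 if `expect` came back from the intended source. */
static int run_pair(int via_tty, int net_eof, const char *line, const char *expect)
{
    int tty[2], net[2], src = -1, ok = 0;
    char buf[64];
    ssize_t n, len = (ssize_t)strlen(line);

    if (pipe(tty) < 0) return 0;
    if (pipe(net) < 0) { close(tty[0]); close(tty[1]); return 0; }
    if (net_eof) { close(net[1]); net[1] = -1; }
    if (write(via_tty ? tty[1] : net[1], line, len) == len) {
        n = read_passphrase_first_ready(tty[0], net[0], buf, sizeof buf, &src);
        ok = n == (ssize_t)strlen(expect) && strcmp(buf, expect) == 0
             && src == (via_tty ? tty[0] : net[0]);
    }
    close(tty[0]); close(tty[1]); close(net[0]);
    if (net[1] >= 0) close(net[1]);
    return ok;
}

/* Passphrase echoed into the FIFO while the console stays silent (constructed). */
int demo_secondary_fd(void)
{
    return run_pair(0, 0, "correct horse battery staple\n", "correct horse battery staple");
}

/* FIFO writer has gone away (EOF); the operator types at the console instead. */
int demo_tty_after_eof(void)
{
    return run_pair(1, 1, "hunter2\n", "hunter2");
}

/* Stand-alone use: ./a.out /run/cryptsetup-pass   (FIFO path is an assumption).
 * Opening the FIFO O_RDWR keeps a writer attached, so the read end does not
 * report a spurious EOF before the remote side writes (Linux behaviour). */
int main(int argc, char **argv)
{
    char buf[512];
    int src = -1, tty_fd, alt_fd;
    ssize_t n;

    if (argc != 2) { fprintf(stderr, "usage: %s <fifo-path>\n", argv[0]); return 2; }
    tty_fd = open("/dev/tty", O_RDONLY);          /* -1 if there is no console */
    alt_fd = open(argv[1], O_RDWR);
    n = read_passphrase_first_ready(tty_fd, alt_fd, buf, sizeof buf, &src);
    if (n < 0) { perror("read_passphrase_first_ready"); return 1; }
    /* Never print the passphrase; hand it to cryptsetup on its secondary fd. */
    printf("read %zd-byte passphrase from %s\n", n, src == alt_fd ? "secondary fd" : "tty");
    memset(buf, 0, sizeof buf);   /* a real caller should use explicit_bzero or equivalent */
    return 0;
}
```

On the remote side the one-liner is then just `ssh root@<ip> 'cat > /run/cryptsetup-pass'` (path assumed, as above) and typing the passphrase. Two caveats the example makes visible: a FIFO opened read-only with no writer yet attached reports EOF rather than blocking, which is why main() opens it O_RDWR, and a source that does hit EOF (the SSH session dropping) must be discarded rather than retried, otherwise the console input is never reached.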
