Hi,

I don't know any stock setup like this. But that doesn't imply that it is impossible.

What do you actually hope to gain from it? I *suppose* you want to remotely obtain the key because you don't want to type any passphrases onto a headless setup.

Sure, using an initrd, playing around with it a bit will probably solve your problem, but keep in mind that your Raspberry should authenticate against the "key-server" (e.g. using a certificate) when using a TLS connection. During the bootup process, the Raspberry needs to have access to that certificate. So if someone has physical access to your device, he can steal your certificate and steal your passphrase.

Maybe it would be better to use a USB flash drive containing a keyfile. During the bootup, you stick in the flash drive, afterwards you can remove it and keep it at some secret place :-)

Cheers
Ralf

On 10/14/14 14:42, Cpp wrote:
> Hello,
>
> I'm interested in a solution for devices with LUKS disk encryption
> that use a remote server to securely obtain a decryption key upon
> boot. Let me elaborate: Suppose I have an embedded device i.e.
> Raspberry Pi with an external USB HDD or maybe a Cubieboard with a
> SATA-attached disk. The rootfs is located on an encrypted partition on
> the disk that has to be decrypted before the OS can boot. The boot
> partition is located on an unencrypted NAND/SD partition.
>
> Normally a modern linux distro will ask the user to type in the
> password via a keyboard upon boot, if disk encryption is being used. I
> am however interested in setups where this decryption key is obtained
> securely (TLS?) from a remote (secure) server via LAN.
>
> Are there any known setups like this that I can take a look at?
>
> Kind regards!
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
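
The removable-keyfile approach suggested in the reply above, written as a keyscript for a Debian-style `/etc/crypttab`; this is an added example, not code from the thread. The filesystem label `LUKSKEY`, the mount point, the install path and the availability of `/dev/disk/by-label` in the initrd are assumptions.

```shell
#!/bin/sh
# Added example: keyscript for the Debian crypttab "keyscript=" option.
# Assumed crypttab line (all names constructed):
#   cryptroot UUID=<luks-uuid> LUKSKEY:/root.key luks,keyscript=/usr/local/sbin/usbkey
# The key field "LABEL:path" arrives as $1; whatever is written to stdout is
# used as the LUKS key, so every diagnostic goes to stderr.

MNT=/run/usbkey   # assumption: scratch mount point inside the initrd
WAIT=30           # seconds to wait for the flash drive to appear

# Print the keyfile only if it is a plain, non-empty, reasonably small file.
emit_key() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "usbkey: no regular keyfile" >&2; return 1; }
    size=$(($(wc -c < "$f")))
    [ "$size" -gt 0 ] && [ "$size" -le 8192 ] || { echo "usbkey: bad key size" >&2; return 1; }
    cat "$f"
}

# Split "LABEL:path" into its two parts.
key_label() { printf '%s\n' "${1%%:*}"; }
key_path()  { printf '%s\n' "${1#*:}"; }

# Poll until a filesystem with the given label shows up, then print its device.
wait_for_label() {
    dev=/dev/disk/by-label/$1
    i=0
    while [ ! -e "$dev" ]; do
        [ "$i" -ge "$WAIT" ] && return 1
        sleep 1; i=$((i + 1))
    done
    printf '%s\n' "$dev"
}

main() {
    dev=$(wait_for_label "$(key_label "$1")") || { echo "usbkey: drive not found" >&2; return 1; }
    mkdir -p "$MNT"
    # Read-only and noexec: the drive is only ever a source of key bytes.
    mount -o ro,nosuid,nodev,noexec "$dev" "$MNT" >&2 || return 1
    emit_key "$MNT/$(key_path "$1")"; rc=$?
    umount "$MNT" >&2   # unmount so the drive can be pulled once the volume is open
    return $rc
}

# Run only when called by the cryptsetup boot scripts, which export CRYPTTAB_NAME.
if [ -n "${CRYPTTAB_NAME:-}" ]; then main "$1"; fi
```

Unlike a TLS client certificate stored on the unencrypted boot partition, nothing secret stays on the device once the drive is removed.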