Hi Cpp, I do not think that is conceptually possible. Sure, you could, for ecample, do a password-less ssh to that server to get the passphrase and pipe that directly to cryptsetup. But that is not more secre than storing the pasphrase on the device itself in plain, unless you can remove the passphrase on the remote server in case of issues. Basically, you would do something like this in the initrd: ssh remote_server "cat keyfile_mine" | cryptsetup <device> -d - Of course, the ssh root-user key would need to be present in the initrd for this to work and remote_server would need to allow password-less logins for that key. You also have to have the host key of remote_server in the local known_hosts file on the initrd for this to be secure. You should also know that LUKS does not do pre-boot. What can be done is boot the OS in a minimal configuration from an initrd, map the encrypted container, and then replace the root filesystem with that one from disk. But LUKS container mapping always happens and must happen _after_ the kernel has finished comming up and some minimal OS has been booted. Arno On Tue, Oct 14, 2014 at 13:42:54 CEST, Cpp wrote: > Hello, > > I'm interested in a solution for devices with LUKS disk encryption > that use a remote server to securely obtain a decryption key upon > boot. Let me elaborate: Suppose I have an embedded device i.e. > Raspberry Pi with an external USB HDD or maybe a Cubieboard with a > SATA-attached disk. The rootfs is located on an encrypted partition on > the disk that has to be decrypted before the OS can boot. The boot > partition is located on an unencrypted NAND/SD partition. > > Normally a modern linux distro will ask the user to type in the > password via a keyboard upon boot, if disk encryption is being used. I > am however interested in setups where this decryption key is obtained > securely (TLS?) from a remote (secure) server via LAN. > > Are there any known setups like this that I can take a look at? > > Kind regards! > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
