Hi Cpp, Am 14.10.2014 um 13:42 schrieb Cpp: > I'm interested in a solution for devices with LUKS disk encryption > that use a remote server to securely obtain a decryption key upon > boot. Let me elaborate: Suppose I have an embedded device i.e. > Raspberry Pi with an external USB HDD or maybe a Cubieboard with a > SATA-attached disk. The rootfs is located on an encrypted partition on > the disk that has to be decrypted before the OS can boot. The boot > partition is located on an unencrypted NAND/SD partition. > > Normally a modern linux distro will ask the user to type in the > password via a keyboard upon boot, if disk encryption is being used. I > am however interested in setups where this decryption key is obtained > securely (TLS?) from a remote (secure) server via LAN. > > Are there any known setups like this that I can take a look at? Debian and Ubuntu cryptsetup packages (at least, I don't know about other distributions) support remote unlocking in initramfs. It works the following way: the dropbear ssh server ist started in initramfs, you ssh into the initramfs and unlock the root partition, afterwards the boot process is continued. See section 8. of README.Debian in the distribution packages[1] for further information. Cheers, jonas [1] or: here http://sources.debian.net/src/cryptsetup/2:1.6.6-2/debian/README.Debian/#L202 _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
