Re: LUKS disk encryption with remote boot authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Oct 14, 2014 at 23:16:24 CEST, Jonas Meurer wrote:
> Hi Cpp,
> 
> Am 14.10.2014 um 13:42 schrieb Cpp:
> > I'm interested in a solution for devices with LUKS disk encryption
> > that use a remote server to securely obtain a decryption key upon
> > boot. Let me elaborate: Suppose I have an embedded device i.e.
> > Raspberry Pi with an external USB HDD or maybe a Cubieboard with a
> > SATA-attached disk. The rootfs is located on an encrypted partition on
> > the disk that has to be decrypted before the OS can boot. The boot
> > partition is located on an unencrypted NAND/SD partition.
> > 
> > Normally a modern linux distro will ask the user to type in the
> > password via a keyboard upon boot, if disk encryption is being used. I
> > am however interested in setups where this decryption key is obtained
> > securely (TLS?) from a remote (secure) server via LAN.
> > 
> > Are there any known setups like this that I can take a look at?
> 
> Debian and Ubuntu cryptsetup packages (at least, I don't know about
> other distributions) support remote unlocking in initramfs. It works the
> following way: the dropbear ssh server ist started in initramfs, you ssh
> into the initramfs and unlock the root partition, afterwards the boot
> process is continued. See section 8. of README.Debian in the
> distribution packages[1] for further information.

Nice! For remotely-triggered unlocking, that is a good solution.

Arno

 
> Cheers,
>  jonas
> 
> [1] or: here
> http://sources.debian.net/src/cryptsetup/2:1.6.6-2/debian/README.Debian/#L202
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux