[dm-crypt] LUKS disk encryption with remote boot authentication

Ralf Ramsauer ralf+dm at ramses-pyramidenbau.de
Tue Oct 14 14:42:05 CEST 2014


Hi,

I don't know any stock setup like this. But that doesn't imply that it
is impossible.

What do you actually hope to gain from it?
I *suppose* you want to remotely obtain the key because you don't want
to type any passphrases onto a headless setup.

Sure, using an initrd and playing around with it a bit will probably solve
your problem, but keep in mind that your Raspberry should authenticate
against the "key-server" (e.g. using a certificate) when using a TLS
connection.
During the bootup process, the Raspberry needs to have access to that
certificate. So if someone has physical access to your device, he can
steal your certificate and steal your passphrase.

Maybe it would be better to use a USB flash drive containing a keyfile.
During the bootup, you stick in the flash drive, afterwards you can
remove it and keep it at some secret place :-)

Cheers
  Ralf

On 10/14/14 14:42, Cpp wrote:
> Hello,
>
> I'm interested in a solution for devices with LUKS disk encryption
> that use a remote server to securely obtain a decryption key upon
> boot. Let me elaborate: Suppose I have an embedded device i.e.
> Raspberry Pi with an external USB HDD or maybe a Cubieboard with a
> SATA-attached disk. The rootfs is located on an encrypted partition on
> the disk that has to be decrypted before the OS can boot. The boot
> partition is located on an unencrypted NAND/SD partition.
>
> Normally a modern linux distro will ask the user to type in the
> password via a keyboard upon boot, if disk encryption is being used. I
> am however interested in setups where this decryption key is obtained
> securely (TLS?) from a remote (secure) server via LAN.
>
> Are there any known setups like this that I can take a look at?
>
> Kind regards!
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
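The two unlock paths discussed in the thread (a keyfile on a USB stick, with a mutual-TLS fetch from a key server as fallback), written up as an added example; this is not code from the thread or from the cryptsetup project. It follows the Debian/Ubuntu initramfs-tools "keyscript" convention, where cryptsetup runs the script and reads the LUKS key from its standard output; the filesystem label, keyfile name, certificate paths and server URL are assumed placeholders, and the server-side part is not shown.

```shell
#!/bin/sh
# Added example: keyscript-style helper that prints a LUKS key to stdout.
# Tries a labelled USB stick first, then a mutual-TLS fetch from a key server.
# All labels, paths and the URL below are assumed placeholders.

KEY_LABEL="${KEY_LABEL:-LUKSKEY}"                 # label of the USB stick (assumed)
KEY_NAME="${KEY_NAME:-luks.key}"                  # keyfile name on the stick (assumed)
KEY_SERVER="${KEY_SERVER:-https://keyserver.example.invalid/luks/device1}"  # placeholder
CLIENT_CERT="${CLIENT_CERT:-/etc/keyfetch/client.pem}"   # device cert+key in the initrd (assumed)
CA_CERT="${CA_CERT:-/etc/keyfetch/ca.pem}"               # CA that signed the server cert (assumed)

# Print the keyfile $1/$2 to stdout; return 1 if it is missing or empty.
read_usb_keyfile() {
    f="$1/$2"
    [ -s "$f" ] || return 1
    cat "$f"
}

# Mount the labelled USB stick read-only, emit the key, unmount again.
key_from_usb() {
    dev="/dev/disk/by-label/$KEY_LABEL"      # udev symlink, present in most initrds
    [ -b "$dev" ] || return 1
    mnt=$(mktemp -d)
    mount -o ro "$dev" "$mnt" || { rmdir "$mnt"; return 1; }
    if read_usb_keyfile "$mnt" "$KEY_NAME"; then rc=0; else rc=1; fi
    umount "$mnt"
    rmdir "$mnt"
    return $rc
}

# Fetch the key over TLS. --cert authenticates the device to the server,
# --cacert restricts trust to the key server's own CA so a spoofed server
# on the LAN cannot hand out a bogus key. --fail keeps an HTTP error page
# from being fed to cryptsetup as if it were the key.
key_from_server() {
    curl --silent --show-error --fail \
         --cacert "$CA_CERT" --cert "$CLIENT_CERT" \
         --max-time 20 "$KEY_SERVER"
}

# Keyscript entry point: USB stick first, network second.
main() {
    key_from_usb && return 0
    key_from_server
}

# Run only when invoked as the keyscript, not when sourced for testing.
case "${0##*/}" in
    luks-keyscript.sh) main ;;
esac
```

In the crypttab entry the script is referenced with `keyscript=/path/to/luks-keyscript.sh`, and it must be copied into the initrd together with the certificate files. As the reply above points out, anything in the initrd (the client certificate included) is readable by whoever holds the device, so the server should issue one certificate per device and be able to revoke it when a device goes missing; the USB keyfile path has no such standing secret on the device.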
