[dm-crypt] LUKS disk encryption with remote boot authentication

Arno Wagner arno at wagner.name
Tue Oct 14 15:12:36 CEST 2014


Hi Cpp,

I do not think that is conceptually possible. Sure, you could, 
for ecample, do a password-less ssh to that server to
get the passphrase and pipe that directly to cryptsetup. But 
that is not more secre than storing the pasphrase on the device 
itself in plain, unless you can remove the passphrase on the
remote server in case of issues.

Basically, you would do something like this in the initrd:

  ssh remote_server "cat keyfile_mine" | cryptsetup <device> -d -

Of course, the ssh root-user key would need to be present
in the initrd for this to work and remote_server would
need to allow password-less logins for that key. You also
have to have the host key of remote_server in the local
known_hosts file on the initrd for this to be secure.

You should also know that LUKS does not do pre-boot. What
can be done is boot the OS in a minimal configuration from an 
initrd, map the encrypted container, and then replace the
root filesystem with that one from disk. But LUKS container 
mapping always happens and must happen _after_ the kernel
has finished comming up and some minimal OS has been booted.

Arno


On Tue, Oct 14, 2014 at 13:42:54 CEST, Cpp wrote:
> Hello,
> 
> I'm interested in a solution for devices with LUKS disk encryption
> that use a remote server to securely obtain a decryption key upon
> boot. Let me elaborate: Suppose I have an embedded device i.e.
> Raspberry Pi with an external USB HDD or maybe a Cubieboard with a
> SATA-attached disk. The rootfs is located on an encrypted partition on
> the disk that has to be decrypted before the OS can boot. The boot
> partition is located on an unencrypted NAND/SD partition.
> 
> Normally a modern linux distro will ask the user to type in the
> password via a keyboard upon boot, if disk encryption is being used. I
> am however interested in setups where this decryption key is obtained
> securely (TLS?) from a remote (secure) server via LAN.
> 
> Are there any known setups like this that I can take a look at?
> 
> Kind regards!
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier


More information about the dm-crypt mailing list