http://bugzilla.opensuse.org/show_bug.cgi?id=1141868 Bug ID: 1141868 Summary: support LUKS unlock via SSH (package: dracut-crypt-ssh) Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: openSUSE Factory Status: NEW Severity: Enhancement Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: kolAflash@kolAhilft.de QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Please enable booting remote machines with encrypted root partitions. The common way to do this, is to include a minimal ssh/dropbear server into initrd. Debian has a very well working package for this: https://packages.debian.org/buster/dropbear-initramfs And there is an existing dracut-crypt-ssh module. (openSUSE uses dracut as initrd system) https://github.com/dracut-crypt-ssh/dracut-crypt-ssh Additionally the dropbear package is needed. https://build.opensuse.org/package/show/network/dropbear The only problem for using dracut-crypt-ssh on openSUSE-15.1 is, that the openSUSE initrd currently sets the network interface IPs AFTER the LUKS opening is needed. (based on the "rd.neednet=1 ip=dhcp") Note: There's a dirty workaround in the GitHub issue. Maybe this is related to this NFS-root problem!? https://bugzilla.opensuse.org/show_bug.cgi?id=1137104 Additionally, a minor patch may be nessessary. (unknown why the patch is needed) https://build.opensuse.org/package/show/home:duge_at_pre-sense_de/dracut-cry... Encryption mode node: dracut-crypt-ssh only works if the boot partition is unencrypted. But that's OK for me! dracut-crypt-ssh won't work if GRUB is decrypting LUKS, which currently seems to be the openSUSE-15.1 default for encrypted setups. But you can easily setup an openSUSE-15.1 system with an encrypted boot partition. Security note: Surely unlocking via SSH isn't free of security implications. But in scenarios where booting without a local user is necessary, this increases the security compared to an unencrypted root partition. (e. g. when the disk becomes defect and may not be deleted easily anymore, but a competent and persevering attacker may be able to recover data when the disk is found in the trash) -- You are receiving this mail because: You are on the CC list for the bug.