On 7/31/23 00:24, J Leslie Turriff wrote:
Or am I missing something? Is there another protection mechanism before the disk is unlocked? I help run a few community servers for our local makerspace here, and auto- unlocking of encrypted drives using TPM 2.0 would allow me to remotely manage an encrypted filesystem setup. Since the normal procedure would be for me to ask someone on the other side of the island to help key in the passphrase every time I need to reboot the server. I set up a few remotely managed servers by moving all of the important data to LUKS encrypted filesystems. These filesystems aren't in /etc/fstab so they don't get mounted after a reboot. Once rebooted I remotely SSH in and run a script that mounts the encrypted filesystem that prompts for the password. It then starts the appropriate daemons (Postgresql, etc) and everything is fine. I know there's a possibility of data leakage via /tmp and swap, but I think the risk is minimal and the servers are in a protected space anyway. I wonder if swap and /tmp could be encrypted
On 7/30/23 17:39, Chan Ju Ping wrote: this way too, it might be fun to fiddle with it someday? If you use the same LUKS passphrase for the encrypted partitions, grub will
On 2023-07-30 20:39:14 Lew Wolfgang wrote: try the first one entered on each of them. I use this method to automagically decrypt my /var and /tmp partitions at bootup; I only need to enter the passphrase once. (Encrypted password partitions, of course, should have separate passphrases.) You can do the same with the swap partitions, or tell the OS to encrypt your swap partitions with a key generated by /dev/random.
In fact, rereading the announcement in https://en.opensuse.org/SDB:Encrypted_root_file_system#Setup_LUKS2_partition..., I see that it is capable of handling encrypted swap and other encrypted partitions as well (as long as their keys are all the same), so yes, you can already do this (once the new features are installed in your system).
Leslie
So the basic idea is to set up a server so that it partially boots, but boots far enough to set up the network and start the SSH daemon. Then, log in remotely to finish the rest of the boot after entering the LUKS password. Could something like this be added to the Leap install process to make it easier to set up?
Regards, Lew Thanks for the pointers, Leslie. But grub needs to get the secret from somewhere, either TPM or to prompt for it. That's the problem with remotely managed systems without TPM, grub can't get the secret.
If grub could start the network stack and kick off sshd to prompt for a remotely supplied secret I'd be happy. But I don't think it can do that without knowledge of encrypted network configuration. Maybe it could get the secret to boot up the core operating system, including /tmp and swap, from TPM, then the administrator could login via ssh and supply the secret to decrypt the rest of the system and start the required daemons? I'd rather not let the system boot up completely by itself, I think it's a security threat, plus the servers don't have TPM anyway. Regards, Lew