On 7/31/23 00:24, J Leslie Turriff wrote:
On 2023-07-30 20:39:14 Lew Wolfgang wrote:
On 7/30/23 17:39, Chan Ju Ping wrote:
Or am I missing something? Is there another protection mechanism before
the disk is unlocked?
I help run a few community servers for our local makerspace here, and
auto-unlocking of encrypted drives using TPM 2.0 would allow me to
remotely manage an encrypted filesystem setup. Since the normal procedure
would be for me to ask someone on the other side of the island to help
key in the passphrase every time I need to reboot the server.
I set up a few remotely managed servers by moving all of the important
data to LUKS encrypted filesystems.  These filesystems aren't in /etc/fstab
so they don't get mounted after a reboot.  Once rebooted I remotely
SSH in and run a script that mounts the encrypted filesystem that prompts
for the password.  It then starts the appropriate daemons (Postgresql, etc)
and everything is fine.  I know there's a possibility of data leakage
via /tmp and swap, but I think the risk is minimal and the servers are in
a protected space anyway.

I wonder if swap and /tmp could be encrypted
this way too; it might be fun to fiddle with it someday.
	If you use the same LUKS passphrase for the encrypted partitions, grub will 
try the first one entered on each of them.  I use this method to 
automagically decrypt my /var and /tmp partitions at bootup; I only need to 
enter the passphrase once.  (Encrypted password partitions, of course, should 
have separate passphrases.)
	You can do the same with the swap partitions, or tell the OS to encrypt your 
swap partitions with a key generated by /dev/random.

	In fact, rereading the announcement in 
https://en.opensuse.org/SDB:Encrypted_root_file_system#Setup_LUKS2_partitions, 
I see that it is capable of handling encrypted swap and other encrypted 
partitions as well (as long as their keys are all the same), so yes, you can 
already do this (once the new features are installed in your system).

Leslie
So the basic idea is to set up a server so that it partially boots, but
boots far enough to set up the network and start the SSH daemon.  Then, log
in remotely to finish the rest of the boot after entering the LUKS
password. Could something like this be added to the Leap install process to
make it easier to set up?

Regards,
Lew
Thanks for the pointers, Leslie.  But grub needs to get the secret from
somewhere, either TPM or to prompt for it.  That's the problem with
remotely managed systems without TPM: grub can't get the secret.

If grub could start the network stack and kick off sshd to prompt for
a remotely supplied secret I'd be happy.  But I don't think it can do that
without knowledge of encrypted network configuration.  Maybe it
could get the secret to boot up the core operating system, including
/tmp and swap, from TPM, then the administrator could login via ssh
and supply the secret to decrypt the rest of the system and start
the required daemons?  I'd rather not let the system boot up completely
by itself; I think it's a security threat, plus the servers don't have TPM
anyway.

Regards,
Lew
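The post-reboot step Lew describes earlier in the thread (SSH in, run a script that prompts for the LUKS passphrase, mounts the filesystem, then starts the daemons that depend on it), written out as a worked example. This is an added illustration, not a script posted by anyone in this thread. The device path, mapper name, mount point and the postgresql service name are assumptions chosen for illustration, and the idempotence checks (skip the passphrase prompt if the mapping already exists, skip mount if the path is already mounted) are additions so the script can be re-run safely after a partial failure.

```shell
#!/bin/sh
# Added example, not a script from the thread: the administrator's
# post-reboot unlock step, run over SSH. cryptsetup prompts for the LUKS
# passphrase on the terminal, so the secret lives only in the SSH session
# and is never stored on the server. Device path, mapper name, mount point
# and service names are assumptions for illustration.
set -eu

# Daemons that must not start until the encrypted filesystem is mounted.
# Keep them disabled in systemd so a plain reboot leaves them stopped
# instead of starting them against an empty mount point.
SERVICES="${SERVICES:-postgresql}"

mapper_path() {
    printf '/dev/mapper/%s\n' "$1"
}

# True if the LUKS mapping already exists, so re-running the script after a
# failed mount does not ask for the passphrase a second time.
is_open() {
    [ -e "$(mapper_path "$1")" ]
}

# /proc/mounts lists the mount point in field 2; compare the exact path.
is_mounted() {
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# Refuse a bad configuration before asking anyone to type a passphrase.
check_prereqs() {
    dev=$1 name=$2 mnt=$3
    case $name in
        ''|*/*) echo "bad mapper name: '$name'" >&2; return 1 ;;
    esac
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    [ -d "$mnt" ] || { echo "mount point missing: $mnt" >&2; return 1; }
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup not installed" >&2; return 1; }
    return 0
}

open_volume() {
    dev=$1 name=$2
    if is_open "$name"; then
        echo "$name already open, skipping passphrase prompt"
        return 0
    fi
    # cryptsetup prompts on the controlling terminal: connect with 'ssh -t'.
    # '--type luks' accepts both LUKS1 and LUKS2 headers.
    cryptsetup open --type luks "$dev" "$name"
}

mount_volume() {
    name=$1 mnt=$2
    if is_mounted "$mnt"; then
        echo "$mnt already mounted"
        return 0
    fi
    mount "$(mapper_path "$name")" "$mnt"
}

start_services() {
    for svc in $SERVICES; do
        systemctl start "$svc"
    done
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    check_prereqs "$1" "$2" "$3"
    open_volume "$1" "$2"
    mount_volume "$2" "$3"
    start_services
    echo "$2 mounted on $3; started: $SERVICES"
}

# Usage: unlock.sh <luks-device> <mapper-name> <mount-point>
#   e.g. ssh -t admin@server sudo ./unlock.sh /dev/disk/by-uuid/<uuid> data /srv/data
# With fewer than three arguments only the functions are defined, which keeps
# the file sourceable for testing without touching any device.
if [ $# -ge 3 ]; then
    main "$1" "$2" "$3"
fi
```

Invoke it with `ssh -t` so cryptsetup has a terminal to prompt on, refer to the device by `/dev/disk/by-uuid/` rather than `/dev/sdX` so a renumbered disk cannot be handed the wrong passphrase, and leave the dependent services disabled in systemd so that, as in Lew's setup, a reboot stops at the network-plus-sshd stage until an administrator completes it.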