Re: Disk auto-unlocking with TPM 2.0
On 31.07.2023 at 15:35, factory-request@lists.opensuse.org wrote:
I set up a few remotely managed servers by moving all of the important data to LUKS-encrypted filesystems. These filesystems aren't in /etc/fstab, so they don't get mounted after a reboot. Once rebooted, I remotely SSH in and run a script that mounts the encrypted filesystem, prompting for the password. It then starts the appropriate daemons (PostgreSQL, etc.) and everything is fine. I know there's a possibility of data leakage via /tmp and swap, but I think the risk is minimal, and the servers are in a protected space anyway. I wonder if swap and /tmp could be encrypted this way too; it might be fun to fiddle with it someday.
So the basic idea is to set up a server so that it partially boots, but boots far enough to set up the network and start the SSH daemon. Then, log in remotely to finish the rest of the boot after entering the LUKS password. Could something like this be added to the Leap install process to make it easier to set up?
Regards, Lew
You can go further: an sshd can be started from grub. I have 2 servers running in that mode.
My logs of how I set that up are not 100% complete, so I can only give hints.
The core component is the package dracut-sshd.
For documentation see: https://github.com/gsauthof/dracut-sshd It shows you several options for how to set up your remote server. In general, either use early networkd or set up your network on the initrd command line.
Further documentation about network configuration within the initrd can be found at the "other Linux" site: https://www.redhat.com/sysadmin/network-confi-initrd It would then be similar to: in `/etc/default/grub`, modify `GRUB_CMDLINE_LINUX` to include the network configuration, e.g. GRUB_CMDLINE_LINUX="rd.neednet=1 ip=..."
Furthermore, you have to create SSH client key files and add the public key file to the server's list of known client keys. For details, see the above-mentioned docs.
That way all partitions besides /boot and /boot/efi can be encrypted, and you get this nice prompt when you ssh into that server at boot:
Welcome to the early boot SSH environment. You may type
systemd-tty-ask-password-agent
(or press "arrow up") to unlock your disks.
This shell will terminate automatically a few seconds after the unlocking process has succeeded and when the boot proceeds.
If you do so, you will be prompted for the password of one encrypted disk, or more if they have different ones. Grub will now decrypt the disks the same way as if you had entered the passwords sitting at the console.
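The steps Georg lists (a dracut.conf.d fragment pulling the sshd module into the initrd, the client's public key for the early-boot sshd, and rd.neednet=1 plus an ip= setting on GRUB_CMDLINE_LINUX) as one POSIX shell script. This is an added example, not code from the thread or from the dracut-sshd project. It stages everything under a prefix directory so the result can be reviewed before it is applied to / as root, and it merges the kernel parameters idempotently so re-running it never leaves two ip= values on the command line. Two things are assumptions of mine rather than statements on the page: that dracut-sshd reads the keys allowed into the initrd from /root/.ssh/dracut_authorized_keys, and that the modules are enabled with add_dracutmodules; the addresses in IP_SPEC are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the dracut-sshd project:
# stage the pieces Georg lists (dracut.conf.d fragment, the client's public
# key for the early-boot sshd, rd.neednet=1/ip= on GRUB_CMDLINE_LINUX) under
# a prefix directory so they can be reviewed before being applied as root.
# Assumed, not stated on the page: dracut-sshd reads the keys allowed into the
# initrd from /root/.ssh/dracut_authorized_keys, and the modules are pulled in
# with add_dracutmodules. The addresses below are placeholders.
set -eu

# Static initrd network configuration in the dracut.cmdline(7) ip= format:
# ip=<client-IP>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:<autoconf>
IP_SPEC="${IP_SPEC:-192.0.2.10::192.0.2.1:255.255.255.0:srv1:eth0:none}"

# merge_cmdline LINE PARAM...: print LINE with each PARAM present exactly once;
# an older value of the same key is dropped, so re-running stays idempotent.
merge_cmdline() {
    line=$1; shift
    for param in "$@"; do
        key=${param%%=*}
        new=""
        for tok in $line; do
            case $tok in
                "$key"=*|"$key") ;;          # stale value of this key: drop it
                *) new="$new $tok" ;;
            esac
        done
        line="$new $param"
    done
    printf '%s\n' "${line# }"
}

# grub_cmdline_value FILE: print the current GRUB_CMDLINE_LINUX value, or "".
grub_cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# set_grub_cmdline FILE VALUE: rewrite FILE with a single GRUB_CMDLINE_LINUX
# line, via a temp file and rename so a crash cannot leave it half-written.
set_grub_cmdline() {
    file=$1; value=$2
    grep -v '^GRUB_CMDLINE_LINUX=' "$file" > "$file.tmp" || true
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# stage_dracut_sshd PREFIX PUBKEY: write everything under PREFIX.
# PREFIX=/ (as root) targets the real system.
stage_dracut_sshd() {
    prefix=$1; pubkey=$2
    mkdir -p "$prefix/etc/dracut.conf.d" "$prefix/root/.ssh" "$prefix/etc/default"
    # Pull sshd and early networking into the initrd (module names assumed).
    printf 'add_dracutmodules+=" sshd network "\n' \
        > "$prefix/etc/dracut.conf.d/90-sshd.conf"
    # Keep the early-boot key list separate from /root/.ssh/authorized_keys:
    # a key that may unlock the disks is a stronger credential than one that
    # may merely log in after boot, so do not hand it to every admin key.
    cat "$pubkey" > "$prefix/root/.ssh/dracut_authorized_keys"
    chmod 700 "$prefix/root/.ssh"
    chmod 600 "$prefix/root/.ssh/dracut_authorized_keys"
    [ -f "$prefix/etc/default/grub" ] || : > "$prefix/etc/default/grub"
    current=$(grub_cmdline_value "$prefix/etc/default/grub")
    set_grub_cmdline "$prefix/etc/default/grub" \
        "$(merge_cmdline "$current" rd.neednet=1 "ip=$IP_SPEC")"
}

# Usage: sh stage-dracut-sshd.sh PREFIX PUBKEY
# Afterwards, on the real host (PREFIX=/), regenerate grub.cfg and the initrd
# and confirm the sshd module and key actually landed in it:
#   grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f
#   lsinitrd | grep -E 'sshd|dracut_authorized_keys'
if [ $# -eq 2 ]; then
    stage_dracut_sshd "$1" "$2"
fi
```

The passphrase prompt itself is answered inside the initrd with systemd-tty-ask-password-agent, exactly as the motd above says. One caveat worth keeping in mind: /boot and the initrd stay unencrypted in this setup, so the sshd that receives the passphrase is not itself protected from someone who can write to /boot; that is the gap a TPM-measured boot (the subject line of this thread) is meant to close.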
On 7/31/23 12:34, Georg Schukat wrote:
So the basic idea is to set up a server so that it partially boots, but boots far enough to set up the network and start the SSH daemon. Then, log in remotely to finish the rest of the boot after entering the LUKS password. Could something like this be added to the Leap install process to make it easier to set up?
You can go further: an sshd can be started from grub. I have 2 servers running in that mode.
My logs of how I set that up are not 100% complete, so I can only give hints.
The core component is the package dracut-sshd.
For documentation see: https://github.com/gsauthof/dracut-sshd It shows you several options for how to set up your remote server. In general, either use early networkd or set up your network on the initrd command line.
Further documentation about network configuration within the initrd can be found at the "other Linux" site: https://www.redhat.com/sysadmin/network-confi-initrd It would then be similar to: in `/etc/default/grub`, modify `GRUB_CMDLINE_LINUX` to include the network configuration, e.g. GRUB_CMDLINE_LINUX="rd.neednet=1 ip=..."
Furthermore, you have to create SSH client key files and add the public key file to the server's list of known client keys. For details, see the above-mentioned docs.
That way all partitions besides /boot and /boot/efi can be encrypted, and you get this nice prompt when you ssh into that server at boot:
Welcome to the early boot SSH environment. You may type
systemd-tty-ask-password-agent
(or press "arrow up") to unlock your disks.
This shell will terminate automatically a few seconds after the unlocking process has succeeded and when the boot proceeds.
If you do so, you will be prompted for the password of one encrypted disk, or more if they have different ones. Grub will now decrypt the disks the same way as if you had entered the passwords sitting at the console.
Thanks Georg, that's marvelous! We'll give it a try. Regards, Lew
While we're talking about things that grub and YaST can do to make installation easier, it would be very nice if the YaST installer had a submodule for isolating PCI resources from the kernel (e.g. graphics cards) for dedicated use by virtual machines. Doing this by hand is a very complicated and error-prone task.
Leslie
On 2023-07-31 20:22:17 Lew Wolfgang wrote:
Thanks Georg, that's marvelous! We'll give it a try.
Regards, Lew
participants (3)
- Georg Schukat
- J Leslie Turriff
- Lew Wolfgang