1. Introduction §
I have remote systems that only have /home as encrypted partitions, the reason is it ease a lot of remote management without a serial access, it's not ideal if you have critical files but in my use case, it's good enough.
In this blog post, I'll explain how to get the remote system to prompt you the unlocking passphrase automatically when it boots. I'm using OpenBSD in my example, but you can achieve the same with Linux and cryptsetup (LUKS), if you want to push the idea on Linux, you could do this from the initramfs to unlock your root partition.
2. Requirement §
- a non-root encrypted partition
- a workstation with ssh that is reachable by the remote server (VPN, NAT etc…)
3. Setup §
- install the package
zenity on your workstation
- on the remote system generate ssh-keys without a passphrase on your root account using
- copy the content of
/root/.ssh/id_rsa.pub for the next step (or the public key file if you chose a different key algorithm)
~/.ssh/authorized_keys on your workstation
- create a new line with:
restrict,command="/usr/local/bin/zenity --forms --text='Unlock t400 /home' --add-password='passphrase' --display=:0" $THE_PUBLIC_KEY_HERE
The new line allows the ssh key to connect to our local user, but it gets restricted to a single command: zenity, which is a GUI dialog program used to generate forms/dialogs in X sessions.
In the example, this creates a simple form in an X window with a label "Unlock t400 /home" and add a field password hiding typed text, and showing it on display :0 (the default one). Upon connection from the remote server, the form is displayed, you can type in and validate, then the content is passed to stdout on the remote server, to the command bioctl which unlocks the disk.
On the server, creates the file
/etc/rc.local with the following content (please adapt to your system):
ssh email@example.com | bioctl -s -c C -l 1a52f9ec20246135.k softraid0
if [ $? -eq 0 ]
In this script,
firstname.lastname@example.org is my user@laptop-address, and
1a52f9ec20246135.k is my encrypted partition. The file
/etc/rc.local is run at boot after most of the services, including networking.
You should get a display like this when the system boots:
4. Conclusion §
With this simple setup, I can reboot my remote systems and wait for the passphrase to be asked quite reliably. Because of ssh, I can authenticate which system is asking for a passphrase, and it's sent encrypted over the network.
It's possible to get more in depth in this idea by using a local password database to automatically pick the passphrase, but you lose some kind of manual control, if someone steals a machine you may not want to unlock it after all ;) It would also be possible to prompt a Yes/No dialog before piping the passphrase from your computer, do what feels correct for you.