You are not logged in.

#1 2019-07-16 10:20:23

TheCoon
Member
Registered: 2016-05-10
Posts: 42

Remote unlock LUKS-encrypted system

Hi,

I've read through this wiki article and considered the different options, but I am looking to implement something a bit different, which shares similar basics.

I have a fully encrypted system (/root) with a setup similar to the one found in this installation guide.

From what I understand, the wiki article I linked above explains how to achieve SSH access in initrd, so that a password may be entered after SSHing into the encrypted system initrd.

What I would like to achieve is having the encrypted system initrd initiate an SSH connection to a remote server, fetch a keyfile, and pass it along to cryptsetup for decrypting the system. I had rsync in mind for the fetching process.

Would this be possible in theory? What changes would need to be made to the existing solutions which show how to setup an SSH server (not a client)?

Thanks for any guidance.

Last edited by TheCoon (2019-07-16 10:52:38)

Offline

#2 2019-07-16 10:37:30

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Remote unlock LUKS-encrypted system

The third party installation guide you linked to does not uses an encrypted /boot .
What would decrypt the initrd?

Offline

#3 2019-07-16 10:54:57

TheCoon
Member
Registered: 2016-05-10
Posts: 42

Re: Remote unlock LUKS-encrypted system

loqs wrote:

The third party installation guide you linked to does not uses an encrypted /boot .
What would decrypt the initrd?

You're right, I misunderstood the guide.
My question still stands, minus the boot. big_smile

Offline

#4 2019-07-16 11:45:59

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Remote unlock LUKS-encrypted system

I don't think it is really secure to let the device fetch its own decryption key. That means anyone in possession of the device can decrypt it as well. You have to somehow limit the decryption, maybe limiting it to connections from a local network.

A professional option is NBDE


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2019-07-16 11:53:14

TheCoon
Member
Registered: 2016-05-10
Posts: 42

Re: Remote unlock LUKS-encrypted system

progandy wrote:

I don't think it is really secure to let the device fetch its own decryption key. That means anyone in possession of the device can decrypt it as well. You have to somehow limit the decryption, maybe limiting it to connections from a local network.

A professional option is NBDE

I'd like this to serve a headless system, which should always be active, and I would like it to survive reboots without me needing to input a passphrase/keyfile.
On the other hand, I would like to be able to call a "kill switch" which would render the system "unbootable".
What I had in mind is for the encrypted system to SSH/rsync to remote server (VPS), fetch the key, and decrypt the system. If the server is stolen, or if I am expecting a raid (don't worry, I promise everything is legal), the keyfile is deleted from the server on which it is hosted, the server is issued a remote poweroff/reboot, and the system should now fail to boot, since the keyfile can't be fetched.  Feel free to point out any flaws in this idea, I'm open to anything that can help me achieve, at the very least, a similar setup.

The solution closest to what I'm after appears to be Mandos, but I'm looking for a much simpler approach.

NBDE sounds interesting, but still not exactly the setup I'm hoping for.

Last edited by TheCoon (2019-07-16 11:58:51)

Offline

#6 2019-07-16 12:05:02

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Remote unlock LUKS-encrypted system

dropbear includes an SSH client. You'll have to create a hook/service that uses it (in combination with cat, sftp, scp or rsync) to connect and fetch the key. You can use the methods in the wiki to set up your network connection, just replace the ssh server hook/service with your own client script.

https://jlk.fjfi.cvut.cz/arch/manpages/ … lient.1.en

Last edited by progandy (2019-07-16 12:08:11)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#7 2019-07-16 12:29:07

TheCoon
Member
Registered: 2016-05-10
Posts: 42

Re: Remote unlock LUKS-encrypted system

progandy wrote:

dropbear includes an SSH client. You'll have to create a hook/service that uses it (in combination with cat, sftp, scp or rsync) to connect and fetch the key.

https://jlk.fjfi.cvut.cz/arch/manpages/ … lient.1.en

So, for example, I would need to alter mkinitcpio-dropbear so that instead of  running the dropbear server, it would issue a client command?

First I think I would need to add the VPS private key for SSHing under /etc/dropbear/root_key.
Then in this file, replace the line:

/usr/sbin/dropbear -E -s -j -k

With something like:

/usr/sbin/dbclient user@vps "cat secret_keyfile" > copied_keyfile

Then, as I understand it, the actual shell performing the decryption is encryptssh, which appears to also accept a keyfile (/crypto_keyfile.bin). Just not sure where I would need to save that keyfile for it to be used in this setup (this is where I would need to save copied_keyfile).

Am I on the right track or completely off?

Offline

#8 2019-07-16 13:52:14

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Remote unlock LUKS-encrypted system

The keyfile that the regular 'encrypt' hook looks for is /crypto_keyfile.bin ( / is the location, the initramfs root dir ). If you create it before the encrypt hook runs, it will be used.

I have not used dropbear before, so I can't help with that part. I did something similar with netcat (nc). Unencrypted transfer with a local / shared secret mixed in. But yeah, you shouldn't roll your own crypto but in my case it was just local network anyway (a NAS wake on lan thing). Today maybe you could do it with curl/https.

SSH has its own pitfalls, if you have a passwordless SSH key in your initramfs that executes arbitrary commands on some server... you can restrict the key to a specific command in authorized_keys, make use of that. The SSH key gets the keyfile and nothing else.

Last edited by frostschutz (2019-07-16 13:52:36)

Offline

#9 2019-07-16 13:56:07

TheCoon
Member
Registered: 2016-05-10
Posts: 42

Re: Remote unlock LUKS-encrypted system

frostschutz wrote:

The keyfile that the regular 'encrypt' hook looks for is /crypto_keyfile.bin ( / is the location, the initramfs root dir ). If you create it before the encrypt hook runs, it will be used.

So /crypto_keyfile.bin just needs to exist in my live system?

frostschutz wrote:

SSH has its own pitfalls, if you have a passwordless SSH key in your initramfs that executes arbitrary commands on some server... you can restrict the key to a specific command in authorized_keys, make use of that. The SSH key gets the keyfile and nothing else.

Thanks for the tip, that is definitely the direction I'm going for.

Offline

#10 2019-07-16 14:08:57

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Remote unlock LUKS-encrypted system

TheCoon wrote:

So /crypto_keyfile.bin just needs to exist in my live system?

If you want the encrypt hook to handle opening the crypt device, yes.

You can open the crypt device yourself, and ditch the encrypt hook. Just make sure your hook includes the cryptsetup binary, then it would be like:

ssh user@vps | cryptsetup open /dev/thing cryptthing

something like that.

Please note, cryptsetup stops reading at newline when reading from a pipe. (See NOTES ON PASSPHRASE PROCESSING in the manpage). So random data might be misinterpreted when used this way.

An example for generating a keyfile that does not have this issue is:

$ printf "%s" $(pwgen 64) > safekey.txt

No newline, just ascii characters, interpreted the same regardless of keyfile, pipe, or even typed in by hand in an emergency.

Or you can use `--key-file -` but I prefer to remove any chance of misinterpration from the keyfile itself.

Last edited by frostschutz (2019-07-16 14:10:50)

Offline

Board footer

Powered by FluxBB