#1 2022-09-25 20:09:07

æyno
Member
Registered: 2022-09-25
Posts: 7

[SOLVED] Encrypted /boot and SSH disk decryption

Hi.
I would like to know if it is possible to have /boot on a LUKS-encrypted partition and still be able to decrypt my root partition through SSH? Right now I have 3 partitions for /boot, /boot/efi and /; only the partition for / is encrypted using LUKS and I am able to decrypt it using dropbear SSH before booting. I know it is possible to make an install with only two partitions, namely /efi (not encrypted) and / (LUKS encrypted), the idea being to have the least possible unencrypted material, but is it still possible to enable SSH decryption with this setup?

Thanks for your time and answers.

Last edited by æyno (2022-09-29 10:24:39)

#2 2022-09-25 20:49:25

frostschutz
Member
Registered: 2013-11-15
Posts: 1,416

Re: [SOLVED] Encrypted /boot and SSH disk decryption

...to start SSH, you need to boot a kernel and initramfs. To boot the kernel and initramfs, you have to decrypt it...

That's a bit of a problem.

Grub has a new feature recently, I've never tested it myself but it can use keyfiles, and read them from a block device, too. So, if that works for early cryptodisk support and if you provide a keyfile accordingly, Grub could possibly decrypt /boot for you. And your kernel + initramfs can then decrypt / with a different key later.

However if you do this, Grub can decrypt /boot, but so can everyone else, as the keyfile is out there in the open. So at best, this would be an exercise in obfuscation.

Personally, I stick to unencrypted /boot. It's just not worth the hassle otherwise.

If your hoster supports VNC you could encrypt /boot and have Grub ask for a passphrase interactively. Then you VNC in and provide the passphrase. Basically in this case the hoster takes care of the SSH part for you (with all the security implications that entails, i.e. the hoster can keylog you. But if it's a virtual server, they can always RAM-dump your encryption keys anyhow. So...).

Last edited by frostschutz (2022-09-25 20:52:20)

#3 2022-09-26 09:48:53

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: [SOLVED] Encrypted /boot and SSH disk decryption

Encryption is for Confidentiality and Integrity.

If you only care about Integrity of the /boot kernel then simply use Secure Boot.

If you /really/ care about Confidentiality of the /boot kernel then you might be able to hack something together with a KVM LUKS + SEV host but you'd need turtles all the way down to be able to trust the SSH binary.


--
saint_abroad

#4 2022-09-26 12:46:28

æyno
Member
Registered: 2022-09-25
Posts: 7

Re: [SOLVED] Encrypted /boot and SSH disk decryption

sabroad wrote:

Encryption is for Confidentiality and Integrity.

If you only care about Integrity of the /boot kernel then simply use Secure Boot.

I'm already using Secure Boot to check integrity. I was thinking of making a unified kernel, to have initramfs, ucode, kernel and cmdline in one binary file, which will be harder to tamper with and easier to sign.

#5 2022-09-29 10:23:33

æyno
Member
Registered: 2022-09-25
Posts: 7

Re: [SOLVED] Encrypted /boot and SSH disk decryption

æyno wrote:

I'm already using Secure Boot to check integrity. I was thinking of making a unified kernel, to have initramfs, ucode, kernel and cmdline in one binary file, which will be harder to tamper with and easier to sign.

Just did that: I configured mkinitcpio to create a .efi unified kernel image, signed it for Secure Boot, removed my bootloader, moved /boot to an encrypted partition, and now I boot directly into my unified kernel image; only the partition containing /efi is not encrypted.

#6 2022-09-29 11:29:45

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: [SOLVED] Encrypted /boot and SSH disk decryption

Check out sbupdate for automated unified/signing during update.

Last edited by sabroad (2022-09-29 11:30:03)


--
saint_abroad

#7 2022-09-29 12:37:59

æyno
Member
Registered: 2022-09-25
Posts: 7

Re: [SOLVED] Encrypted /boot and SSH disk decryption

sabroad wrote:

Check out sbupdate for automated unified/signing during update.

I'm using sbctl to handle signing during update and it works just fine.

Last edited by æyno (2022-09-29 12:47:05)
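The procedure from #5 (UKI built by mkinitcpio, signed for Secure Boot, booted directly with /boot inside the LUKS volume) and the sbctl-based re-signing on updates from #7, written out as an added example that is not the poster's own commands: the script renders the mkinitcpio preset, refuses to continue unless /boot is dm-crypt-backed, signs the images with sbctl and registers a direct UEFI boot entry. Assumed: ESP mounted at /efi, kernel package "linux", sbctl keys already created and enrolled, the kernel command line in /etc/kernel/cmdline, a mkinitcpio release that uses the default_uki preset variable (older releases named it differently), and ESP_DISK/ESP_PART as placeholders you must set.

```shell
#!/bin/sh
# Added example: build a signed UKI so /boot can live inside the LUKS volume and only the
# ESP stays unencrypted. Assumptions: ESP at /efi, kernel package "linux", sbctl keys already
# enrolled, cmdline in /etc/kernel/cmdline, mkinitcpio recent enough to know default_uki.
set -eu

ESP="${ESP:-/efi}"
KERNEL="${KERNEL:-linux}"
ESP_DISK="${ESP_DISK:-/dev/PLACEHOLDER_DISK}"   # placeholder: the disk holding the ESP
ESP_PART="${ESP_PART:-1}"                       # placeholder: ESP partition number

# Render the mkinitcpio preset: the kernel is read from the (encrypted) /boot at build
# time, and the finished UKI (kernel + ucode + initramfs + cmdline) is written to the ESP.
render_uki_preset() {
  kernel="$1"; esp="$2"
  cat <<EOF
ALL_kver="/boot/vmlinuz-${kernel}"
PRESETS=('default' 'fallback')
default_uki="${esp}/EFI/Linux/arch-${kernel}.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
fallback_uki="${esp}/EFI/Linux/arch-${kernel}-fallback.efi"
fallback_options="-S autodetect"
EOF
}
# Microcode: current mkinitcpio bundles it via the 'microcode' hook in mkinitcpio.conf;
# older releases used ALL_microcode=(/boot/*-ucode.img) in the preset instead.

# Guard before dropping the bootloader: the mount holding /boot must be a dm-crypt device
# (handles /boot as a directory on an encrypted root, including btrfs "[/subvol]" sources).
boot_is_encrypted() {
  src="$(findmnt -no SOURCE -T /boot)" || return 1
  src="${src%%\[*}"
  [ "$(lsblk -no TYPE "$src")" = "crypt" ]
}

apply() {
  boot_is_encrypted || { echo "/boot is not on a LUKS-backed device; aborting" >&2; exit 1; }
  render_uki_preset "$KERNEL" "$ESP" > "/etc/mkinitcpio.d/${KERNEL}.preset"
  mkinitcpio -P                                     # build both UKIs into $ESP/EFI/Linux
  sbctl sign -s "$ESP/EFI/Linux/arch-$KERNEL.efi"   # -s: track the file so it is re-signed on updates
  sbctl sign -s "$ESP/EFI/Linux/arch-$KERNEL-fallback.efi"
  sbctl verify                                      # every tracked image must report as signed
  # Firmware boots the UKI directly: no bootloader, nothing else in clear text on the ESP.
  efibootmgr --create --disk "$ESP_DISK" --part "$ESP_PART" --label "Arch (UKI)" \
    --loader "\\EFI\\Linux\\arch-$KERNEL.efi"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it as `sh script.sh apply` only after the old bootloader entry is no longer needed; without the argument it just defines the functions so the preset can be inspected with `render_uki_preset linux /efi`.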