You are not logged in.

#1 2023-01-07 17:17:11

szszoke
Member
Registered: 2022-11-12
Posts: 7

Remote unlock system with entrypted boot "partition"

Hello!

I have a machine running an up-to-date Arch installation. My entire system including the boot "partition" is encrypted via dm-Crypt and LUKS1. I put partition in quotes because it's not an actual partition, it's just a folder (/boot) on my root partition. I have a passphase and a keyfile. I am using GRUB as my bootloader which is installed in /boot. When I turn on my computer, I need to enter the passphrase, then I get to GRUB. When I select the menu item for my Arch installation, it loads the keyfile and then I do not have to enter a passphrase again.

I also have an EFI partition mounted to /efi which is not encrypted.

This works and has been working well for the past few months. The only problem is that I physically need to be there to type in my passphrase in order to boot the machine up and I want to be able to turn it on remotely via WoL and SSH into it.

I tried to follow the dm-crypt/Specialties guide on remote unlocking with tinyssh but it of course didn't quite work. With my encrypted bootloader, I have to enter my passphrase before my kernel and tinyssh would be loaded.

One more thing that is relevant here is that I am using BTRFS with snapshots. I also have grub-btrfs set up with overlayfs so that I can boot into specific snapshots as if it would be a live image. With /boot being just a folder in my root subvolume, my snapshots contain the kernel that was running at the time of snapshot creation.

I suppose that if I create an actual partition for /boot and leave it unencrypted then the guide would work for me, but then I think I would also lose my kernel snapshots and might have trouble booting into my snapshots at a later time.

The ideal outcome would be keeping my /boot folder within my root BTRFS subvolume and somehow still be able to input my encryption passphrase remotely if needed. I suppose I would need some sort of remote control support built into GRUB itself at this point but I don't know if such thing exists.

Offline

#2 2023-01-08 00:05:54

pitastrudl
Member
Registered: 2022-05-10
Posts: 8

Re: Remote unlock system with entrypted boot "partition"

Hey,

I had the same problem. Had a Full disk encrypted setup and wanted to enable SSH unlocking of my encrypted machine. Sadly that is not possible as initramfs has to be loaded for an ssh connection to be able to establish and unlock your partition, so your boot partition would have to be unencrypted at rest. A more expensive solution would be to get something like PiKVM which allows you to operate your PC from afar as if you were there physically.

Offline

#3 2023-01-17 12:14:43

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,447

Re: Remote unlock system with entrypted boot "partition"

(That PiKVM looks neat, I've never seen that before.)
I suggest you check first whether the ethernet card has stable WoL. There are a lot of problems (spurious wakeups, etc) depending on mainboard/bios, card, etc etc.
Second, depending on your usage profile for remote access (e.g. only when you travel for long), you could workaround with a second minimal install (with open /boot) and let this system hibernate. This way you could wake it up and unlock your main system remotely. As yet another workaround, you could get a remote-controlled power switch (home automation) and keep the /boot of the main system unencrypted to start ssh from the initramfs. The power plug gives you a "second" factor.

Offline

#4 2023-01-17 12:42:17

szszoke
Member
Registered: 2022-11-12
Posts: 7

Re: Remote unlock system with entrypted boot "partition"

I have stable WoL and I also have a second server running all the time. I work in a hybrid setup and I use two computers, one laptop when in the office and a desktop when at home. Sometimes I forgot stuff on my home machine and only realize when I'm in the office. I can leave my machine sleeping when I leave from home and then I can just SSH in after a WoL packet. Power outages are rare where I live so it would work, but I wanted to have a fallback that would work even after a power outage.

Offline

#5 2023-11-07 21:55:20

chron
Member
Registered: 2010-10-18
Posts: 5

Re: Remote unlock system with entrypted boot "partition"

Sorry for replying to an old thread, but i wanted to share my current solution.

I was thinking about a PiKVM myself, before I came up with my current setup, it also recuires a Raspberry Pi or something similiar, but besides a couple of 10$ USB/RS232 adapters nothing else.

GRUB first stage (core.img) has serial (even USB serial) support, you can simply connect whatever you need to start remotely to a Raspberry Pi with a cheap USB/RS232 adapter. If you use PoE for the RPi, you even have an easy way to force it to power cycle if necessary.
Setup decribed here, but i would recommend using grub-mkimage or grub-mkstandalone instead of grub-install. If you need a working first stage grub config, I'm happy to help.

I suppose I would need some sort of remote control support built into GRUB itself at this point but I don't know if such thing exists.

I've been hoping for a couple of years, that someone would cram tinyssh into a GRUB module, but sadly, it hasn't happened yet. It should be possible, EFI images are only limited by RAM size but no clue about the GRUB side.

Last edited by chron (2023-11-07 21:56:06)

Offline

Board footer

Powered by FluxBB