Erling Westenvik <erling.westen...@gmail.com> writes:

> Since none of the servers have tools for remote administration, my only
> option for unlocking any crypto volumes will be over ssh(4). AFAIK that
> means I cannot encrypt any parts of the OS itself since all partitions
> are required to be present for the OS to be able to boot up to a point
> where it can offer sshd(8), right?
I have a not-so-simple setup for this. Everything but / is in a crypto softraid. Upon startup I run a self-contained sshd with the following patch against a 5.4 /etc/rc:

--- etc/rc Tue Jul 30 19:52:22 2013 +++ /etc/rc Tue Mar 25 15:23:48 2014 @@ -284,8 +284,19 @@ exit 1 ;; 8) - echo "Automatic file system check failed; help!" - exit 1 + echo "Automatic file system check failed; help (from outterspace)!" + ifconfig em0 x.x.x.x netmask 255.255.255.0 + route -qn add default x.x.x.x + mount -uw / + /root/sshd -De \ + -o PasswordAuthentication=no \ + -o PermitRootLogin=yes \ + -o ChallengeResponseAuthentication=no \ + -o UsePrivilegeSeparation=no \ + -o UseDNS=no + mount -ur / + route -qn flush + ifconfig em0 down delete ;; 12) echo "Boot interrupted."

I can then connect as root (with the correct authorized_keys) and bioctl the crypto softraid and finally kill this sshd.

Drawbacks:
- compile a self-contained sshd (see crunchgen(8) for this) (if possible, do this after the time_t patch)
- be careful with /etc/rc merge

-- 
Manuel Giraud
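Review bot: in the `8)` branch the removed `exit 1` is not replaced by any check, so once the foreground `/root/sshd -De` is killed, rc remounts / read-only and carries on booting whether or not the crypto softraid was actually unlocked. The same branch is also reached when the file system check fails for a real reason on /, and in that case `mount -uw /` puts an unchecked root read-write. I would re-run the file system check after sshd returns and keep the `exit 1` if it still fails, so only a successful unlock lets the boot continue. Two smaller points on the sshd options: with `PasswordAuthentication=no` and `ChallengeResponseAuthentication=no` already set, `PermitRootLogin=without-password` states the key-only intent more tightly than `PermitRootLogin=yes`, and `UsePrivilegeSeparation=no` on a network-facing root daemon deserves a comment in the patch saying why it is needed in this pre-boot environment. The hard-coded `em0` and addresses would also be easier to merge across rc updates if they were variables set at the top of the block.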