Re: disk encryption for remote server
I keep a /crypt noauto partition that I mount manually by passphrase via ssh after the server is booted. And don't keep 'sensitive' info in other partitions...

On Mon, May 27, 2024 at 11:57 AM <04-psyche.tot...@icloud.com> wrote:
> Thanks all for your thoughts.
>
> Regarding the remote serial console access, unfortunately, it is not
> possible in my case.
> I do not have IPMI or something similar :(
>
> On Mon, 27 May 2024 at 08:17, Manuel Giraud <
> manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote:
>
>> Stefan Kreutz writes:
>>
>> > Can you access the machine's serial console, maybe redirected over IP?
>>
>> I concur that a remote serial console access (maybe via a web interface
>> serviced by your provider) is your best option here.
>>
>> I used to do (almost) FDE without console access but here is a list of
>> drawbacks/requirements:
>>
>> - It is not really FDE because / was not encrypted
>>
>> - It required patching /etc/rc with the patch at the end of this
>> message
>>
>> - The "/root/sshd" from this patch is a self-contained sshd
>> without the need of any external library. It is *not* a copy
>> of /usr/sbin/sshd and you have to compile it yourself (and I
>> don't remember how)
>>
>>
>> Best regards,
>> --
>> Manuel Giraud
Re: disk encryption for remote server
Thanks all for your thoughts.

Regarding the remote serial console access, unfortunately, it is not possible in my case.
I do not have IPMI or something similar :(

On Mon, 27 May 2024 at 08:17, Manuel Giraud <
manuel_at_ledu-giraud_fr_rmp93abv53d47h_m6783...@icloud.com> wrote:
> Stefan Kreutz writes:
>
> > Can you access the machine's serial console, maybe redirected over IP?
>
> I concur that a remote serial console access (maybe via a web interface
> serviced by your provider) is your best option here.
>
> I used to do (almost) FDE without console access but here is a list of
> drawbacks/requirements:
>
> - It is not really FDE because / was not encrypted
>
> - It required patching /etc/rc with the patch at the end of this
> message
>
> - The "/root/sshd" from this patch is a self-contained sshd
> without the need of any external library. It is *not* a copy
> of /usr/sbin/sshd and you have to compile it yourself (and I
> don't remember how)
>
>
> Best regards,
> --
> Manuel Giraud
Re: disk encryption for remote server
Stefan Kreutz writes:

> Can you access the machine's serial console, maybe redirected over IP?

I concur that a remote serial console access (maybe via a web interface serviced by your provider) is your best option here.

I used to do (almost) FDE without console access but here is a list of drawbacks/requirements:

- It is not really FDE because / was not encrypted

- It required patching /etc/rc with the patch at the end of this message

- The "/root/sshd" from this patch is a self-contained sshd without the need of any external library. It is *not* a copy of /usr/sbin/sshd and you have to compile it yourself (and I don't remember how)

--- rc.orig	Wed Jul 27 15:23:24 2011
+++ /etc/rc	Thu Jul 28 15:28:28 2011
@@ -294,8 +294,18 @@
 		exit 1
 		;;
 	8)
-		echo "Automatic file system check failed; help!"
-		exit 1
+		echo "Automatic file system check failed; help (from outterspace)!"
+		ifconfig em0 a.b.c.d netmask 255.255.255.0
+		route -qn add default a.b.c.1
+		mount -uw /
+		/root/sshd -De \
+			-o PasswordAuthentication=no \
+			-o ChallengeResponseAuthentication=no \
+			-o UsePrivilegeSeparation=no \
+			-o UseDNS=no
+		mount -ur /
+		route -qn flush
+		ifconfig em0 down delete
 		;;
 	12)
 		echo "Boot interrupted."

Best regards,
--
Manuel Giraud
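Review bot: the `8)` branch loses its `exit 1`, so once the foreground `/root/sshd -De` process exits (which is the only way past that line, since `-D` keeps sshd in the foreground), rc falls through to `;;` and carries on booting on a root filesystem that fsck could not repair, where the original stopped. Unless continuing is intended, add an `exit 1` (or an explicit reboot) after `ifconfig em0 down delete`, and note in a comment that the operator ends the rescue session by killing that sshd. The same comment should state that `a.b.c.d` / `a.b.c.1` are placeholders to be replaced with the host's real address and gateway, and that `-o UsePrivilegeSeparation=no` runs the whole sshd as root without the unprivileged child, which is a deliberate trade-off for this single-binary rescue sshd and worth recording next to the code.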
Re: disk encryption for remote server
On Sun, May 26, 2024 at 08:33:59PM +0100, 04-psyche.tot...@icloud.com wrote:
> Hi everyone,
>
> Is there any way to use disk encryption without having physical access to
> the device?

You could use a USB keydisk (make sure you, and your assistant on the remote server, have copious backup(s) of this!) as an encryption device, as per this document:
https://www.openbsd.org/faq/faq14.html#softraidFDE

Cheers
Ampie

> A few potential ideas:
> - is there a way to enter the encryption passphrase via ssh?
> - is there a way to create a non encrypted partition on the same hard drive,
> where the keydisk would be stored, and automatically used? (For various
> reasons, an external usb key is not feasible). And yes, I realize this would
> weaken the security significantly, but I'd still like to know if it's
> feasible?
>
> My guess is that it's not possible, but I wanted to ask to make sure.
>
> Cheers,
> Jake
Re: disk encryption for remote server
On Sun, May 26, 2024 at 08:33:59PM +0100, 04-psyche.tot...@icloud.com wrote:
> Is there any way to use disk encryption without having physical access to
> the device?

Yes, it is possible. But I think you are talking about full disk encryption and want to enter a passphrase at the bootloader prompt.

> - is there a way to enter the encryption passphrase via ssh?

To enter a passphrase at the boot prompt you need to set up remote access to the console of that device. Depending on the setup you have, this might be easy, difficult or impossible.

If that is not an option, one possibility is to do a regular non-encrypted installation and create a softraid crypto volume just for storing specific data. This can then be mounted from a regular ssh session after the kernel has booted.

It's also possible to hard-code a passphrase in the bootloader code. We have used this technique for years for local development machines that need to be running the softraid code but are otherwise not storing data that needs to be protected by a passphrase.

These two ideas can also be used together.
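The "separate softraid crypto volume, mounted from an ssh session after boot" approach suggested in this reply (and the /crypt noauto partition described in the first reply of the thread) looks like the script below. This is an added worked example, not code from any post in the thread or from the OpenBSD project. It assumes the encrypted chunk is the RAID-type partition /dev/sd0d, the mount point is /crypt, and root commands go through doas; those names are assumptions and should be adjusted. The attach step reads the passphrase from the ssh session's tty via bioctl(8), and the script parses bioctl's "attached as sdN" line instead of hard-coding the pseudo-device name, which shifts whenever disks are added or removed.

```shell
#!/bin/sh
# Added example (not from the thread): attach an OpenBSD softraid CRYPTO
# volume by passphrase over ssh after boot, mount it, and detach it again.
# Assumed layout: encrypted chunk /dev/sd0d (fstype RAID in the disklabel),
# mount point /crypt, root via doas(1). Override with CHUNK= and MNT=.

CHUNK=${CHUNK:-/dev/sd0d}
MNT=${MNT:-/crypt}

# bioctl(8) reports the new pseudo-device on stdout, for example:
#   softraid0: CRYPTO volume attached as sd2
# Extract that device name; an empty result means the line did not match.
parse_attached_dev() {
    printf '%s\n' "$1" |
        sed -n 's/.*CRYPTO volume attached as \([a-z][a-z]*[0-9][0-9]*\).*/\1/p'
}

# Succeeds only for a plausible sdN / sdNN device name, so a parse failure
# can never turn into a mount of the wrong disk.
is_sd_dev() {
    case "$1" in
        sd[0-9]|sd[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

attach_and_mount() {
    # Refuse to attach twice: a second bioctl -c on the same chunk fails
    # noisily, and a double mount is confusing to clean up.
    if mount | grep -q " on $MNT "; then
        echo "$MNT is already mounted" >&2
        return 1
    fi
    # bioctl prompts for the passphrase on the controlling tty of the
    # ssh session; nothing is stored on disk.
    out=$(doas bioctl -c C -l "$CHUNK" softraid0) || return 1
    dev=$(parse_attached_dev "$out")
    if ! is_sd_dev "$dev"; then
        echo "could not determine attached device from: $out" >&2
        return 1
    fi
    # The 'a' partition of the crypto volume carries the filesystem;
    # check it first, since the volume was never fsck'd at boot.
    doas fsck -p "/dev/${dev}a" || return 1
    doas mount "/dev/${dev}a" "$MNT"
}

detach() {
    # Find which sdN currently backs the mount point, unmount, then
    # detach the crypto volume so the key is dropped from the kernel.
    dev=$(mount | sed -n "s|^/dev/\(sd[0-9]*\)a on $MNT .*|\1|p")
    if ! is_sd_dev "$dev"; then
        echo "$MNT is not mounted from a softraid volume" >&2
        return 1
    fi
    doas umount "$MNT" && doas bioctl -d "$dev"
}

case "${1:-}" in
    attach) attach_and_mount ;;
    detach) detach ;;
esac
```

Run as `sh crypt.sh attach` after logging in over ssh, and `sh crypt.sh detach` before a planned reboot or when the data is no longer needed online; until detach runs, the volume key stays in kernel memory, which is the trade-off this design accepts compared to true full-disk encryption. The fstab entry for /crypt, if you keep one, must be marked noauto so that an unattended boot does not stall waiting for a volume that is not yet attached.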
Re: disk encryption for remote server
Can you access the machine's serial console, maybe redirected over IP?

On Sun, May 26, 2024 at 08:33:59PM GMT, 04-psyche.tot...@icloud.com wrote:
> Hi everyone,
>
> Is there any way to use disk encryption without having physical access to the
> device?
>
> A few potential ideas:
> - is there a way to enter the encryption passphrase via ssh?
> - is there a way to create a non encrypted partition on the same hard drive,
> where the keydisk would be stored, and automatically used? (For various
> reasons, an external usb key is not feasible). And yes, I realize this would
> weaken the security significantly, but I'd still like to know if it's
> feasible?
>
> My guess is that it's not possible, but I wanted to ask to make sure.
>
> Cheers,
> Jake
disk encryption for remote server
Hi everyone,

Is there any way to use disk encryption without having physical access to the device?

A few potential ideas:
- is there a way to enter the encryption passphrase via ssh?
- is there a way to create a non encrypted partition on the same hard drive, where the keydisk would be stored, and automatically used? (For various reasons, an external usb key is not feasible). And yes, I realize this would weaken the security significantly, but I'd still like to know if it's feasible?

My guess is that it's not possible, but I wanted to ask to make sure.

Cheers,
Jake