Hello List,

I'm administering several Linux hosts, which are all set up to boot from a LUKS-encrypted partition (some of which live in LVM). I was hacked off at having to go down to the basement and enter the passwords manually on each and every reboot. So why not let this be managed by a central "boot server"? So I've set up the following process:
- sshd/dhclient3 are included in the initrd by a hook
- at boot time, either a static IP is assigned by a boot parameter or a dynamic one is obtained by dhclient3
- sshd is started just before scripts/local-top/cryptroot is run
- while cryptsetup waits for a password to be entered, an SSH connection can be made (thus being able to execute cryptsetup, vgchange etc. remotely and automated...)
- when the partition is unlocked, the cryptsetup process from cryptroot is simply killed and booting continues (this part especially is nasty (yet), as it may interfere with other hooks unexpectedly...)
- dhclient3/sshd are killed
- the rest as usual

The remote_unlock_via_ssh.sh script is what I use for remote unlocking. The config files are stored gpg-encrypted, so I can safely boot root-encrypted machines from any trusted terminal remotely.

Please let me know what you think. If you like it, I'd gladly document it further.

Cheers,
Daniel

PS: I hope binary attachments to this list are OK; please let me know your conventions if not.
Attachment: initramfs-remoteunlock.tar.bz2 (binary data)
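For readers who want to see the shape of the local-top helper the post describes, here is an added sketch of its pieces. It is example code written for this page, not Daniel's attached initramfs-remoteunlock scripts. Everything beyond the post's flow is an assumption: the boot parameter name staticip=ADDR/PREFIX[,GATEWAY], the interface eth0, pidfiles under /run, and the REMOTE_UNLOCK_RUN guard that keeps the network and device-mapper steps from running when the file is merely sourced. Instead of killing the cryptroot prompt blindly, it waits for the device-mapper node that the remote cryptsetup luksOpen creates, then terminates the prompt and the helpers.

```shell
#!/bin/sh
# Added example, not the attached initramfs-remoteunlock scripts.
# Pieces of a scripts/local-top helper for the flow in the post:
# choose static or DHCP networking from the kernel command line,
# start sshd, wait for the remote unlock, tear the helpers down.
# Assumed (not from the post): staticip=ADDR/PREFIX[,GATEWAY],
# interface eth0, pidfiles in /run, REMOTE_UNLOCK_RUN=1 to run.

# parse_static_ip CMDLINE
# Prints "ADDR/PREFIX" or "ADDR/PREFIX GATEWAY" and returns 0 when a
# staticip= parameter is present; returns 1 (prints nothing) otherwise.
# Constructed sample: "root=/dev/mapper/vg-root staticip=192.0.2.10/24,192.0.2.1 quiet"
parse_static_ip() {
    for word in $1; do
        case "$word" in
            staticip=*)
                spec=${word#staticip=}
                addr=${spec%%,*}
                gw=
                if [ "$spec" != "$addr" ]; then
                    gw=${spec#*,}
                fi
                if [ -n "$gw" ]; then
                    printf '%s %s\n' "$addr" "$gw"
                else
                    printf '%s\n' "$addr"
                fi
                return 0
                ;;
        esac
    done
    return 1
}

# configure_network CMDLINE
# Static address when the parameter is present, otherwise one DHCP try.
configure_network() {
    if spec=$(parse_static_ip "$1"); then
        addr=${spec%% *}
        gw=
        if [ "$addr" != "$spec" ]; then
            gw=${spec#* }
        fi
        ip addr add "$addr" dev eth0
        ip link set eth0 up
        if [ -n "$gw" ]; then
            ip route add default via "$gw"
        fi
    else
        dhclient3 -1 -pf /run/dhclient.pid eth0
    fi
}

# wait_for_mapping NAME TIMEOUT_SECONDS [DIR]
# Polls once per second for the device-mapper node that the remote
# "cryptsetup luksOpen" creates. DIR defaults to /dev/mapper; the
# parameter exists only so the function can be exercised elsewhere.
wait_for_mapping() {
    dir=${3:-/dev/mapper}
    t=$2
    while [ "$t" -gt 0 ]; do
        if [ -e "$dir/$1" ]; then
            return 0
        fi
        sleep 1
        t=$((t - 1))
    done
    return 1
}

# stop_helper PIDFILE
# Terminates a helper (sshd, dhclient3) started earlier in the initramfs.
stop_helper() {
    if [ -r "$1" ]; then
        kill "$(cat "$1")" 2>/dev/null || true
        rm -f "$1"
    fi
}

# Entry point for the initramfs; guarded so the functions above can be
# sourced without touching the real network or device mapper.
if [ "${REMOTE_UNLOCK_RUN:-0}" = 1 ]; then
    configure_network "$(cat /proc/cmdline)"
    /sbin/sshd -p 22
    # The remote side now runs cryptsetup luksOpen / vgchange over SSH
    # while scripts/local-top/cryptroot sits at its passphrase prompt.
    if wait_for_mapping "${ROOT_MAPPING:-cryptroot}" 600; then
        # End the prompt only once the mapping exists (the post kills it
        # right after the unlock); booting then continues.
        killall cryptsetup 2>/dev/null || true
    fi
    stop_helper /run/sshd.pid
    stop_helper /run/dhclient.pid
fi
```

The only state the remote side and the initramfs share is the device-mapper node, which is why waiting on it is a safer cue than a fixed delay; a timeout still drops through to the cleanup so a failed remote unlock leaves the console prompt usable.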