On 2014/03/05 17:48, Giancarlo Razzolini wrote:
> On 05-03-2014 17:30, Ted Unangst wrote:
> > On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote:
> >> Hi,
> >>
> >> I have one Linux server that has full disk encryption, and I use
> >> its initramfs with dropbear to be able to remote unlock the encrypted
> >> root partition.
> >>
> >> From what I read from the OpenBSD documentation, this is not
> >> possible now. I want some guidance for what areas of code I would need
> >> to modify, to accomplish the same. I know it would involve lots of
> >> hacking with boot(8), with the kernel itself, and perhaps more. Also, I
> >> want to know how hard you guys think it would be.
> > I'm aware of some issues in this area.
> >
> > You probably need to modify boot to default to serial console. The
> > normal approach, taken by the installer, is to use boot.conf, but of
> > course that's not readable before the disk is decrypted. This is
> > assuming you will use serial console to provide the password instead
> > of regular keyboard.
> >
> > If you want to provide the password over the network, I think that's
> > going to be way more work. pxeboot may be a place to start, but I
> > don't think you'll like where that leads and it won't be very secure
> > either.
> >
> > Or get a server that supports some sort of kvm/console over IP.
> Ted,
>
> Thank you for your reply. I am tending for the generic solution for
> unlocking it via network. Not using console nor any hardware assist. On
> Linux, using initramfs + busybox + dropbear + some other hacks, it works
> quite well and secure, since you unlock it through ssh.
> I took a look at pxeboot, but I don't think it will work. I know it
> is a chicken-egg problem, but I want to take a shot at it. Just would
> like some guidance, where to start. I know that maybe it would need some
> approach in the lines of initramfs, but I would avoid it as much as I
> can, if possible. I think an unencrypted partition/disklabel with
> boot.conf and the kernel, plus some hack with boot itself to initialize
> the network device, and configure its IP address would be more
> interesting. Or even just boot.conf on the partition. This would require
> that boot(8) would do most of the work, even a small sshd
> implementation. Any ideas?
>
> Cheers,
>
> --
> Giancarlo Razzolini
> GPG: 4096R/77B981BC

What are you trying to protect against? If somebody has physical access, they can presumably replace the kernel/initramfs with a trojanned version ...