Re: Geli password over network strategies


Re: Geli password over network strategies

Karl Denninger

On 11/25/2019 08:45, Paul Florence via freebsd-questions wrote:

> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to
> type a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks
> I had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible ?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk
>
> If no, has anyone had to deal with this kind of problem ? If so, what
> kind of strategy did you decide to use ?
>
Yep.  My infrastructure is UPS backed but UPS batteries run out and then
things shut down.  When power comes back, well, I'd like to be able to
enter that password with REASONABLE security.

Here's my strategy for dealing with it.

Front-end the server with something that is a dedicated firewall and
WILL reboot on power fail and come back to multi-user, normal mode (I
use a pcEngines box that boots off SD and runs with root mounted
read-only; there is thus essentially zero risk of said box not coming
all the way back up unattended.)  It runs StrongSwan.

Now from "wherever" I can either ssh or VPN into that after a power
failure.  The main box is, at this point, sitting at a console prompt
asking for a GELI password as the loader requires it to unlock the root
ZFS pool.

I now have choices; I could have the big box set up to go to a serial
console and have the serial port plugged in but instead my usual choice
is to instead use the existing "big box's" IPKVM feature which I can
access via two means -- either over the VPN (since my laptop now appears
to be on the local LAN which has the IPKVM port on it) or I can sign
into the gateway and use "ssh" to set up a temporary tunnel to the
https: port on the IPKVM interface thereby allowing me to directly do a
"https://gateway-ip-address:whateverport" and sign into the IPKVM that
way, then use its functionality to get direct console access.  Either
way the session is encrypted so the password cannot be picked off.

--
Karl Denninger
[hidden email]
/The Market Ticker/
/[S/MIME encrypted email preferred]/


Re: Geli password over network strategies

Evilham
On dl., nov. 25 2019, Paul Florence via freebsd-questions wrote:

> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to type
> a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks I
> had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible ?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk
>
> If no, has anyone had to deal with this kind of problem ? If so, what
> kind of strategy did you decide to use ?
>
> Thanks,


Hi Paul,

I don't think what you mention works as it is, but it is close
enough to what I've done and does work:

I hope you are aware of the security downsides of doing this; I
think it does look like the kind of trade-off you need.

- There is an unencrypted FreeBSD (caveat: kernel must match that
  of the encrypted system, care when upgrading)
- System boots into that unencrypted FreeBSD
- I access that unencrypted system over SSH
- Encrypted system is unlocked
- reboot -r is used to boot into that system (man reboot explains
  that quite well)

I use ZFS and a simple unlock script that is at the end of this
message (the unencrypted pool is called "init" as opposed to
"zroot"), but you should be able to do sth similar with e.g. UFS
(man reboot has a very basic example).

Also: I do think this use-case could be made easier but haven't
tried to hack into the installer (yet). Apparently I am not alone,
see the feedback bits towards the end of the episode:
https://www.bsdnow.tv/319

Hope this helps, cheers.
--
Evilham


#!/bin/sh

# Setup variables
partition="ada0p4"
zfs_pool="zroot"

# Unlock encrypted system
geli attach ${partition} || exit

# Import pool without mounting only if needed.
# If pool is already imported, this does nothing.
zpool status ${zfs_pool} > /dev/null 2>&1 || zpool import -Nf -R /mnt ${zfs_pool}

# Get bootfs
bootfs=$(zpool get -H -o value bootfs ${zfs_pool})

# See FreeBSD bug 210721
zpool export ${zfs_pool}

# Setup root file system
echo
kenv "vfs.root.mountfrom=zfs:${bootfs}"
echo

# Reboot into decrypted system
reboot -r
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"

Re: Geli password over network strategies

Polytropon
In reply to this post by Karl Denninger
On Mon, 25 Nov 2019 15:45:17 +0100, Paul Florence via freebsd-questions wrote:

> Hello everyone,
>
> I am currently running a home-made server with 12.0-RELEASE-p10 using
> full disk geli encryption. When I boot the server, I first have to type
> a password to decrypt the whole system.
>
> However, my ISP is having some power issues and in the last few weeks I
> had to go there quite a few times to type a passphrase.
>
> I would like now to be able to enter my passphrase over the network.
>
> Would the following boot process be possible ?
>
> 1. First boot from an unencrypted kernel from a USB stick.
>
> 2. Then start an SSH server.
>
> 3. Input my passphrase over an ssh terminal.
>
> 4. Use the provided passphrase as the geli secret to boot the OS from
> the disk

That would be the problem: You cannot boot one OS from another OS
(heavily simplified and technically not fully correct, but still
the problem remains). The core problem is that in early boot
stages of the OS, no network and therefore no SSH is available.
And if you _re_boot the server (to get the actual OS from the
decrypted storage), the decryption will be gone as soon as
you reboot...
> If no, has anyone had to deal with this kind of problem ? If so, what
> kind of strategy did you decide to use ?

My suggestion would be to enable serial console, and have that
serial console redirect to a SSH port that you can connect to.
This way, the OS boots to the point where you have to enter
the passphrase - now via SSH -, and boot continues, while you
can always re-connect to the serial line.

There are "communication servers" and solutions commonly found
in datacenters that allow you to connect to a system they
provide (with SSH) that allows you to interact with the serial
line of your own server. See "serial over SSH".


--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...