Turning encrypted system on remotely

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
11
down vote

favorite
3












My system is full of very sensitive data, so I need to encrypt as much of it as possible.



I have an encrypted Debian installation which asks for a long password every time during boot.
Is there a simple way to set it up so that I can input that password remotely?



If some other distribution can do it, I don't mind installing something else instead of Debian.







share|improve this question

















  • 2




    What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
    – Charles Duffy
    Apr 28 at 17:21










  • @CharlesDuffy Main concern is server(or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password(who is the only user in the whole system), so I should be safe in most cases, right?
    – user2363676
    May 3 at 12:29






  • 1




    Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
    – Charles Duffy
    May 3 at 14:57







  • 1




    Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
    – Charles Duffy
    May 3 at 14:58















up vote
11
down vote

favorite
3












My system is full of very sensitive data, so I need to encrypt as much of it as possible.



I have an encrypted Debian installation which asks for a long password every time during boot.
Is there a simple way to set it up so that I can input that password remotely?



If some other distribution can do it, I don't mind installing something else instead of Debian.







share|improve this question

















  • 2




    What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
    – Charles Duffy
    Apr 28 at 17:21










  • @CharlesDuffy Main concern is server(or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password(who is the only user in the whole system), so I should be safe in most cases, right?
    – user2363676
    May 3 at 12:29






  • 1




    Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
    – Charles Duffy
    May 3 at 14:57







  • 1




    Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
    – Charles Duffy
    May 3 at 14:58













up vote
11
down vote

favorite
3









up vote
11
down vote

favorite
3






3





My system is full of very sensitive data, so I need to encrypt as much of it as possible.



I have an encrypted Debian installation which asks for a long password every time during boot.
Is there a simple way to set it up so that I can input that password remotely?



If some other distribution can do it, I don't mind installing something else instead of Debian.







share|improve this question













My system is full of very sensitive data, so I need to encrypt as much of it as possible.



I have an encrypted Debian installation which asks for a long password every time during boot.
Is there a simple way to set it up so that I can input that password remotely?



If some other distribution can do it, I don't mind installing something else instead of Debian.









share|improve this question












share|improve this question




share|improve this question








edited Apr 29 at 13:23









Jeff Schaller

31.1k846105




31.1k846105









asked Apr 28 at 15:10









user2363676

584




584







  • 2




    What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
    – Charles Duffy
    Apr 28 at 17:21










  • @CharlesDuffy Main concern is server(or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password(who is the only user in the whole system), so I should be safe in most cases, right?
    – user2363676
    May 3 at 12:29






  • 1




    Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
    – Charles Duffy
    May 3 at 14:57







  • 1




    Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
    – Charles Duffy
    May 3 at 14:58













  • 2




    What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
    – Charles Duffy
    Apr 28 at 17:21










  • @CharlesDuffy Main concern is server(or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password(who is the only user in the whole system), so I should be safe in most cases, right?
    – user2363676
    May 3 at 12:29






  • 1




    Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
    – Charles Duffy
    May 3 at 14:57







  • 1




    Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
    – Charles Duffy
    May 3 at 14:58








2




2




What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
– Charles Duffy
Apr 28 at 17:21




What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
– Charles Duffy
Apr 28 at 17:21












@CharlesDuffy Main concern is server(or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password(who is the only user in the whole system), so I should be safe in most cases, right?
– user2363676
May 3 at 12:29




@CharlesDuffy Main concern is server(or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password(who is the only user in the whole system), so I should be safe in most cases, right?
– user2363676
May 3 at 12:29




1




1




Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
– Charles Duffy
May 3 at 14:57





Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
– Charles Duffy
May 3 at 14:57





1




1




Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
– Charles Duffy
May 3 at 14:58





Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
– Charles Duffy
May 3 at 14:58











2 Answers
2






active

oldest

votes

















up vote
16
down vote



accepted










You can enable this by installing dropbear-initramfs and following the instructions to configure your SSH keys. This will start an SSH server from the initramfs, allowing you to connect remotely and enter your encryption passphrase.






share|improve this answer

















  • 3




    Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
    – madscientist159
    Apr 29 at 4:32


















up vote
0
down vote













If you've installed Debian on a Dell or HP server - Dell has iDrac and HP has ILO, both of these have web based virtual consoles which would allow you interact with the machine while booting.






share|improve this answer





















  • My HP is too old to have ILO unfortunately, thanks for suggestion though.
    – user2363676
    May 3 at 12:33










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f440586%2fturning-encrypted-system-on-remotely%23new-answer', 'question_page');

);

Post as a guest






























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
16
down vote



accepted










You can enable this by installing dropbear-initramfs and following the instructions to configure your SSH keys. This will start an SSH server from the initramfs, allowing you to connect remotely and enter your encryption passphrase.






share|improve this answer

















  • 3




    Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
    – madscientist159
    Apr 29 at 4:32















up vote
16
down vote



accepted










You can enable this by installing dropbear-initramfs and following the instructions to configure your SSH keys. This will start an SSH server from the initramfs, allowing you to connect remotely and enter your encryption passphrase.






share|improve this answer

















  • 3




    Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
    – madscientist159
    Apr 29 at 4:32













up vote
16
down vote



accepted







up vote
16
down vote



accepted






You can enable this by installing dropbear-initramfs and following the instructions to configure your SSH keys. This will start an SSH server from the initramfs, allowing you to connect remotely and enter your encryption passphrase.






share|improve this answer













You can enable this by installing dropbear-initramfs and following the instructions to configure your SSH keys. This will start an SSH server from the initramfs, allowing you to connect remotely and enter your encryption passphrase.







share|improve this answer













share|improve this answer



share|improve this answer











answered Apr 28 at 15:29









Stephen Kitt

140k22302363




140k22302363







  • 3




    Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
    – madscientist159
    Apr 29 at 4:32













  • 3




    Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
    – madscientist159
    Apr 29 at 4:32








3




3




Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
– madscientist159
Apr 29 at 4:32





Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
– madscientist159
Apr 29 at 4:32













up vote
0
down vote













If you've installed Debian on a Dell or HP server - Dell has iDrac and HP has ILO, both of these have web based virtual consoles which would allow you interact with the machine while booting.






share|improve this answer





















  • My HP is too old to have ILO unfortunately, thanks for suggestion though.
    – user2363676
    May 3 at 12:33














up vote
0
down vote













If you've installed Debian on a Dell or HP server - Dell has iDrac and HP has ILO, both of these have web based virtual consoles which would allow you interact with the machine while booting.






share|improve this answer





















  • My HP is too old to have ILO unfortunately, thanks for suggestion though.
    – user2363676
    May 3 at 12:33












up vote
0
down vote










up vote
0
down vote









If you've installed Debian on a Dell or HP server - Dell has iDrac and HP has ILO, both of these have web based virtual consoles which would allow you interact with the machine while booting.






share|improve this answer













If you've installed Debian on a Dell or HP server - Dell has iDrac and HP has ILO, both of these have web based virtual consoles which would allow you interact with the machine while booting.







share|improve this answer













share|improve this answer



share|improve this answer











answered May 3 at 0:06









bk201

2715




2715











  • My HP is too old to have ILO unfortunately, thanks for suggestion though.
    – user2363676
    May 3 at 12:33
















  • My HP is too old to have ILO unfortunately, thanks for suggestion though.
    – user2363676
    May 3 at 12:33















My HP is too old to have ILO unfortunately, thanks for suggestion though.
– user2363676
May 3 at 12:33




My HP is too old to have ILO unfortunately, thanks for suggestion though.
– user2363676
May 3 at 12:33












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f440586%2fturning-encrypted-system-on-remotely%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?