Turning encrypted system on remotely
11 votes
My system is full of very sensitive data, so I need to encrypt as much of it as possible.
I have an encrypted Debian installation which asks for a long password every time during boot.
Is there a simple way to set it up so that I can input that password remotely?
If some other distribution can do it, I don't mind installing something else instead of Debian.
debian remote luks
edited Apr 29 at 13:23
Jeff Schaller
asked Apr 28 at 15:10
user2363676
2
What kind of attack vector are you worried about? Is a hardware key store (where the private key can't be extracted by software, but anyone possessing that piece of hardware could decrypt your content) appropriate? (BTW, note that many full-disk encryption systems unlock a master key when you engage them, and then store that key in RAM -- meaning anyone with sufficient privileges can potentially copy that master key out from the unlocked system, even if they don't ever get your password; this is a place where having the actual decryption happen in hardware can be safer).
– Charles Duffy
Apr 28 at 17:21
@CharlesDuffy Main concern is server (or its disks) being physically stolen, so hardware key is out of the question, since it can be stolen as well. I specifically set 40+ symbol file system passphrase and 20+ symbol root password (who is the only user in the whole system), so I should be safe in most cases, right?
– user2363676
May 3 at 12:29
1
Removed and stolen, or are you worried about an attacker getting physical access while the hardware is still powered up? If someone can hotplug new devices onto the PCI bus they can make a copy of physical memory, so they can steal the encryption key out of a running, unlocked system. (They can't steal the password used to encrypt the key, but if you have the key itself, that's irrelevant).
– Charles Duffy
May 3 at 14:57
1
Another attack vector is for someone to modify the boot sequence to make a copy of the password during the decrypt/unlock process, reboot your machine, and then wait for you to log in and unlock it (thus letting the code they added store a copy of the password out-of-band) before stealing the hardware. Coming up with comprehensive threat models (and mitigating against them) gets tricky sometimes. (I see madscientist159 already pointed that possibility out).
– Charles Duffy
May 3 at 14:58
2 Answers
16 votes, accepted
You can enable this by installing dropbear-initramfs and following the instructions to configure your SSH keys. This will start an SSH server from the initramfs, allowing you to connect remotely and enter your encryption passphrase.
answered Apr 28 at 15:29
Stephen Kitt
3
Be aware that anyone with physical access to the machine can replace your initramfs with their own, malicious version, extract your SSH private key for a MITM attack, and various other forms of nastiness. At minimum you should be looking at a TPM, if not more advanced security technology, if there is any chance of the box being physically accessed by a malicious actor.
– madscientist159
Apr 29 at 4:32
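The key setup the accepted answer describes, as an added example that is not part of the original answer or of the Debian package: each key is forced to run only the unlock helper, and the key file is audited before the initramfs is rebuilt. Assumptions: the key file path /etc/dropbear-initramfs/authorized_keys (newer Debian releases use /etc/dropbear/initramfs/authorized_keys), the /bin/cryptroot-unlock helper inside the initramfs, and a client-side known_hosts file name chosen here.

```shell
#!/bin/sh
# Added example, not from the original answer. KEYFILE is an assumed path;
# adjust it to where your release's dropbear-initramfs reads its keys.
KEYFILE=${KEYFILE:-/etc/dropbear-initramfs/authorized_keys}

# Key options: the key may only run the unlock helper, with no forwarding.
OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# restricted_entry "<type> <base64> [comment]" -> one authorized_keys line
restricted_entry() {
    printf '%s %s\n' "$OPTS" "$1"
}

# audit_keys FILE: print the line number of every key whose options field
# lacks the forced command; exit status 1 if any such key exists.
audit_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        $1 !~ /command="\/bin\/cryptroot-unlock"/ { print NR; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# install_remote_unlock PUBKEY_FILE: run as root on the server.
# PUBKEY_FILE is assumed to hold exactly one public key line.
install_remote_unlock() {
    apt-get install -y dropbear-initramfs &&
    restricted_entry "$(cat "$1")" >> "$KEYFILE" &&
    chmod 600 "$KEYFILE" &&
    audit_keys "$KEYFILE" &&
    update-initramfs -u    # rebuild so the key ends up inside the initramfs
}

case "${1:-}" in
    install) install_remote_unlock "$2" ;;
    audit)   audit_keys "${2:-$KEYFILE}" ;;
esac

# Client side, once the server has rebooted and is waiting for the passphrase:
#   ssh -o UserKnownHostsFile=~/.ssh/known_hosts.initramfs root@SERVER
# The initramfs dropbear normally has its own host key, distinct from the
# installed system's sshd, so it is kept in a separate known_hosts file
# (file name chosen for this example). A host key change on a later
# connection means the initramfs was rebuilt or replaced: check before typing.
```

The initramfs sits unencrypted on /boot, so the forced command limits what an authorized key can do over SSH but does not protect against the initramfs replacement described in the comment above.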
0 votes
If you've installed Debian on a Dell or HP server - Dell has iDRAC and HP has iLO, both of these have web-based virtual consoles which would allow you to interact with the machine while booting.
answered May 3 at 0:06
bk201
My HP is too old to have iLO unfortunately, thanks for the suggestion though.
– user2363676
May 3 at 12:33