Linux – Reboot Encrypted System Remotely Without Password Query

encryptionlinux

Are there any standard solutions to rebooting an encrypted system remotely without requiring a password on the next boot?

The system in question is an Ubuntu encrypted with LUKS root partition and an unencrypted boot partition.

The only way I can imagine is to add a randomly generated second key that is based on a file resting on the boot partition and removing it with a start script on system boot.

Would the above approach work?
Or is there a default option that does not require a manual approach?

The only security implication I can think of is that in case the system does fail the boot before starting the first services.

Best Answer

You could setup an initrd with a minimal sshd in it (dropbear comes to mind), and then connect to it and input the password manually. Or you could look into Mandos. Keep in mind that if someone has physical access to your server, and can replace the boot code without you noticing, then you are game over no matter what

Related Solutions

Linux – repair partition table

Not too tricky. Hopefully.

First of all, note the size and order of all your partitions on /dev/sda:

challenger:/home/michael # grep . /sys/block/sda/sda*/{start,size}
/sys/block/sda/sda1/start:63
/sys/block/sda/sda2/start:228690000
/sys/block/sda/sda3/start:257040
/sys/block/sda/sda1/size:256977
/sys/block/sda/sda2/size:83885760
/sys/block/sda/sda3/size:228432960

Run fdisk on /dev/sda and change the units to sectors:

Command (m for help): u
Changing display/entry units to sectors

Then start making partitions. Use the appropriate numbers start and size for each partition.
Avoid an off-by-one error - subtract one from size before typing it into fdisk.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First sector (63-312581807, default 63): 
Using default value 63
Last sector, +sectors or +size{K,M,G} (63-312581807, default 312581807): +256976

Command (m for help): p

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders, total 312581808 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x02b002af

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1              63      257039      128488+  83  Linux

Don't forget to set your partition IDs and toggle the boot flag on the right partition

Now re-install your MBR and you should be ready to go.

Naturally you can do all this using your favorite partition editor... parted works just fine as well.

If you've lost the information regarding start/end of partitions - parted has 'rescue' options to search the disk for lost partitions. But you shouldn't need those.

Linux – How to create a randomly keyed, encrypted swap partition, referring to it “by-uuid”, on Debian

Every time cryptsetup recreates the encrypted swap partition at boot time it generates a new UUID for it! Doh!

In /etc/crypttab, use /dev/disk/by-id instead of /dev/disk/by-UUID to refer to your swap partition. For example, your /etc/fstab entry for swap might be

#<file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0

Then the correct corresponding entry in /etc/crypttab would be something like

# <name> <device> <password> <options>
cswap /dev/disk/by-id/ata-SAMSUNG_SSD_830_Series_S0XYNEAC762041-part5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256

Notice that the device above is referred to by /dev/disk/by-id which you can find out for your drive by typing the following at the CLI:

ls -lF /dev/disk/by-id

Best Answer

Related Solutions

Linux – repair partition table

Linux – How to create a randomly keyed, encrypted swap partition, referring to it “by-uuid”, on Debian

Related Topic