Is there a way to automatically unlock a LUKS drive at boot time with the key-file being stored on a remote machine?
The idea is to make sure servers may restart without any user input. Servers are on a public cloud and I can't encrypt the root partition. Leaving the key-file on the machine would simply defeat the purpose of encryption.
Hence the idea to have the key file in a remote machine connecting via a secure channel like ssh.
Mandos seems to do what I'm after but I've got two questions on it.
– All the documentation refers to the root file systems. Can it work with any drive?
– The documentation states that it only works on an intranet; would that work if the local and remote servers connect via a VPN?
Is it the best solution? The only solution?
Best Answer
tang and clevis can achieve that even with encrypted root partition on CentOS 7 (and I personally use it to automate boot on my home network and at work). Have a look and check if it plugs into your VM.
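As an added illustration of the tang/clevis approach (not code from the answer above), the sketch below binds a non-root data volume to one or more tang servers and prepares the crypttab entry so it unlocks after the network is up; the device path, mapper name and tang URLs are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumed placeholders:
# /dev/sdb1 as the data volume, "data" as its mapper name, and the
# tang.example.internal hosts; replace them with your own.

# Build the clevis pin config. One tang URL gives a plain "tang" pin; several
# URLs give an "sss" (Shamir) pin that needs only $1 of them reachable at boot,
# so a single tang server being down does not block the restart.
clevis_pin_config() {
    threshold=$1; shift
    if [ $# -eq 1 ]; then
        printf '{"url":"%s"}' "$1"
        return 0
    fi
    list=""
    for url in "$@"; do
        list="${list:+$list,}{\"url\":\"$url\"}"
    done
    printf '{"t":%s,"pins":{"tang":[%s]}}' "$threshold" "$list"
}

# Pin name for a given number of tang URLs.
clevis_pin_name() {
    [ "$1" -eq 1 ] && echo tang || echo sss
}

# /etc/crypttab entry: key "none" so the passphrase comes from clevis, and
# _netdev so the volume is only opened once the network is available.
crypttab_line() {
    printf '%s %s none _netdev\n' "$1" "$2"
}

# Add a clevis-managed keyslot to the volume (prompts once for an existing LUKS
# passphrase). Only runs when clevis is installed; otherwise shows the command.
bind_volume() {
    dev=$1; threshold=$2; shift 2
    pin=$(clevis_pin_name "$#")
    cfg=$(clevis_pin_config "$threshold" "$@")
    if ! command -v clevis >/dev/null 2>&1; then
        echo "clevis not installed; would run: clevis luks bind -d $dev $pin '$cfg'" >&2
        return 1
    fi
    clevis luks bind -d "$dev" "$pin" "$cfg"
    clevis luks list -d "$dev"
    # For non-root volumes the unlock at boot is done by this unit (clevis-systemd).
    systemctl enable clevis-luks-askpass.path
}

# Usage: bind_volume /dev/sdb1 1 http://tang1.example.internal http://tang2.example.internal
crypttab_line data /dev/sdb1
```

Once bound, `clevis luks list` shows the pin and config, and the volume comes up at boot as long as the threshold number of tang servers is reachable over the network or VPN.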