On 05-03-2014 17:30, Ted Unangst wrote:
> On Wed, Mar 05, 2014 at 16:15, Giancarlo Razzolini wrote:
>> Hi,
>>
>>     I have one linux server that has full disk encryption, and I use
>> its initramfs with dropbear to be able to remote unlock the encrypted
>> root partition.
>>
>>     From what I read from the OpenBSD documentation, this is not
>> possible now. I want some guidance for what areas of code I would need
>> to modify, to accomplish the same. I know it would involve lots of
>> hacking with boot(8), with the kernel itself, and perhaps more. Also, I
>> want to know how hard you guys think it would be.
> I'm aware of some issues in this area.
>
> You probably need to modify boot to default to serial console. The
> normal approach, taken by the installer, is to use boot.conf, but of
> course that's not readable before the disk is decrypted. This is
> assuming you will use serial console to provide the password instead
> of regular keyboard.
>
> If you want to provide the password over the network, I think that's
> going to be way more work. pxeboot may be a place to start, but I
> don't think you'll like where that leads and it won't be very secure
> either.
>
> Or get a server that supports some sort of kvm/console over IP.
Ted,

    Thank you for your reply. I am tending toward the generic solution for
unlocking it via network, not using console nor any hardware assist. On
linux, using initramfs + busybox + dropbear + some other hacks, it works
quite well and securely, since you unlock it through ssh.

    I took a look at pxeboot, but I don't think it will work. I know it
is a chicken-egg problem, but I want to take a shot at it. Just would
like some guidance, where to start. I know that maybe it would need some
approach in the lines of initramfs, but I would avoid it as much as I
can, if possible. I think an unencrypted partition/disklabel with
boot.conf and the kernel, plus some hack with boot itself to initialize
the network device, and configure its IP address would be more
interesting. Or even just boot.conf on the partition. This would require
that boot(8) would do most of the work, even a small sshd
implementation. Any ideas?

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC