0

I have been looking online for a solution that will allow me to automatically unlock an ubuntu 16.04 LTS machine with FDE (including the root partition). I have found a lot of guides that allow a remote unlock using dropbear. The idea there would be to allow a user to SSH into that machine to securely transfer a passphrase. What I want is the inverse and involves no SSH server on the machine trying to mount the encrypted partition.

What I would like is for when I am in initramfs and it is about to try to mount the encrypted partitions that it initiates an SSH session (such as grabs a file using scp) to get the passphrase. I would have a trusted machine that hands out the passphrases over the network. I can't seem to find information on a initramfs module or script to do such. Of course, it would be further great if it would try to grab that file, but if it wasn't available it just defaulted to grabbing console input. It seems that if someone got an SSH server running on initramfs it stands to follow there is some SCP-like client available, but I can't find anyone out there doing this.

In case noone has any ideas, what I am trying to protect against is someone stealing my machine wholesale, but still allow automatic reboots. I just want to store keys in another machine in a remote location that is unlikely to be simultaneously stolen and use a form of secure transmission to get those keys to boot.

Thanks in advance.

Foghorn
  • 103
  • Possible duplicate of How can one unlock a fully encrypted Ubuntu 11.10 system over SSH at boot? – David Foerster Jun 25 '17 at 14:08
  • I appreciate the comment, but I think that is still where the booting machine is opening an ssh server and waiting for a connection to it. I am looking for the booting machine to reach out to an external SSH server to retrieve a secret. – Foghorn Jun 25 '17 at 14:36
  • Uhm, that seems like a really odd, unnecessarily complex and ultimately ineffective security scheme. If another machine can authorise the machine in question via public key authentication, so could an attacker with physical access to it which renders the disk encryption moot. – David Foerster Jun 25 '17 at 14:44
  • I described my ultimate goal if you feel it is 'ultimately ineffective'. I am looking for ideas where I could endure a loss of the hardware and allow automatic reboots of the machines. – Foghorn Jun 25 '17 at 14:51
  • If you're interested to find a security scheme that's actually useful for your scenario and threat model you might want to ask a question over on [Security.SE]. There's probably no readily available support for what you're trying to do because it has no benefit (as far as I can see) and a custom solution would be complex enough that most potential answerers would shy away. – David Foerster Jun 25 '17 at 15:08

1 Answers1

1

I've put together a fairly simple keyscript for retrieving keys over HTTPS. I was trying to solve the same problem I believe you are - securing a machine against untargeted theft while still allowing unattended reboots.

The key is stored encrypted on the other server, and you can configure basic authentication fairly easily - none of this particularly helps of course once someone's stolen the relevant machine! You'll still have to manually respond to the theft quickly by making the keys unavailable.

(I've also made my HTTP server limit access using GeoIP and my ISPs IP ranges, which might provide some protection if I'm lucky.)

Encrypting the key in my arrangement probably doesn't provide much benefit, I have to admit. (But it doesn't make things much more complicated.)

mandos is an attempt to solve a similar problem but tries to ensure that keys will be made unavailable quickly and automatically if a machine appears to have been stolen. This means it requires assumptions about downtime and a slightly more convoluted infrastructure.

stupidpupil
  • 46