Diferència entre revisions de la pàgina «How to unlock LUKS root via SSH»
(First translation) |
|||
| Línia 34: | Línia 34: | ||
* Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line): | * Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line): | ||
| − | ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; | + | ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ip addr flush dev eth0 &" |
(Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system) | (Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system) | ||
== Other sources == | == Other sources == | ||
* [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt Kernel command line] (values for the network configuration) | * [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt Kernel command line] (values for the network configuration) | ||
Revisió de 12:53, 16 nov 2013
Català - Castellano - English
Introduction: This is a simple guide to give access to the net, to introduce the passphrase (password) in the boot of a system already encrypted including the root. In this way is not a requirement to go in person to write it with the keyboard.
Notes:
- Tested with Debian GNU/Linux 7 (wheezy), but the method should work with older versions and other GNU distributions with Linux.
- It's important to consider that, having the kernel with the decrypter in a non-encrypted partition, is a weak point. The most secure method is to have ALL the hard disk encrypted, and then boot in person with an external memory (such as /boot in a pendrive) and, when having unlocked the system, take that memory with the software intact in our hands.
Contingut
Prepare the remote LUKS unlocking
From the encrypted system
- Install the software for the SSH service and Shell commands interpreter:
apt-get install dropbear busybox
- Configure the net to the kernel boot stage, setting this variable at the file /etc/default/grub
GRUB_CMDLINE_LINUX="ip=192.168.1.33::192.168.1.1:255.255.255.0::eth0:none"
(Example for an IP address 192.168.1.33, gateway 192.168.1.1 and net device eth0)
- Update boot manager with the new data for the kernel:
update-grub
- Copy the special entry certificate to the remote computer, from which you will ask for unlocking:
scp -P 22 /etc/initramfs-tools/root/.ssh/initramfs_rsa RemoteUser@RemoteComputer:/home/RemoteUser/encrypted.example.net_initramfs-rsa
(Example with RemoteUser of the IP RemoteComputer and labelling the server as encrypted.example.net)
In the remote system
(computer from where you want to send the unlocking command)
- (optional) For security, move the certificate to the superuser profile (root):
mkdir -p /root/.ssh mv ~/*_initramfs-rsa /root/.ssh/
- Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line):
ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ip addr flush dev eth0 &"
(Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system)
Other sources
- Kernel command line (values for the network configuration)
