Remotely enter encryption key?

Question

This might be a really dumb question but here goes, anyway.

I just bought a couple servers. I already installed Ubuntu with encrypted LVM on one and I'm planning on doing the same with the other. This means that every time I boot up each of these machines, I have to enter the passphrase. And I'll have to do this every morning because I'll power each machine off each night for security reasons.

Here's the problem: I don't have monitors or keyboards for these servers. It seems to me I have two options:

1. Somehow enter the passphrase remotely
2. Buy a KVM switch

I doubt #1 is an option but I want to make sure it's not before I buy a KVM. Is it possible to enter the passphrase remotely? AND is it a good idea?

Answer 1

If your servers support IPMI 2.0 SOL (Serial-over-LAN), you may be able to use ipmiconsole or a similar utility to get a serial console on your machine. Once you have that working, it's not a big step to get keyboard input sent to your virtual serial port. Your OS may require some additional configuration to use the serial console.

As for whether it's a good idea, well, there's no catch-all answer to that. It depends on what you're trying to secure and what you're trying to accomplish by doing so. In almost every case I've seen, full-disk encryption of a server is complete overkill because it does not protect you against a single thing besides a physical break-in. Most intrusions/hacks, for obvious reasons, occur against servers that are powered on, not ones that are powered off.

Answer 2

One possible option would be to redo it so that the base system (/ /usr /etc /lib and such... the things that are the same on all the Linux systems) are unencrypted, with your actual data to protect in a separate LV that is encrypted. Then, the system should be able to boot to a state where you can log in remotely and mount the encrypted partition and provide the password at that time.

This is the option I take with my database servers, with an encryptd partition for just the database, which is set to not start on boot so I can log in and mount the partition and start the database.

Answer 3

Maybe you want to use a USB token for that purpose? Of course, this would shift the security from network to physical. I am sure you know that you can't achieve total security, but you have to compromise.

One piece of advice: habits lead to letting your guard down, which leads to being more prone to slips and small mistakes, which leads to the dark side and eventually to relying on a false sense of security.

I highly recommend not relying on a massive one-security-for-everything, but instead on small modular plugins that can give you more fine-grained control. For example: encrypted LVM is ok, but use a USB token as key for booting the system. Then only mount the partitions you actually need (and have them encrypted with different keys), maybe even entering the keys remotely or (better!) have a card reader use something you carry with you all the time to authenticate you and prevent replying attacks. Rely on good patching and on redundant security systems more than a on single firewall or a single 'solution' (i.e. install two redundant firewalls on different machines, and keep one invisible by doing transparent bridging). Keep one system offline and compare checksum at random intervals (days, weeks, hours, etc). And so on.

If you want quick and dirty security forget about the 'security' part.

Answer 4

This may not have been possible when the question was originally asked, but it is now possible to set up your initrd to let you enter the passphrase via ssh.

Based on this guide for Ubuntu - http://blog.nguyenvq.com/2011/09/13/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu/ - I was able to set up several of my Debian servers to let me unlock them remotely.