
Are there any standard solutions to rebooting an encrypted system remotely without requiring a password on the next boot?

The system in question is an Ubuntu installation with a LUKS-encrypted root partition and an unencrypted boot partition.

The only way I can imagine is to add a randomly generated second key based on a file resting on the boot partition and to remove it with a start script on system boot.

Would the above approach work? Or is there a default option that does not require a manual approach?

The only security implication I can think of is the case where the system fails to boot before starting the first services.

Elmar Weber

1 Answer


You could set up an initrd with a minimal sshd in it (dropbear comes to mind), and then connect to it and enter the password manually. Or you could look into Mandos. Keep in mind that if someone has physical access to your server and can replace the boot code without you noticing, then you are game over no matter what.

miniBill
  • I like the SSH solution, although that probably requires a lot of tinkering. Mandos is not an option for my setup, since I just have one machine at home. However, I'm not home most of the time, and updates, etc. (i.e. me screwing things up =) require a restart at those times as well. – Elmar Weber Jun 14 '12 at 11:51
  • Ah, look here; adding ssh to my queries, I'm getting results from people having the same problem: http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu – Elmar Weber Jun 14 '12 at 11:53
  • That howto also kindly explains the two main possible attacks. Looking at the comments, it looks like Ubuntu has done something like that by default since 10.04? – miniBill Jun 14 '12 at 15:04
  • Yes, Ubuntu 11 and 12 have most of the stuff integrated; I just tried it successfully with the following instructions: http://www.thomas-krenn.com/de/wiki/Voll-verschl%C3%BCsseltes-System_via_SSH_freischalten They are in German but should be understandable with Google Translate or something like that. The described problems and bugs in the scripts also apply to the newest (12) Ubuntu version. – Elmar Weber Jul 05 '12 at 00:13
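The initramfs-sshd setup the answer suggests, written out as an added example (this is not code from the thread, the answerer, or the linked howtos). It assumes a later Ubuntu with the `dropbear-initramfs` and `cryptsetup-initramfs` packages (the 16.04 to 20.04 layout, where the configuration lives under `/etc/dropbear-initramfs/` and the initramfs ships `cryptroot-unlock`); the 2012-era Ubuntu in the thread needs the hook scripts from the linked howtos instead. The host name, addresses, port and key material are made up. The server side locks the initramfs sshd down to one key that can do nothing but run the unlock prompt; the client side pins the initramfs host key, so the passphrase is only ever typed to the sshd whose key was recorded out of band rather than to a replacement initramfs serving a look-alike prompt.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed: Ubuntu with the
# dropbear-initramfs package (config in /etc/dropbear-initramfs/) and an
# initramfs that contains cryptroot-unlock. Names, addresses and keys are made up.

# ------------------------------------------------------------------ server side
# Static network config for the initramfs, in the kernel ip= syntax
# client:server:gateway:netmask:hostname:device:autoconf (ip=dhcp also works).
INITRD_IP='ip=192.0.2.10::192.0.2.1:255.255.255.0:vault:eth0:off'   # assumed addresses

# Turn a plain "ssh-ed25519 AAAA... comment" public key into an authorized_keys
# line that can do nothing except run the unlock prompt: no forwarding of any
# kind and a forced command. A leaked client key then only ever reaches the
# passphrase prompt, never a shell in the initramfs.
restricted_authorized_key() {   # $1 = public key line
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="cryptroot-unlock" %s\n' "$1"
}

install_initramfs_sshd() {   # run once, as root; $1 = client's public key line
    apt-get install -y dropbear-initramfs
    restricted_authorized_key "$1" > /etc/dropbear-initramfs/authorized_keys
    chmod 600 /etc/dropbear-initramfs/authorized_keys
    # -s no password auth, -j/-k no local/remote forwarding, -I idle timeout,
    # -p a port other than 22 so the initramfs sshd and the real sshd never
    # compete for the same known_hosts entry on the client.
    echo 'DROPBEAR_OPTIONS="-s -j -k -I 60 -p 2222"' > /etc/dropbear-initramfs/config
    update-initramfs -u
    # Then add $INITRD_IP to GRUB_CMDLINE_LINUX in /etc/default/grub and run
    # update-grub. Record the initramfs host key for the client over a trusted
    # channel (the console), e.g.:
    #   dropbearkey -y -f /etc/dropbear-initramfs/dropbear_ed25519_host_key
}

# ------------------------------------------------------------------ client side
# known_hosts line pinned to the initramfs host key. ssh matches a non-default
# port only against the "[host]:port" form; a bare "host" entry would never
# match, and with StrictHostKeyChecking=yes the connection would be refused.
pinned_known_hosts_line() {   # host port keytype base64-key
    printf '[%s]:%s %s %s\n' "$1" "$2" "$3" "$4"
}

# ssh arguments for the unlock. A private known_hosts file plus
# StrictHostKeyChecking=yes means a swapped initramfs with its own host key is
# refused instead of being handed the passphrase. An initramfs modified in
# place that keeps the real host key is the "game over" case from the answer;
# host key pinning does not catch that, only measured or verified boot does.
unlock_ssh_args() {   # host port known_hosts_file identity_file
    printf -- '-p %s -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -i %s root@%s' \
        "$2" "$3" "$4" "$1"
}

remote_unlock() {   # host port known_hosts_file identity_file
    # Word-splitting the argument string is intended here. The forced command
    # on the server runs cryptroot-unlock anyway; passing it keeps the call
    # correct against an authorized_keys entry without the restriction.
    # shellcheck disable=SC2046
    ssh $(unlock_ssh_args "$1" "$2" "$3" "$4") cryptroot-unlock
}

# Typical use once the server side is in place (key value is a placeholder):
#   pinned_known_hosts_line vault 2222 ssh-ed25519 "$INITRD_HOSTKEY" > ~/.ssh/known_hosts.vault-initramfs
#   remote_unlock vault 2222 ~/.ssh/known_hosts.vault-initramfs ~/.ssh/unlock_key
```

The separate known_hosts file is deliberate: the initramfs and the booted system present different host keys on the same address, and letting both land in the default known_hosts invites exactly the "accept the changed key" habit that a phishing initramfs relies on.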