0

Is it possible on Linux (Debian 6) to use full disk encryption and passwordless SSH?

From what I can tell, you can encrypt a /home folder and use symbolic links to authorized_keys to make passwordless ssh work, but we'd prefer to encrypt the whole schmear (RAID1, LVM, /boot not encrypted, remaining LVM encrypted).

FYI - we are not talking about a "headless" server, so we are fine with putting in the encryption password on boot. Rather, want to be able to ssh into the machine remotely once it's up.

Our guess is this may not be possible, but any suggestions (or links) appreciated!

Thanks!

madog

2 Answers

2

SSH is for on-the-wire encryption, not filesystem encryption. It's a direct replacement for telnet.

For filesystem encryption, look at LUKS. There are plenty of tutorials on the web, but here's one on the Debian Administration site.

As @MichaelHampton points out, you can also set up filesystem encryption from the Debian installer. The installation guide explains about this.

James O'Gorman
  • You don't need to do that anymore, beginning with squeeze you can set up full disk encryption right from debian-installer. – Michael Hampton Jan 07 '13 at 17:57
  • Interesting, thanks. I wasn't aware of that (not having used Debian for a while). I assume it's still fairly manual for existing Squeeze systems, though? – James O'Gorman Jan 07 '13 at 17:58
  • Thanks for comment...may not have written post clearly. We are trying to encrypt disks fully, and then connect to them with ssh without having to enter a password. So have encrypted the disks, can connect with ssh, but have to enter password. It is this last piece we're trying to figure out. Are looking at some points re: using busybox and dropbear.... – madog Jan 07 '13 at 18:10
  • @senrabdet Full disk encryption has nothing to do with your passwordless ssh. Perhaps you should look at that issue instead? – Michael Hampton Jan 07 '13 at 18:12
  • @senrabdet Might be a good idea to reword your question to that effect. It's not all that clear. As for password prompts, it's likely a permissions issue. Please update the question with output of `ssh -vv `, `ls -ld /home`, the same for the user's home directory, and `ls -al` of the user's `.ssh` directory. – James O'Gorman Jan 07 '13 at 18:13
  • OK thanks, will double check...is asking us for password now whereas wasn't before we did re-install with encrypted disks, but will look at permissions again as know you're right that can cause authentication issues... – madog Jan 07 '13 at 18:27
  • James you were right....re-created keys, did permissions and voila. Big help, as we were down the wrong rabbit hole. Thx! – madog Jan 07 '13 at 20:22
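
The permissions check that the comments above converge on, as an added example that is not part of the original thread. It approximates what sshd verifies when `StrictModes` is enabled (owner is the user or root, no group/other write bit on the home directory, `.ssh` and `authorized_keys`); it assumes GNU `stat` as shipped on Debian, and the function names are illustrative.

```shell
# Added example: approximates the file checks sshd applies when StrictModes is on.
# Assumes GNU stat (as on Debian); function names are illustrative.

# check_ssh_perms HOME_DIR [UID]
# Prints one line per problem found; exit status 0 only when nothing is wrong.
check_ssh_perms() (
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # -L follows symlinks, so a linked authorized_keys is judged by its target.
        mode=$(stat -L -c '%a' "$path")
        owner=$(stat -L -c '%u' "$path")
        # The owner must be the account itself or root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER    $path owned by uid $owner, expected $uid"
            rc=1
        fi
        # Any group or other write bit (mode & 022) makes sshd ignore the key file.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# fix_ssh_perms HOME_DIR
# Applies the conventional modes: no group/other write on the home directory,
# 700 on .ssh, 600 on authorized_keys.
fix_ssh_perms() {
    chmod go-w "$1" &&
    chmod 700 "$1/.ssh" &&
    chmod 600 "$1/.ssh/authorized_keys"
}
```

Run `check_ssh_perms /home/USER UID` as root on the server side; a clean result with password prompts still appearing points back to the `ssh -vv` output rather than to permissions.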
0

Probably not the answer you're looking for, but if this were set up to authenticate against a Kerberos server with properly configured pam_krb5, you'd effectively get passwordless ssh (...okay, after you authenticate once) with another server controlling the access.

This would be useful if you need to manage accounts for multiple users, but if you only plan to have a single management account with a "jump box" to connect to it this is probably overkill.

Andrew B
  • Thanks Andrew....will give it a think, but am pretty sure we have to use ssh per other requirements... – madog Jan 07 '13 at 18:11