
Does a tool/method exist which allows encrypting a Windows 7 system volume while providing the possibility to remotely unlock it via ssh during the boot phase? Is it even possible with Windows 7 (I guess it should be)?

On linux, a LUKS encrypted rootfs can be unlocked via ssh during the boot phase (also see /usr/share/doc/cryptsetup/README.remote.gz on Debian).

The DiskCryptor project comes with a powerful bootloader which allows booting an encrypted system volume by unlocking it via USB or LAN (automatically providing the previously hard-coded password). However, I found no possibility to enter the required unlocking password over an ssh connection and I absolutely don't want to hard-code the password somewhere (not even in my (hopefully) secure LAN).

Therefore, a similar solution to the LUKS approach most probably involves a separate unencrypted boot partition with an ssh server and some boot magic which handles the unlocking and allows chain-loading the encrypted system partition with Windows 7.

Does anything like this exist or is being developed?

  • What product did you use to encrypt the disk? You describe Linux parallels instead of describing what you did with Windows. There is not enough info here for a useful answer.
    – harrymc
    Commented Jul 24, 2012 at 5:50
  • @harrymc I'm not asking for a specific solution e.g. using TrueCrypt. I'm just asking for anything that would allow windows system volume encryption as well as remote unlocking via ssh. Perhaps another fork of TrueCrypt or FreeOTFE or whatever - I would gladly use it and encrypt my system volume with it. I used the LUKS example to show that such solutions exist, at least for linux. (I edited the question for clarification)
    – speakr
    Commented Jul 24, 2012 at 9:14
  • One solution might be to convert Windows 7 into a virtual machine inside Linux.
    – harrymc
    Commented Jul 24, 2012 at 9:35
  • I just found this question which mentions kexec. This could be the holy grail: Booting into a LUKS-encrypted linux by unlocking it via ssh, then using kexec to directly boot a TrueCrypt-encrypted windows system volume from there using the TrueCrypt rescue disk. I'll try that. :)
    – speakr
    Commented Jul 24, 2012 at 14:26
  • @climenole PsExec can only be used to execute applications on an already booted windows system. Therefore, it is no solution for my scenario.
    – speakr
    Commented Jul 26, 2012 at 7:29

2 Answers


I finally found an inexpensive solution to this problem by turning a Raspberry Pi Zero W into a remotely accessible USB keyboard.

Steps:

  1. Remotely start the computer with the encrypted Windows system partition using Wake on LAN
  2. Use SSH to remotely access the Pi that is connected to the computer via USB
  3. Send the passphrase to unlock the encrypted Windows partition from the Pi to the computer via USB
  4. Continue booting

This works flawlessly e.g. with a Windows 10 system partition encrypted with VeraCrypt.
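One way to implement step 3, as an added example that is not the answer's own code: a script run on the Pi over the SSH session that reads the passphrase from stdin and types it into the host through the USB HID keyboard gadget device (assumed to be /dev/hidg0, set up with the Linux USB gadget framework). It assumes the pre-boot prompt uses the US keyboard layout, which is why the keycode table is US-only.

```python
# Type a passphrase into a host through a USB HID keyboard gadget (Pi Zero W
# configured as a keyboard, exposing /dev/hidg0). US layout, as the pre-boot prompt expects.
import sys
import time

_LETTERS = {chr(ord("a") + i): 0x04 + i for i in range(26)}      # a..z -> 0x04..0x1D
_DIGITS = {str(d): 0x1D + d for d in range(1, 10)}               # 1..9 -> 0x1E..0x26
_DIGITS["0"] = 0x27
_PLAIN = {
    " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
    ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38,
}
_BASE = {**_LETTERS, **_DIGITS, **_PLAIN}          # characters typed without Shift
_SHIFTED = dict(zip('!@#$%^&*()', "1234567890"))   # characters typed as Shift + base key
_SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
                 '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})
LEFT_SHIFT = 0x02
ENTER = 0x28
RELEASE = bytes(8)   # boot-protocol report with every key up

def key_report(ch: str) -> bytes:
    """Return the 8-byte boot-protocol report (modifier, reserved, 6 keys) pressing one character."""
    if ch in _BASE:
        return bytes([0, 0, _BASE[ch], 0, 0, 0, 0, 0])
    if ch.isupper() and ch.lower() in _LETTERS:
        return bytes([LEFT_SHIFT, 0, _LETTERS[ch.lower()], 0, 0, 0, 0, 0])
    if ch in _SHIFTED:
        return bytes([LEFT_SHIFT, 0, _BASE[_SHIFTED[ch]], 0, 0, 0, 0, 0])
    raise ValueError(f"no US-layout keycode for {ch!r}")

def reports_for(text: str, press_enter: bool = True) -> list:
    """Press/release report pairs for each character, optionally followed by Enter."""
    out = []
    for ch in text:
        out += [key_report(ch), RELEASE]
    if press_enter:
        out += [bytes([0, 0, ENTER, 0, 0, 0, 0, 0]), RELEASE]
    return out

def type_text(text: str, device: str = "/dev/hidg0", delay: float = 0.02) -> int:
    """Write the reports to the gadget device; returns the number of reports sent."""
    reports = reports_for(text)
    with open(device, "wb", buffering=0) as hid:
        for rep in reports:
            hid.write(rep)
            time.sleep(delay)   # give the host's BIOS/bootloader time to poll the keyboard
    return len(reports)

if __name__ == "__main__":
    type_text(sys.stdin.readline().rstrip("\n"))   # passphrase comes over SSH, never stored on the Pi
```

Run it as `ssh pi@<pi-address> python3 type_passphrase.py` and enter the passphrase on the SSH client; nothing is written to the Pi's storage.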


The only way to achieve this is to buy a network KVM adapter, which can be quite expensive depending on which one you choose. Similar to most BIOSes, you can't remotely access it unless you have a networked KVM which will essentially put your keyboard, mouse and monitor on the network.

For this example, I will use the bootloader from Truecrypt:

The bootloader is supposed to do one thing (and one thing ONLY) and that is to decrypt your Windows system partition so that the decrypted form of Windows can start booting. For this reason, the bootloader is EXTREMELY lightweight to speed up the time it takes from when the power button is pressed to the bootloader screen where it asks for your password for decryption. Therefore, any SSH implementation in the bootloader is unrealistic.

  • Yes, ssh for a bootloader may be too much overhead; nevertheless the LUKS way works fine. I don't need a powerful all-in-one bootloader, I just need something that works with Windows like LUKS does with Linux.
    – speakr
    Commented Aug 18, 2012 at 15:36
  • I disagree about a network KVM adapter being the only possibility for achieving the OP's result. Using VirtualBox or VMWare for hosting the Windows installation inside a minimal linux dist would probably be the way I'd solve this issue since this gives you access to the system console even during the boot process. It doesn't have to be a large dist however. You could strip it down to just some kind of X and an autoloader for virtualbox/vmware. However, the security of this dist should also be considered since the OP's way in might become a source of future security breaches.
    – simme
    Commented Aug 21, 2012 at 5:31
