0

I'm setting up some secure Ubuntu servers with full disk encryption. They have a small boot partition, and a large LUKS-encrypted disk with LVM to provide the rest of the partitions. Currently, they are configured to require a passphrase at boot. However, I was wondering if there was a way for them to get their decryption key from a TFTP server, NFS share, or similar, which would allow me to reboot my servers without the need for console access. I would still encrypt the key server and require console access and a passphrase to boot that, but I would then only have to deal with entering a passphrase for one box versus what will likely become 20 encrypted servers.

As this is all be in a virtual environment, I would create a completely separate network for key traffic that has no link to the rest of my network. It's still risky, yes, but the main goal is to make physical seizure of my servers fruitless, as exterior intrusion from my WAN is not something disk encryption can help with, anyway.

Is there a way to accomplish this? Does what I'm trying to do make sense?

Improve this question

2 Answers 2

Reset to default
0

There's not much point in using disk encryption if you have a server that sends out the decryption key to anyone who asks for it. You can't do any meaningful authentication of a client that hasn't even booted yet; about the best you could do is check its MAC address, which an attacker could easily spoof.

Improve this answer
1
  • As this is all be in a virtual environment, I would create a completely separate network for key traffic that has no link to the rest of my network. It's still risky, yes, but the main goal is to make physical seizure of my servers fruitless, as exterior intrusion from my WAN is not something disk encryption can help with.
    – MrDrMcCoy
    Commented May 27, 2014 at 4:10
0

From grub? Yes, this is possible. In theory. But it hasn't been done yet. You'll have to write (or, rather, modify) a GRUB module or two to get it up.

If you don't care if the code to download it is in the initrd instead, then it's actually pretty straightforward - "keyscript" is a script that returns the key. See "man crypttab". It will be included in the initramfs automatically, but you'll have to write a "initramfs-tools" "hook" script to include any binaries that you need to call at boot time. (I.E. Your TFTP program)

Sounds like a worthwhile thing to do though. I've been thinking "small battery-powered computer with the key in RAM, programmed to delete said key when the network cable is unplugged." That way, if somebody does steal your computers, they get no data. It wouldn't be as secure as typing in the passphrase each time into each computer, but it's more secure than a USB key you have with you (that could be stolen) and MUCH easier to use.

If you also make sure that the only other key is known to somebody in a different jurisdiction, then you're somewhat cop-proof too. They can take the computers, but they don't have any way to decrypt then, nor can they subpoena anyone who does. (Like you, for instance.)

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .