From owner-freebsd-hackers@FreeBSD.ORG Wed Feb 20 07:20:23 2013
Message-ID: <51247936.8050801@delphij.net>
Date: Tue, 19 Feb 2013 23:20:22 -0800
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Paul Schenkeveld
Cc: hackers@freebsd.org
Subject: Re: Chicken and egg, encrypted root FS on remote server
References: <20130220065810.GA25027@psconsult.nl>
In-Reply-To: <20130220065810.GA25027@psconsult.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2/19/13 10:58 PM, Paul Schenkeveld wrote:
> Ideally I'd like the server to start, do minimal network config,
> run a minimal ssh client (dropbear?) and wait for someone to log
> in, provide the passphrase to unlock the root filesystem and then
> mount the root filesystem and do a normal startup.

At work I have something like this: basically the setup has a small /
that is not encrypted, and I have a script called 'geli0' that starts
the network and sshd and waits for the GELI provider to be unlocked or
for someone to hit Enter on the console (and then unlock from the
console, of course).

I'm not sure if this is even near your requirement, nor is it intended
for use by the general public. Be sure to change ada0s1d to match your
system, by the way.

====
#!/bin/sh
#
# PROVIDE: geli0
# BEFORE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="geli0"
start_cmd="geli0_start"
stop_cmd=":"
required_modules="geom_eli:g_eli"

geli0_start()
{
	# Check the (unencrypted) root filesystem and remount it
	# read-write so the services below can start.
	fsck -py / || fsck -fy /
	mount -uw /

	# Bring up just enough of the system to accept an ssh login.
	/etc/rc.d/hostid start
	/etc/rc.d/hostname start
	/etc/rc.d/devd start
	/etc/rc.d/netif start
	/etc/rc.d/routing start
	/etc/rc.d/sshd start

	# Wait until the GELI provider has been attached (e.g. over
	# ssh), or until someone presses Enter on the console.
	echo -n "Waiting ada0s1d to be available, press enter to continue..."
	while true; do
		if [ -e /dev/ada0s1d.eli ]; then
			break
		fi
		read -t 5 dummy && break
	done

	# Stop the temporary services again before the normal boot
	# sequence continues.
	/etc/rc.d/sshd stop
	/etc/rc.d/routing stop
	/etc/rc.d/netif stop
	/etc/rc.d/devd stop
}

load_rc_config $name
run_rc_command "$1"
=====

Cheers,
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJRJHk2AAoJEG80Jeu8UPuz1mgH/Rjsk0NgHn6r/mNB+G00OizR
BOprd4wuctvNn/zr/syjM/UqixWI1WIXBDQAICZWTml938i5Mg65bi+qdszmRwbS
zzlSRUJ/N6oYQvUPnuCxjtIU3gvCKplt0bBz/RxRVNSzqMEgOTuta9Kd0IVU2MZW
zVZ0rmClScTA2zgGGFmQCZc1ot5CZfa66psSkdQIwLOvxp2o1ZHzMh5+owG8R0ys
8DE+aQ4d57Vt/JoRQW2W1OIfestOmf1uqL7HsnELL1nF0BTtG8GThfy+RzGAA3mm
vUKXFwiLwon+gJath2eIT2s/tCz5rKPisiXeBqAYUSWUNTqTWf2CXmfMXeL4+TM=
=gcTR
-----END PGP SIGNATURE-----
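The wait loop in the geli0 script above polls for the provider's device node with no overall deadline, so a headless machine whose unlock never arrives keeps sshd and the network up for as long as it takes. The block below is an added example, not code from Xin Li's message or from FreeBSD, of a bounded version of that wait that a geli0-style rc script could call in place of the `while true` loop. The function name `wait_for_provider`, its arguments and its return codes are this example's own conventions; it keeps the console-Enter escape when a terminal is attached and simply sleeps between polls when stdin is not a terminal.

```shell
#!/bin/sh
# Added example (not part of Xin Li's message or of FreeBSD): a bounded
# wait for a GELI provider's device node, for use from an rc.d script
# such as geli0.
#
# wait_for_provider DEVPATH [DEADLINE_SECONDS] [POLL_SECONDS]
#   returns 0  DEVPATH appeared, i.e. the provider has been attached
#           1  the deadline passed without DEVPATH appearing
#           2  an operator pressed Enter on the console (unlock locally)
# Name, arguments and return codes are assumptions of this example.
wait_for_provider() {
    _dev=$1
    _deadline=${2:-300}
    _poll=${3:-5}
    _waited=0

    while [ "$_waited" -lt "$_deadline" ]; do
        # The evidence that the unlock actually happened is the .eli node
        # existing, so check it first on every round rather than trusting
        # a keypress.
        if [ -e "$_dev" ]; then
            return 0
        fi
        if [ -t 0 ]; then
            # A console is attached: let an operator press Enter to take
            # over. read -t is supported by FreeBSD /bin/sh and by bash.
            if read -t "$_poll" _dummy; then
                return 2
            fi
        else
            # No terminal on stdin (e.g. redirected from /dev/null): sleep
            # between polls instead of spinning on a read that fails at once.
            sleep "$_poll"
        fi
        _waited=$((_waited + _poll))
    done
    return 1
}

# In a geli0-style start function the original loop would become, for
# example (300 s deadline, 5 s poll):
#   wait_for_provider /dev/ada0s1d.eli 300 5
#   case $? in
#       0) ;;                                  # attached, carry on
#       1) echo "timed out waiting for ada0s1d.eli" ;;
#       2) echo "console operator took over" ;;
#   esac
```

Because the function reports a distinct code for "timed out", the calling script can log that outcome and decide what to do next instead of silently continuing with the temporary sshd still running.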