From owner-freebsd-hackers@FreeBSD.ORG  Wed Feb 20 07:47:02 2013
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 6EE2B55F
 for <hackers@freebsd.org>; Wed, 20 Feb 2013 07:47:02 +0000 (UTC)
 (envelope-from freebsd@psconsult.nl)
Received: from mx1.psconsult.nl (unknown [IPv6:2001:7b8:30f:e0::5059:ee8a])
 by mx1.freebsd.org (Postfix) with ESMTP id 00A5D894
 for <hackers@freebsd.org>; Wed, 20 Feb 2013 07:47:01 +0000 (UTC)
Received: from mx1.psconsult.nl (mx1.hvnu.psconsult.nl [46.44.189.154])
 by mx1.psconsult.nl (8.14.5/8.14.4) with ESMTP id r1K7ktV5060121
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Wed, 20 Feb 2013 08:47:00 +0100 (CET)
 (envelope-from freebsd@psconsult.nl)
Received: (from paul@localhost)
 by mx1.psconsult.nl (8.14.5/8.14.4/Submit) id r1K7kthX060120;
 Wed, 20 Feb 2013 08:46:55 +0100 (CET)
 (envelope-from freebsd@psconsult.nl)
X-Authentication-Warning: mx1.psconsult.nl: paul set sender to
 freebsd@psconsult.nl using -f
Date: Wed, 20 Feb 2013 08:46:55 +0100
From: Paul Schenkeveld <freebsd@psconsult.nl>
To: Jason Hellenthal <jhellenthal@DataIX.net>
Subject: Re: Chicken and egg, encrypted root FS on remote server
Message-ID: <20130220074655.GA59952@psconsult.nl>
References: <20130220065810.GA25027@psconsult.nl>
 <C69A03DB-D861-4400-96B4-2DF5925CB4FC@DataIX.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <C69A03DB-D861-4400-96B4-2DF5925CB4FC@DataIX.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: hackers@freebsd.org
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2013 07:47:02 -0000

On Wed, Feb 20, 2013 at 02:42:57AM -0500, Jason Hellenthal wrote:
> Just a thought with no working example but…
> 
> bootp / tftp - from a remote secured management frame to TX a key filesytem to unlock your rootfs.
> 
> Could be something as simple as a remote wireless adhoc server with a 64GB thumbdrive to hold your data or just enough to tell the system where to get it.
> 
> Considering a key can be any length string of a sort just to say but... Serve the rootfs key directly from a TXT out of a secured DNS zone only visible to so said machines. 

Thank you but manual entry of the passprase is a prerequisite here so
serving the key automatically is not an option.

With kind regards,

Paul Schenkeveld