Date: Wed, 20 Feb 2013 09:19:30 +0100 From: Paul Schenkeveld <freebsd@psconsult.nl> To: freebsd-hackers@freebsd.org, hackers@freebsd.org Subject: Re: Chicken and egg, encrypted root FS on remote server Message-ID: <20130220081930.GB59952@psconsult.nl> In-Reply-To: <20130220065810.GA25027@psconsult.nl> References: <20130220065810.GA25027@psconsult.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Feb 20, 2013 at 07:58:10AM +0100, Paul Schenkeveld wrote: > Hi, > > I've been trying to find a solution for this chicken and egg problem, > how to have an encrypted root filesystem on a remote server. > > Geli can ask for a root password at the console to unlock the root fs > but that of course won't work for a remote server. > > Ideally I'd like the server to start, do minimal network config, run > a minimal ssh client (dropbear?) and wait for someone to log in, > provide the passphrase to unlock the root filesystem and then mount > the root filesystem and do a normal startup. > > I read about a pivotroot call in other OS-es, that would allow for a > very small unencrypted root filesystem to be mounted temporarily until > the passphrase has been entered and then swap that for a real, encrypted > root filesystem. But AFAIK we don't have pivotroot. > > The problem could also be solved if the real root fs could be union > mounted over the small unencrypted one but unionfs won't mount over /. Why is it that I cannot union mount anything over /, is there a technical reason for that or is it because of security concerns?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130220081930.GB59952>