From: Damien Fleuriot
To: Paul Schenkeveld
Cc: "hackers@freebsd.org"
Subject: Re: Chicken and egg, encrypted root FS on remote server
Date: Wed, 20 Feb 2013 09:47:36 +0100
List-Id: Technical Discussions relating to FreeBSD

On 20 Feb 2013, at 08:46, Paul Schenkeveld wrote:

> On Wed, Feb 20, 2013 at 02:42:57AM -0500, Jason Hellenthal wrote:
>> Just a thought with no working example but…
>>
>> bootp / tftp - from a remote secured management frame to TX a key filesystem to unlock your rootfs.
>>
>> Could be something as simple as a remote wireless adhoc server with a 64GB thumbdrive to hold your data or just enough to tell the system where to get it.
>>
>> Considering a key can be any length string of a sort just to say but... Serve the rootfs key directly from a TXT out of a secured DNS zone only visible to so said machines.
>
> Thank you but manual entry of the passphrase is a prerequisite here so
> serving the key automatically is not an option.
>
> With kind regards,
>
> Paul Schenkeveld
>

What about getting a remote console like HP's ILO or Dell's DRAC?

You get to log in remotely, you can use some degree of access control... you can even remote boot.