Title: Automatic prompt to unlock remote encrypted partitions
Author: Solène
Date: 20 November 2022
Tags: openbsd security networking ssh nocloud
Description: In this article, you will learn how to make OpenBSD systems prompt for a passphrase on your local workstation in order to unlock an encrypted partition.
# Introduction

I have remote systems on which only /home is an encrypted partition. The reason is that it makes remote management much easier when there is no serial access. It's not ideal if you have critical files, but in my use case it's good enough.

In this blog post, I'll explain how to get the remote system to prompt you for the unlocking passphrase automatically when it boots. I'm using OpenBSD in my example, but you can achieve the same on Linux with cryptsetup (LUKS); if you want to push the idea further on Linux, you could do this from the initramfs to unlock your root partition.
# Requirements

* OpenBSD
* a non-root encrypted partition
* a workstation with ssh that is reachable by the remote server (VPN, NAT etc.)
# Setup

1. install the package `zenity` on your workstation
2. on the remote system, generate an ssh key pair without a passphrase for the root account using `ssh-keygen`
3. copy the content of `/root/.ssh/id_rsa.pub` for the next step (or the public key file if you chose a different key algorithm)
4. edit `~/.ssh/authorized_keys` on your workstation
5. create a new line with: `restrict,command="/usr/local/bin/zenity --forms --text='Unlock t400 /home' --add-password='passphrase' --display=:0" $THE_PUBLIC_KEY_HERE`
The new line allows the ssh key to connect to our local user, but restricts it to a single command: zenity, a GUI dialog program used to generate forms/dialogs in X sessions.

In the example, this creates a simple form in an X window with the label "Unlock t400 /home" and a password field that hides the typed text, shown on display :0 (the default one). Upon connection from the remote server, the form is displayed; you type the passphrase and validate, then the content is passed over ssh to stdout on the remote server, where it is piped into the `bioctl` command that unlocks the disk.
On the server, create the file `/etc/rc.local` with the following content (please adapt to your system):

```sh
#!/bin/sh
# Ask the workstation for the passphrase over ssh (the forced command
# there prints it on stdout) and feed it to bioctl, which reads the
# passphrase from stdin because of -s.
#   -c C       crypto discipline
#   -l <chunk> the encrypted partition
#   softraid0  the softraid device
# The exit status of the pipeline is bioctl's, so /home is only
# mounted when the volume was actually unlocked.
if ssh [email protected] | bioctl -s -c C -l 1a52f9ec20246135.k softraid0
then
    mount /home
fi
```

In this script, `[email protected]` is my user@laptop-address, and `1a52f9ec20246135.k` is my encrypted partition. The file `/etc/rc.local` is run at boot after most of the services, including networking.
You should get a display like this when the system boots:

[Screenshot: a GUI window asking for a passphrase to unlock the /home partition of the compu…]
# Conclusion

With this simple setup, I can reboot my remote systems and wait for the passphrase to be asked quite reliably. Because of ssh, I can authenticate which system is asking for a passphrase, and it's sent encrypted over the network.

It's possible to take this idea further by using a local password database to pick the passphrase automatically, but you lose some manual control: if someone steals a machine, you may not want to unlock it after all ;) It would also be possible to prompt a Yes/No dialog before piping the passphrase from your computer. Do what feels correct for you.
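Here is one way to implement the Yes/No confirmation mentioned above while keeping the forced-command restriction from step 5 of the setup. This is an added example, not code from the original post: a small script on the workstation that replaces the bare zenity command in `authorized_keys`. It assumes zenity is at `/usr/local/bin/zenity` (the OpenBSD package path), that the X session is on display :0, and it relies on sshd exporting `SSH_CONNECTION` to forced commands so the dialog can show which host is asking. The script name `unlock-prompt.sh`, the function names and the dialog texts are my own choices.

```shell
#!/bin/sh
# unlock-prompt.sh: workstation side of the remote unlock (added example).
# Invoked by sshd as the forced command for the server's key. Shows which
# host is asking, asks Yes/No, then prompts for the passphrase and writes
# it to stdout, where the remote bioctl -s reads it.

ZENITY=${ZENITY:-/usr/local/bin/zenity}   # assumed path, OpenBSD package
export DISPLAY=${DISPLAY:-:0}             # same display as the original --display=:0

# Client address from SSH_CONNECTION ("client_ip client_port server_ip server_port").
# Word splitting of the unquoted variable is intended here.
client_ip() {
    set -- ${SSH_CONNECTION:-unknown}
    echo "$1"
}

# Manual control step: returns 0 only if the user clicks Yes.
confirm_unlock() {
    "$ZENITY" --question --title="Remote unlock" \
        --text="Host $1 requests the /home passphrase. Send it?"
}

# Password field hiding the typed text; the value is printed on stdout.
ask_passphrase() {
    "$ZENITY" --forms --title="Remote unlock" \
        --text="Unlock $1 /home" --add-password="passphrase"
}

# Prints the passphrase and returns 0 when approved; prints nothing and
# returns 1 when the user refuses, cancels, or leaves the field empty,
# so the remote bioctl gets no passphrase and rc.local skips the mount.
main() {
    host=$(client_ip)
    if ! confirm_unlock "$host"; then
        return 1
    fi
    pass=$(ask_passphrase "$host") || return 1
    [ -n "$pass" ] || return 1
    printf '%s\n' "$pass"
}

# Only act when sshd invoked us as a forced command (it sets
# SSH_CONNECTION); sourcing the file elsewhere just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Install it somewhere like `~/bin/unlock-prompt.sh`, make it executable, and point the `authorized_keys` entry at it instead of zenity: `restrict,command="/home/you/bin/unlock-prompt.sh" $THE_PUBLIC_KEY_HERE`. Keeping `restrict` means the server's key still cannot get a shell, a pty, or any port, agent or X11 forwarding; it can only trigger this prompt. When you click No, nothing is written to the connection, `bioctl` cannot unlock the volume and exits non-zero, and the `rc.local` script above therefore skips `mount /home`.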