Title: Automatic prompt to unlock remote encrypted partitions
Author: Solène
Date: 20 November 2022
Tags: openbsd security networking ssh nocloud
Description: In this article, you will learn how to make OpenBSD
systems prompt for a passphrase on your local workstation in order to
unlock an encrypted partition.
# Introduction
I have remote systems on which only /home is an encrypted partition.
The reason is that this makes remote management a lot easier when you
have no serial access. It's not ideal if you have critical files, but
in my use case it's good enough.
In this blog post, I'll explain how to get the remote system to prompt
you for the unlocking passphrase automatically when it boots. I'm using
OpenBSD in my example, but you can achieve the same with Linux and
cryptsetup (LUKS); if you want to push the idea further on Linux, you
could do this from the initramfs to unlock your root partition.
# Requirement
* OpenBSD
* a non-root encrypted partition
* a workstation with ssh that is reachable by the remote server (VPN,
NAT, etc.)
# Setup
1. install the package `zenity` on your workstation
2. on the remote system, generate ssh keys without a passphrase for the
root account using `ssh-keygen`
3. copy the content of `/root/.ssh/id_rsa.pub` for the next step (or
the public key file if you chose a different key algorithm)
4. edit `~/.ssh/authorized_keys` on your workstation
5. create a new line with: `restrict,command="/usr/local/bin/zenity --forms --text='Unlock t400 /home' --add-password='passphrase' --display=:0" $THE_PUBLIC_KEY_HERE`
The new line allows the ssh key to connect to our local user, but it
is restricted to a single command: zenity, a GUI dialog program used
to generate forms/dialogs in X sessions. Whatever the remote side asks
to run, only this zenity command is executed.
In the example, this creates a simple form in an X window with the label
"Unlock t400 /home" and a password field that hides the typed text,
shown on display :0 (the default one). Upon connection from the remote
server, the form is displayed; you type the passphrase and validate,
and the content is written to zenity's stdout, which ssh carries back
to the remote server, where it is piped into the command bioctl to
unlock the disk.
On the server, create the file `/etc/rc.local` with the following
content (please adapt to your system):
```sh
#!/bin/sh
# Ask the workstation for the passphrase (the restricted key there runs
# zenity) and feed it to bioctl, which reads it from stdin (-s) and
# attaches the crypto volume (-c C) built on the given chunk (-l).
ssh [email protected] | bioctl -s -c C -l 1a52f9ec20246135.k softraid0
# The pipeline's exit status is bioctl's: mount only if the unlock worked.
if [ $? -eq 0 ]
then
    mount /home
fi
```
In this script, `[email protected]` is my user@laptop-address, and
`1a52f9ec20246135.k` is my encrypted partition. The file
`/etc/rc.local` is run at boot after most of the services, including
networking, have started.
You should get a display like this when the system boots:
[Image: a GUI window asking for a passphrase to unlock the /home partition of the compu…]
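As an added example that is not part of the original post, here is a more defensive variant of the rc.local step described above. It is not Solène's script: the user, host and disk id are placeholders, and the fetch and unlock commands are kept in variables so the retry logic can be exercised without ssh or bioctl. It retries when the workstation is not reachable yet (the network may still be coming up at boot) or when the zenity dialog was cancelled, and it never hands an empty string to bioctl.

```sh
#!/bin/sh
# Added example, not the rc.local from the post. The user, host and disk
# id below are placeholders; replace them with the values of your setup.

# Command that fetches the passphrase from the workstation (the restricted
# ssh key on the workstation runs zenity and prints what you typed).
: "${FETCH_CMD:=ssh user@workstation.example}"
# Command that consumes the passphrase on stdin and attaches the volume.
: "${UNLOCK_CMD:=bioctl -s -c C -l DISKID.k softraid0}"
: "${MOUNTPOINT:=/home}"
: "${MAX_TRIES:=3}"      # how many times to prompt before giving up
: "${RETRY_DELAY:=30}"   # seconds between prompts

# Fetch a passphrase and try to unlock. Returns 0 once the volume is
# attached, 1 after MAX_TRIES failed attempts.
unlock_remote_volume() {
    _try=0
    while [ "$_try" -lt "$MAX_TRIES" ]; do
        _try=$((_try + 1))
        # Capture the output instead of piping it straight into bioctl:
        # a cancelled dialog or a failed ssh connection yields an empty
        # string, which should never be offered as a passphrase.
        _pass=$($FETCH_CMD 2>/dev/null) || _pass=""
        if [ -z "$_pass" ]; then
            echo "unlock: no passphrase received (attempt $_try/$MAX_TRIES)" >&2
        elif printf '%s\n' "$_pass" | $UNLOCK_CMD; then
            _pass=""
            return 0
        else
            echo "unlock: volume rejected passphrase (attempt $_try/$MAX_TRIES)" >&2
        fi
        _pass=""
        [ "$_try" -lt "$MAX_TRIES" ] && sleep "$RETRY_DELAY"
    done
    return 1
}

# Only act when this file runs as /etc/rc.local (assumed: rc(8) invokes
# it by that path), so the function can also be sourced and exercised.
if [ "${0##*/}" = "rc.local" ]; then
    unlock_remote_volume && mount "$MOUNTPOINT"
fi
```

The passphrase still travels through the same restricted ssh channel as in the original script; the only change is that the remote side checks what it received before using it, and logs each failed attempt to stderr (which rc redirects to the console) instead of silently skipping the mount.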
# Conclusion
With this simple setup, I can reboot my remote systems and wait for the
passphrase to be asked quite reliably. Because of ssh, I can
authenticate which system is asking for a passphrase, and the passphrase
is sent encrypted over the network.
It's possible to go further with this idea by using a local password
database to automatically pick the passphrase, but you lose some kind
of manual control: if someone steals a machine, you may not want to
unlock it after all ;) It would also be possible to prompt a Yes/No
dialog before piping the passphrase from your computer. Do what feels
correct for you.