A keyscript and initramfs-tools helpers to allow a machine with a LUKS-encrypted boot drive to passwordlessly boot by fetching a remote key over HTTPS.
It is intended to protect against information disclosure in the event of accidental loss or untargeted theft - the key can be removed from the webserver as soon as the loss is noticed. It's not at all secure if you're trying to protect yourself against someone deliberately trying to obtain your information.
- Falls back to asking for a passphrase if the remote key can't be retrieved
- Compatible with the Plymouth splash screen
- Create keyfile.
dd if=/dev/random bs=1c count=256 | base64 > unencrypted_keyfile
cat unencrypted_keyfile | openssl enc -base64 -aes-256-cbc -md sha256 -e -salt -out encrypted_keyfile -k somepassphrase
rm unencrypted_keyfile
- Make
encrypted_keyfileavailable somewhere on a webserver. - Install and edit
/lib/cryptsetup/scripts/wget_or_ask. - Add keyfile to LUKS slots.
busybox sh /lib/cryptsetup/scripts/wget_or_ask > keyfile
sudo cryptsetup luksAddKey /dev/someDevice keyfile
rm keyfile
sudo chmod o-rx /lib/cryptsetup/scripts/wget_or_ask
- Install
/etc/initramfs-tools/… - Update the
/dev/someDeviceentry in/etc/crypttabwith the optionkeyscript=wget_or_ask. sudo update-initramfs -u
Mandos provides a system with better client authentication and automated detection of a client going offline for an unexpected period of time.
netkeyscript uses link-local IPv6 UDP packets with an unencrypted passphrase.
There are a number of variations on using dropbear or similar to allow remote, but not unattended, restarts with an encrypted boot.
This collection of scripts is licensed under the GNU GPLv3.