you are not alone spagbro

#724
Author: winny
Created: April 4, 2023, 6:12 p.m.
Expires: Never
Size: 4.1 KB
11:29:13 	<tobias>	hi
11:29:51 	<tobias>	is there a way to add remote unlocking of full disk encryption to an alpine linux initramfs?
11:30:32 	<winny>	o/
11:32:28 	<tobias>	https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/86
11:32:41 	<tobias>	i found this, but it seems to be stuck?
11:32:47 	<tobias>	anything i can do to make it happen?
11:35:10 	<winny>	If dracut is in testing that may be a better solution given its maturity
11:35:45 	<winny>	Anyone actually use fde with initramfs ssh in this chat?
12:04:08 	<minimal>	tobias: that is/was my MR, unfortunately it went nowhere :-(
12:05:46 	<minimal>	basically as there is no testing framework in place for mkinitfs then major changes are unlikely to be accepted as there's a risk they could break stuff and not be noticed
12:06:37 	<minimal>	you could try either booster or dracut - booster I believe supports remote encryption unlocking but that is via clevis/tang, not SSH
12:06:42 	<tobias>	that's... annoying :/
12:07:12 	<minimal>	booster is in community, so it is available for v3.17 as well as Edge
12:08:09 	<minimal>	dracut is in community in Edge, so it will be in v3.18 when it comes out but it's not in v3.17
12:09:31 	<tobias>	so i guess i'll have to wait until v3.18 then and unlock via VNC in the meantime
12:09:32 	<minimal>	also note that my MR was *not* for "FDE" - with FDE then Grub prompts for a passphrase *before* the initramfs is loaded and run, so there's no way to remote unlock LUKS for Grub
12:09:56 	<tobias>	yeah, i have /boot unencrypted
12:10:16 	<minimal>	my MR was for remote unlocking by the initramfs, so yes /boot has to be unencrypted
12:10:26 	<tobias>	with the intention to have the rest unlockable via initramfs/ssh
12:10:34 	<minimal>	the same applies for clevis/tang as used by booster
12:10:54 	<minimal>	so you don't have FDE then ;-)
12:11:38 	<minimal>	winny: yes I used remote LUKS unlock as I wrote (and tested) that MR
12:12:04 	<tobias>	unlocking from grub isn't either, if you want to be strict. the bootloader bits are unencrypted too. :)
12:13:13 	<minimal>	true, unless you also use OPAL encrypted disks, but then you'd never be able to remote unlock that unless you had an IPMI that supported that lol
12:13:37 	<minimal>	also you can never have FDE with UEFI machines as the ESP partition must be unencrypted
12:15:14 	<tobias>	let's call it "encrypted rootfs" then? :D
12:17:15 	<minimal>	I haven't kept track of the state of the dracut package for Alpine
12:17:42 	<minimal>	so it may be possible to add a hook for remote unlock, but you'd still need to modify the dropbear package also
12:18:23 	<--	chomwitt (~chomwitt@ppp-94-69-24-223.home.otenet.gr) has quit (Ping timeout: 268 seconds)
12:19:55 	<tobias>	what's the modification that would need to be done to dropbear?
12:20:55 	<--	imega (~coma@89.206.80.49) has quit (Ping timeout: 276 seconds)
12:22:16 	<minimal>	you'll find it here: https://github.com/dermotbradley/alpine-remote-LUKS-unlock
12:22:39 	<minimal>	I never raised a MR for it as there was no point without the other MR being accepted
12:24:26 	<minimal>	but I wouldn't use it (even with dracut) unless the change was merged into the dropbear package, otherwise package upgrades would "lose" any locally applied changes
12:25:29 	<tobias>	yeah, i could imagine that
12:26:18 	<tobias>	i guess the noVNC from my provider has to do the job then until that's all sorted out :)
12:27:09 	-->	jaykelly450 (~jaykelly4@2601:c0:c780:80e0:73:d866:2e6a:4a20) has joined #alpine-linux
12:34:47 	<minimal>	tobias: ah, they're providing KVM or IPMI access to the console?
12:39:25 	<tobias>	it's a VPS
12:41:16 	<tobias>	probably not perfect security either, but better than nothing
12:43:36 	<tobias>	have been hosting stuff on physical hardware for a long time, but i need to move to cloud now since that hardware tends to break at the worst possible time
12:43:57 	<tobias>	e.g. while i'm travelling abroad. :D
12:52:50 	<tobias>	i have actually been using raspberry pis with usb2serial adapters for such tasks
12:53:54 	<tobias>	unexpectedly reliable these little things, not a single one of them broke so far. :)