this post was submitted on 13 Oct 2025
56 points (95.2% liked)

Linux


I've done a little research but curious about first hand experience.

I've got a little home server that is full disk encrypted with LUKS (+LVM, of course). It's headless (no display, no keyboard, etc) and just lives attached to the back of my desk, out of the way.

If it gets rebooted due to a power outage, I can plug in a keyboard, wait long enough for it to get to the LUKS password prompt, enter password, hit enter, and assume it worked if I see the disk activity light blinking. Worst case scenario, I can move it to a monitor and plug it in to get display too.

Because lazy, I'd prefer to be able to enter the decrypt password remotely. "Dropbear" seems to be a common suggestion but I haven't tried it yet.

So, asking for your experience or recommendations.

I'll start. Recommendation #1 - get a UPS :D ... But besides that.

Addendum: either way, I currently need to be home to do this because I access it remotely via tailscale along with my desktop. Since both are full disk encrypted, neither will boot to the point of starting tailscale without intervention. But, I might repurpose a nonencrypted RPi with SSHd to act as an "auto restarts with tailscale so I can SSH to it, then SSH to server to enter the LUKS password" jump point.

[–] paequ2@lemmy.today 4 points 2 days ago* (last edited 2 days ago) (1 children)

Same boat. I'm currently testing some unlock stuff out. I just got USB unlocks to work for Debian by following this: https://tqdev.com/2022-luks-with-usb-unlock

I load a USB with a keyfile, then read the keyfile during boot. If I don't have the USB plugged in, I fall back to entering a passphrase. I have multiple LUKS encrypted disks and I don't want to type out a long passphrase a bunch of times.

I briefly encountered dropbear during my research... but ended up following the USB path because it kinda seemed a little easier to set up. 🤷

Anyone have any thoughts on USB vs dropbear unlocks?

[–] clif@lemmy.world 1 points 1 day ago (1 children)

I'd imagine that if you have physical access and don't mind plugging in a USB then that's the easier route.

My personal goal is to be able to unlock it remotely in two main scenarios:

  1. I'm lazy and don't want to have to awkwardly fumble at plugging in something. So, SSH to it from the same room and unlock it from my desktop.
  2. Server got rebooted while I'm away from home but I would really like it to be up and running again for something I need but I don't have physical access at the time.

Both of those situations lean towards a remote unlock with no USB. The first one is absolutely doable because I have local access and could plug a device in, it's just awkward. On the second, physical access is impossible so it must be done remotely.

I mentioned it in another comment but the remote unlock while away from home presents extra challenges for me because I access my server externally via Tailscale. Since Tailscale isn't available at boot (pre-decrypt), then I'll have to tailnet+ssh to another machine on the LAN (that doesn't require a boot password/unlock) and then SSH from that machine to the server to enter the LUKS password to allow boot to continue. Sounds feasible, though perhaps a little clunky. That's my current plan and hoping to try it out this weekend if time permits.
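
The jump-host path described in the comment above, written out as a client-side OpenSSH configuration. This is an added example, not from the thread; it assumes a Debian-style dropbear-initramfs already listening on port 2222 with the unlock key authorized and `cryptroot-unlock` available, and every host name, address and key path is a placeholder.

```sshconfig
# ~/.ssh/config on the roaming client (laptop or phone).
# All names, addresses and file paths below are placeholders.

# Unencrypted always-on box that rejoins the tailnet by itself after a power cut.
Host jump
    # Tailscale name of the jump host (placeholder)
    HostName jump-pi
    User pi

# The server while it is still sitting at the LUKS prompt (initramfs stage).
Host server-unlock
    # LAN address of the server (placeholder): the tailnet is not up yet on it
    HostName 192.168.1.10
    # Assumed port for dropbear in the initramfs, kept apart from the normal sshd
    Port 2222
    User root
    # Reach the LAN through the jump host; it only forwards the TCP stream
    ProxyJump jump
    # Dedicated key that is authorized for unlocking and nothing else
    IdentityFile ~/.ssh/id_ed25519_unlock
    IdentitiesOnly yes
    # The initramfs SSH server has its own host key, different from the booted
    # system's. Pin it under a separate alias and file so a mismatch here is a
    # real warning and not something one learns to click through.
    HostKeyAlias server-initramfs
    UserKnownHostsFile ~/.ssh/known_hosts_initramfs
    StrictHostKeyChecking yes
    # Go straight to the passphrase prompt
    RequestTTY yes
    RemoteCommand cryptroot-unlock
```

With `ProxyJump` the SSH session is end-to-end between the client and the initramfs, so the jump host relays encrypted traffic and never sees the LUKS passphrase. `ssh server-unlock` then goes straight to the prompt.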

[–] paequ2@lemmy.today 2 points 1 day ago (1 children)

Ah, cool cool. Makes sense. Are you unlocking 1 disk or many disks with the dropbear setup?

[–] clif@lemmy.world 1 points 1 day ago (1 children)

Just one... For now :)

It's a Lenovo Tiny refurb and came with a 1TB NVMe which is plenty for playing around but I'll have to expand if I move my Jellyfin instance to it.

[–] paequ2@lemmy.today 2 points 1 day ago

Ah, nice ok. Your post got me to look at dropbear a little more closely, but since I got a bunch of disks, I think USB unlock makes more sense in my setup. I'm using a keyfile on the USB to unlock a bunch of disks on boot. But if I only had one, then dropbear would be more doable for me.

Neat! Interesting post!