
Unlocking an encrypted rootfs over ssh-server in initramfs - miduil
https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
======
miduil
Well, yes - if you are using an encrypted rootfs on a server, the disk is
permanently in an unlocked state - so it doesn't completely matter if
encrypted or not. But don't forget, in some cases you don't want to have
unencrypted data stored on a hard disk or a flash medium either. I guess
another solution would be to have only parts of the system/data encrypted, but
I think this way is more convenient.

Here is another article, describing a similar setup [0].

And here is a similar question on stackoverflow with plenty of answers [1] and
some other tool mentioned.

[0]: http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/

[1]: https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot

~~~
jerguismi
> Well, yes - if you are using an encrypted rootfs on a server, the disk is
> permanently in an unlocked state - so it doesn't completely matter if
> encrypted or not.

It is very irresponsible to make statements like that. It is very common to
have an attack, where the attacker gains access via social engineering to a
server, and manages to restart the server and gain access to a rescue system.

And even then, nowadays renting servers is very common - how do you know you
can trust everyone in the hosting company? FDE should be the default thing to
do, especially for servers. I don't really understand why they aren't a
standard practice already.

~~~
tarnacious_
> It is very irresponsible to make statements like that.

I don't think so. It is irresponsible to suggest that you can secure a server
you don't physically control. Full disk encryption doesn't protect your disk
if someone can take a memory dump of the machine. Using sshd in an initramfs
to receive the passphrase for an encrypted rootfs doesn't help if someone can
modify the initramfs and wait for the passphrase.

Encrypting your volumes does provide some security, but having to SSH into an
initramfs to unlock the root partition has its own problems.

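An added example, not code from the linked post or from any commenter in this thread: the check that goes with the caveat above. The initramfs that runs the sshd lives in /boot, which is necessarily unencrypted, so the unlocked system can at least record hashes of everything in /boot on the encrypted root and compare them on every boot. This only detects a swapped kernel or initramfs after the fact; an initramfs that already captured the passphrase has won, which is exactly the point being made. The paths (/boot, /var/lib/bootcheck/boot.sha256) are assumptions and can be overridden through BOOT_DIR and MANIFEST.

```shell
#!/bin/sh
# Added example (not from the page): record and verify hashes of the
# unencrypted /boot from inside the unlocked (encrypted) root filesystem.
# Detection only: a tampered initramfs that already ran has had its chance.

# Assumed locations; override by exporting BOOT_DIR / MANIFEST.
BOOT_DIR="${BOOT_DIR:-/boot}"
MANIFEST="${MANIFEST:-/var/lib/bootcheck/boot.sha256}"

# sha256 of every regular file below $1, paths relative to $1, sorted so
# the listing is stable across runs.
boot_hash() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done )
}

# Store the current state of /boot as the trusted baseline. Run once from the
# unlocked system right after installing a kernel/initramfs you built yourself,
# and again after every legitimate update.
boot_record() {
    mkdir -p "$(dirname "$MANIFEST")"
    boot_hash "$BOOT_DIR" > "$MANIFEST"
}

# Compare /boot with the baseline. Returns 0 if unchanged, 1 if any file was
# changed, added or removed (details on stderr), 2 if there is no baseline.
boot_verify() {
    [ -r "$MANIFEST" ] || { echo "no manifest at $MANIFEST" >&2; return 2; }
    current=$(boot_hash "$BOOT_DIR")
    if [ "$current" = "$(cat "$MANIFEST")" ]; then
        return 0
    fi
    cur_file=$(mktemp)
    printf '%s\n' "$current" > "$cur_file"
    # Lines present now but not in the baseline: modified or newly added files.
    grep -Fxv -f "$MANIFEST" "$cur_file" | sed 's/^/changed or added: /' >&2
    # Lines in the baseline that no longer match: modified or removed files.
    grep -Fxv -f "$cur_file" "$MANIFEST" | sed 's/^/was: /' >&2
    rm -f "$cur_file"
    return 1
}

# Command-line use: "bootcheck.sh record" after a trusted update,
# "bootcheck.sh verify" from a boot-time unit or cron job that alerts on failure.
case "${1:-}" in
    record) boot_record ;;
    verify) boot_verify ;;
esac
```

Keep the manifest on the encrypted root only, so an attacker who can rewrite /boot while the disk is locked cannot also rewrite the baseline. A measured boot (TPM PCRs) or Secure Boot with a signed unified kernel image is what turns this from detection into something closer to prevention.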
~~~
jerguismi
Nothing is ever 100% safe and everything has its own problems. Initramfs-based
full disk encryption is easy and effortless to do, and the value is most
definitely greater than the effort required. I know of multiple cases where a
simple FDE would have helped to greatly reduce the harm done.

You can host your own servers, but even that is not 100% safe. Someone can
break into your hosting space and inspect the servers. And that of course
requires quite a deal of effort.

------
theandrewbailey
I've been toying with this idea for personal experimentation. My idea for an
unattended unlock is to involve some sub-Raspberry-Pi-sized machine to be
somewhere on the LAN that stores the key (or part thereof). That small machine
would be on local WiFi and physically hidden, like under a sink.

------
zokier
I think the author dismisses evil maid style attacks too lightly. It is true
that it's kinda difficult to protect against such attacks, but Secure Boot
should raise the bar slightly.

~~~
eeZi
Slightly? Considerably.

