Remote solution to decrypt disk at boot - eviltoast

Hi there! I have a little box at home, hosting some little services for personal use under FreeBSD with full disk encryption (geli). I’m never at home and long power outages often occur, so I always need to come back home to type my passphrase to decrypt the disk.

I was searching this week for a solution to do it remotely and found the “poor-guy-kvm” solutions turning a Raspberry-like board (BeagleBone Black in my case) into a HID keyboard. It works fine once the computer has booted, but on reboot, when the passphrase is asked for before it loads the loader menu, nothing. When I plug in an ordinary USB keyboard I can type my passphrase, so the USB module is loaded.

Am I missing something? Am I trying something impossible?

(I could’ve asked on the FreeBSD forum but… have to subscribe, presentation, etc… Long journey)

  • rentar42@kbin.social
    11 months ago

    I’m using encrypted ZFS as the root partition on my server and I’ve (mostly) followed the instructions in point #15 from here: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Bookworm%20Root%20on%20ZFS.html

    This starts dropbear as an SSH server that only has a single task: when someone logs in to it they get asked for the decryption key of the root partition.

    I suspect that this could be adapted to whatever encryption mechanism you use.

    I didn’t follow it exactly, because I didn’t want the “real” SSH host keys of the host to be accessible unencrypted in the initrd, so the “locked host” has a different SSH host key than when it is fully booted, which is preferred for me.
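One way to keep the two host keys apart on the client side, as an added example that is not part of rentar42’s post (the host name, port, user names and key paths are assumptions): each state of the box gets its own alias and its own pinned host key, so the initrd key is never mixed up with the booted-system key.

```ssh-config
# Added example: ~/.ssh/config on the admin's laptop. Host name, port,
# user names and key paths are assumptions, not values from the thread.

# The locked box: dropbear in the initrd, with its own host key pinned in
# a separate known_hosts file so it is never confused with the booted host.
Host box-unlock
    HostName box.example.net
    Port 2222
    User root
    IdentityFile ~/.ssh/id_ed25519_unlock
    HostKeyAlias box-initrd
    UserKnownHostsFile ~/.ssh/known_hosts.initrd
    StrictHostKeyChecking yes

# The fully booted box: the "real" sshd host key, pinned under its own alias
# in the normal known_hosts file.
Host box
    HostName box.example.net
    Port 22
    User admin
    IdentityFile ~/.ssh/id_ed25519
    HostKeyAlias box-booted
    StrictHostKeyChecking yes
```

Record each host key under its alias once, from a trusted path, before relying on this; with StrictHostKeyChecking set to yes a mismatch then aborts the connection instead of prompting, so a changed key is a signal to investigate rather than a warning to click through.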

    • Jean-Mich Much@jlai.lu OP
      11 months ago

      I’ve read that FreeBSD 14 offers ZFS native encryption, so it could work. Maybe it’s time to upgrade, I will see. Thanks!