Remote solution to decrypt disk at boot - eviltoast

Hi there ! I have a little box at home, hosting some little services for personal use under freebsd with a full disk encryption (geli). I’m never at home and long power outage often occurs so I always need to come back home to type my passphrase to decrypt the disk.

I was searching this week a solution to do it remotely and found the “poor-guy-kvm” solutions turning a Raspberry like board (beaglebone black in my case) in a hid keyboard. It works fine once the computer has booted but once reboot when the passphrase is asked before it loads the loader menu, nothing. When I plug an ordinary USB keyboard I can type my passphrase so USB module is loaded.

Am I missing something ? Am I trying something impossible ?

(I could’ve asked on freebsd forum but… Have to suscribe, presentation, etc… Long journey)

  • raldone01@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    1 year ago

    Yes. That is possible. However if the hardware configuration/software configuration changes the TPM should trip and prevent decryption.

    The attackers would have to break you ssh/terminal/lock screen/other insecure software. However code injection should be impossible because you used custom secure boot keys and ideally a signed unified kernel image. (Can’t even change kernel params without tripping TPM.)

    You would not be safe if they did a bus listening attack or if your shell pwd is not safe. If that is your threat vector this may not be a good option for you.