I want to use a self-encrypted boot drive and install mandos to retrieve the key from another machine on the LAN to automatically unlock the drive at boot, as well as dropbear to allow me to remotely enter the password via SSH if the mandos server is down.
This page explains how to use sedutil to lock the drive with a password. It involves writing a Pre-Boot Authentication Linux image to the start of the drive, which prompts for the password and then unlocks the drive and reboots into the OS. I don't think that would be compatible with what I want to do, as there's no initramfs in the PBA image which mandos and dropbear could modify to add the automatic/remote unlocking.
https://sedutil.com/
This page describes an alternative method, where only the root partition is encrypted and the unencrypted boot partition uses a mkinitcpio hook to unlock the drive.
https://wiki.archlinux.org/title/Self-e ... tcpio_hook
However I don't know if using that hook would work together with mandos and dropbear, or if it will only allow for manual local entry of the password.
Here it explains that instead of using sedutil, cryptsetup can be used with the --hw-opal-only switch to lock a partition. Would doing that for the root partition, with a separate unencrypted boot partition, mean that the normal Linux password entry process is used, such that installing mandos and dropbear to modify the initramfs would result in the automatic and remote unlock methods working?
https://wiki.archlinux.org/title/Self-e ... cryptsetup
Statistics: Posted by dmdb71 — 2024-10-08 00:56 — Replies 0 — Views 8
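The following is an added example, not part of the post above and not taken from the sedutil or cryptsetup projects. It writes down the cryptsetup-based OPAL setup the post asks about as shell functions, so that the destructive steps are never run by accident and the two helper checks can be exercised offline. It assumes cryptsetup 2.7 or newer built with OPAL support (the `HW_OPAL` token in `cryptsetup --version` is what such builds print; confirm against your own binary), a kernel with `CONFIG_BLK_SED_OPAL`, and a GPT disk where `/dev/nvme0n1p1` is the unencrypted boot partition and `/dev/nvme0n1p2` becomes the OPAL-locked root; the device names, the mapper name `cryptroot` and the sample version strings are placeholders chosen for the example. Because `--hw-opal-only` produces a regular LUKS2 header, the root is opened with the same `cryptsetup open` that an initramfs `encrypt` hook runs, which is why the example also emits the matching `cryptdevice=` kernel parameter; how mandos or dropbear plug into that initramfs is not shown here.

```bash
#!/bin/bash
# Added example: OPAL-only LUKS2 root via cryptsetup, kept in functions so nothing
# destructive runs when the file is sourced. Device names are placeholders.
set -u

# Return 0 if a "cryptsetup --version" line describes a build that supports
# --hw-opal-only: version 2.7 or newer and the HW_OPAL flag present.
# The line is passed in as an argument so the check can be tested offline
# with constructed strings instead of calling the real binary.
supports_hw_opal() {
    local line="$1" ver major minor
    ver=$(printf '%s\n' "$line" | sed -n 's/^cryptsetup \([0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }; then
        case "$line" in *HW_OPAL*) return 0 ;; esac
    fi
    return 1
}

# Kernel command line for mkinitcpio's encrypt hook: it opens the LUKS2 device
# named by UUID as /dev/mapper/<name> and the system then mounts that as root.
kernel_cmdline() {
    local uuid="$1" name="${2:-cryptroot}"
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s\n' "$uuid" "$name" "$name"
}

# Destructive: format the root partition as LUKS2 with the OPAL locking range
# doing the encryption (no dm-crypt layer), then open it and create the
# filesystem. cryptsetup prompts for the LUKS passphrase and the OPAL admin
# password. Never called at top level; run it by hand from a live system.
format_opal_root() {
    local dev="${1:-/dev/nvme0n1p2}" name="${2:-cryptroot}"
    supports_hw_opal "$(cryptsetup --version)" || {
        echo "cryptsetup without OPAL support; need >= 2.7 built with HW_OPAL" >&2
        return 1
    }
    cryptsetup luksFormat --type luks2 --hw-opal-only "$dev"
    # Same command the initramfs hook issues at boot.
    cryptsetup open "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"
    # Print the kernel parameter to add to the boot loader entry.
    kernel_cmdline "$(cryptsetup luksUUID "$dev")" "$name"
}

# Usage (from a live environment, after backing up the disk):
#   source this_file.sh && format_opal_root /dev/nvme0n1p2 cryptroot
# Then set HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)
# in /etc/mkinitcpio.conf, rebuild the initramfs, and add the printed cryptdevice= line.
```

The version check is deliberately separate from the format step: `--hw-opal-only` is silently unknown to older cryptsetup builds, so failing early on the version string is cheaper than discovering the problem at `luksFormat` time.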