Unlock GELI partitions at boot through SSH

The next script is even more atrocious because it was directly modified by me...

FIX-ME
Code:
# template on how to get everything clean after a disk failure / change

echo "Please don't run without checking contents first" >&2
exit 1

# Which disk?
geom0=ada0       # the replacement disk
zgeom=zroot0     # GPT label of the ZFS partition on it

good=ada1        # surviving disk, usable as a partition-table template

# applicable lines from CRYPT
gpart create -s gpt $geom0
gpart add -b 64 -s 512k  -t freebsd-boot       $geom0   # p1: boot code
gpart add -l boot0 -s 1G -t freebsd-ufs  -a 4k $geom0   # p2: unencrypted /boot mirror member
gpart add -l swap0 -s 2G -t freebsd-swap -a 4k $geom0   # p3: swap mirror member
gpart add -l $zgeom      -t freebsd-zfs  -a 4k $geom0   # p4: GELI-backed ZFS vdev

# alternatively, copy from good disk
# gpart backup $good | gpart restore $geom0

gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 $geom0

# make gmirrors healthy again
gmirror forget swap
gmirror insert swap ${geom0}p3

gmirror forget boot
gmirror insert boot ${geom0}p2

# needs crypto passphrase
geli init -s 4096 /dev/gpt/$zgeom
geli attach /dev/gpt/$zgeom

# resilver onto the new (attached) GELI provider
zpool replace tank /dev/gpt/${zgeom}.eli

# check status
zpool status -x tank
gmirror list boot | grep ^State
gmirror list swap | grep ^State
 
Unmodified scripts:

DESTROY
Code:
# Used during testing to undo the setup
umount /mnt/xboot
zpool destroy tank
geli detach gpt/zroot

SSH
Code:
# Use this if you want to SSH to the box during setup
mkdir /tmp/etc
mdmfs -s32m -S md /tmp/etc
mount -t unionfs /tmp/etc /etc
passwd root
#dhclient ...
sed -i '' -e 's/^#\(PermitRootLogin\).*/\1 yes/' /etc/ssh/sshd_config
service sshd onestart
 
Just to avoid issues, the scripts above honor the original public domain license:

Code:
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to <http://unlicense.org>

 
The computer should arrive tomorrow... I really hope (better dreaming) the scripts work out-of-the-box...
It would be a shame to fall back on Linux just because it is easier... ☹️
 
Actually those scripts are not absolutely necessary.

Basically they install two systems side by side on one or multiple disks, one unencrypted, the other encrypted. This can also be done with the FreeBSD installer by running it twice on the booted installer system.

First install encrypted "Auto (ZFS) Guided Root-on-ZFS", create a large swap in size of "swap + unencrypted system", let's say 8G swap, 2G for the unencrypted system, 10G in total.

After the encrypted Root-on-ZFS installation has finished, exit and restart the bsdinstall(8) system installer, walk through the menus (keymap, hostname), at the "Partitioning" menu enter "Manual Disk Setup", delete swap, create first a swap, then the unencrypted-system freebsd-ufs partition (set Type, Size, Mountpoint, Label), "Finish" the partition editor, and complete the installation.

Exit the FreeBSD installer, remove BOOT and GELIBOOT flags from the encrypted Root-on-ZFS provider (geli(8) configure -BG <provider>).

The unencrypted UFS system, running the stock sshd, can now be accessed by ssh clients without needing to install security/dropbear. On the positive side, with this method, the unencrypted system can be easily updated/upgraded with system tools without relying on custom scripts.

Note: Alternatively, the unencrypted system can be installed on a USB stick instead. The file system can be ZFS instead of UFS; however, this requires additional steps compared to UFS when unencrypted and encrypted systems are installed on one disk.
 
T-Daemon, thank you very much. I tried with the installer but I wasn't able to achieve anything because I really didn't understand the whole point. I was comparing it with Debian, and I was convinced that I was just creating a boot partition with dropbear to unlock the encrypted one.

Now I get it, I have to perform two installations side-by-side; however, I still need to use Dropbear to unlock the GELI session through SSH...
 
Some updates...

If I leave the freebsd-boot partition from the first (ZFS) installation, the system is unable to boot; and if I delete it and create a new boot partition, it doesn't see the GELI one.

However, I realized that I don't want to follow this route. I want this computer to be like a black box; on the other hand, with two OSes, anyone who runs the mini PC can clearly see there is a FreeBSD OS installed on it. Also, especially if I install the OS on the same disk, I have to take care of two OSes to run the same computer.

It would be cool to directly unlock GELI remotely from SSH; unfortunately it is not yet possible. Having two systems side-by-side looks inconvenient and risky to me. It is very disappointing, but it is the reality... 😭
 
Hi guys, I am returning on this topic because I want to switch badly to FreeBSD.

Recently I learned about ramdisks. I wonder if I could create a small/tiny ramdisk OS exclusively to be mounted, at boot, in read-only mode, providing only SSH/Dropbear as an active service, log in from another computer and then reboot into the real GELI OS.

Does it make sense?
Is it feasible?
Does it require being a veteran pro?

Thanks... 🙏
 

Yes, you can do that with the re-root capability:

For ssh you generally need /etc/passwd and pam. I don't know whether you can easily avoid that.

The problem of course is that you have an exposed root filesystem, your first one.
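The re-root approach mentioned above (a small unencrypted bootstrap system that accepts SSH, then hands over to the encrypted root), written out as an added example. This is not code from this thread or from the FreeBSD project. It is a script meant to be run over SSH from the bootstrap system: it attaches the GELI provider, imports the pool without mounting it, sets the `vfs.root.mountfrom` tunable with kenv(1) and re-roots with `reboot -r`, which is the mechanism reboot(8) documents for switching root filesystems without a full reboot. The provider `gpt/zroot0`, pool `zroot` and dataset `zroot/ROOT/default` are assumed names; importing the pool before re-rooting is a conservative choice on my part. `DRY_RUN=1` prints the plan instead of executing it, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Unlock a GELI-backed ZFS root over SSH and re-root into it (reboot -r).
# Added example; provider/pool/dataset names are assumptions, override via env.
set -eu

PROVIDER="${PROVIDER:-gpt/zroot0}"        # GELI provider (label under /dev/gpt)
POOL="${POOL:-zroot}"                      # pool living on ${PROVIDER}.eli
ROOTFS="${ROOTFS:-zroot/ROOT/default}"     # boot environment to re-root into
DRY_RUN="${DRY_RUN:-0}"                    # 1 = print the plan, do not execute

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reroot_plan: the ordered command sequence, one per line, for the given
# provider, pool and root dataset. A pure function, so it can be reviewed
# (and tested) without touching any device.
reroot_plan() {
    provider=$1 pool=$2 rootfs=$3
    printf '%s\n' \
        "geli attach /dev/${provider}" \
        "zpool import -N ${pool}" \
        "kenv vfs.root.mountfrom=zfs:${rootfs}" \
        "reboot -r"
}

# unlock_and_reroot: drive the plan through run(). With DRY_RUN=1 this
# echoes exactly the lines reroot_plan() produces.
unlock_and_reroot() {
    reroot_plan "$PROVIDER" "$POOL" "$ROOTFS" | while IFS= read -r line; do
        # shellcheck disable=SC2086  (intentional word splitting of the plan line)
        run $line
    done
}

# preflight: refuse to start if we are not root, the provider is missing,
# or it is already attached (a second attach would just fail mid-way).
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -e "/dev/${PROVIDER}" ] || { echo "no /dev/${PROVIDER}" >&2; return 1; }
    [ ! -e "/dev/${PROVIDER}.eli" ] || { echo "${PROVIDER} already attached" >&2; return 1; }
}

# Only act when explicitly asked: "sh reroot.sh --go" (geli will prompt
# for the passphrase on the SSH session's tty).
if [ "${1:-}" = "--go" ]; then
    preflight
    unlock_and_reroot
fi
```

Usage: copy the script onto the bootstrap system, check the plan with `DRY_RUN=1 sh reroot.sh --go` (preflight still applies, so run it as root), then run it without `DRY_RUN` to unlock and re-root. The SSH session is lost at `reboot -r`, since the kernel kills every process and mounts the new root; reconnect once the encrypted system's sshd is up.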
 

Thank you! 🙏

Besides running in read-only mode, I could disable root and thus use doas when it is time to remount in RW mode and do some updates.

This computer is directly connected to another computer through a cross-cable.
 
A serial cable? Then you can unlock your real root filesystem directly via serial console.

It is an ethernet cross cable.

Basically I don't use my office internet to read my personal email or for personal browsing.
I used to, but then I learned this practice is tolerated until your employer looks for an excuse to kick you out.

I am trying to setup this through a VM, but I can't figure out how to do it based on a fresh installation... 🤯
 
Nice thing about ZFS is that you can do anything you want, even encryption of datasets, changing their size limits, and pool scrubbing - at a later time, and turn things on and off at will. You're not restricted to making those decisions at install time, you're not stuck with whatever you decided on at install time.

Just enable SSH at install time, and be careful with ifconfig eth0 up / ifconfig eth0 down. Once you SSH in as regular user, everything can be easily done once you switch to root account.

Well, if OP wants to disable root on that machine, I'd suggest doing a bit of planning and setup beforehand, like making sure the machine is doing the task it needs to BEFORE root gets disabled. And yeah, leaving a backdoor for yourself, just in case - oh, and having notes on how to make use of it, would be nice.
 