UnGeli On Stick

fr33bsd


Hi People,

Using FreeBSD you can encrypt the system pool zroot. But then you have to enter the passphrase on each boot-up.

Please, excuse that I do not know that much about geli and the boot up mechanisms in freebsd. I am still learning.

As far as I know you can use key files to attach a geli device, but how do I combine that with a USB stick?

Is it possible? I mean, you have to enter the geli passphrase for zroot before the kernel gets loaded, right?

I have been searching for information about that topic, but I only found some kind of strange solutions consisting of some sort of "freebsd on usb stick zroot" ...

I would like to know if there is a solution for using a USB stick to unlock the zroot pool, so on each system boot you can just use your USB stick to unlock the system or enter the passphrase using IPMI.

I know there is some script for LUKS on Linux. I tried it and it worked on Linux. But Linux is no option here ;)

I think it is possible to modify the boot-up routine of FreeBSD, so additional encrypted disks could be unlocked automatically by an attached USB stick with a key file on it.

Of course, it is recommended to remove the USB stick from the system once it is "unlocked". ;) The main purpose is only to decrypt zroot to boot the machine, not to decrypt any other additional encrypted partitions.

mtu


Yes, it is possible to use a USB stick that contains a keyfile for geli to unlock a volume. You can find tutorials on how to do this. IPMI is another solution, but only for supporting hardware.

Basically, your question is as old as encryption itself: How can I unlock a system remotely?

My personal solution is rather complicated, but I like it: Having an "outer" system that boots without encryption, and using it to unlock the "inner" system that is encrypted. I describe it here:

fr33bsd


Hi mtu,

and thanks for the reply.

Yes, it is possible to use a USB stick that contains a keyfile for geli to unlock a volume. You can find tutorials on how to do this.
OK, I'll try to find a working one. ;) Starting the search here in the forum.

Basically, your question is as old as encryption itself: How can I unlock a system remotely?
Not quite, or only indirectly. In the first place, I had the idea of using a USB stick like a key in the real world. Just imagine you have to do some maintenance on an encrypted machine (remotely or not ;)). This implies multiple reboots of the system. Entering the passphrase a few times in a short time is exhausting, isn't it? ;)

Thanks for the link. In fact, it looks a little complicated, but it seems to be a good concept.
It does provide encryption at rest, so all user data and the inner base system (except /boot) should be locked and protected:
  • when the system is powered down,
  • after a reboot (before unlocking),
  • on the physical drives when removed.
But if I understand it correctly, ZFS RAID on zroot is not supported, so you need a hardware RAID1 controller for the two system disks (for the inner and outer system).
:-/

mtu


But if I understand it correctly, ZFS RAID on zroot is not supported, so you need a hardware RAID1 controller for the two system disks (for the inner and outer system).
:-/
In a sense, nothing is 'supported' with freebsd-outerbase, because it's just a script I wrote and used for myself, and then put online.

But: With the right modifications, it's perfectly possible to use it with a raidz pool on geli-encrypted devices.

In any case, I wouldn't recommend using the scripts until you understand ZFS and FreeBSD well enough to adapt them for yourself. Otherwise, you'll be helpless when it comes to adaptations and troubleshooting.
fr33bsd


BTW: I am aware of security issues. The idea of unlocking a system partition with a USB stick to make a system come up does not imply throwing away security by additionally unlocking other pools that should be protected with that USB stick. Meaning: in this thread, the USB stick is supposed to be used only as an additional option next to the passphrase to unlock a system so it can come up. Just in case somebody starts talking about security issues like here ;)

An unencrypted zroot is less secure than an encrypted zroot that is decrypted by entering a passphrase or by plugging in a USB stick with a key file.
fr33bsd


Regarding how-tos: in this forum, I just found some dead-ended threads on the topic "unlock with usb". Please correct me if I used the search function the wrong way ... ;)

one
two
...
other one, but not the intended solution
n-th dead-ended one

BTW: Regarding security concerns: ;) There should also be some hardware-encrypted USB sticks, I guess, so the key file does not have to be stored in plaintext. (See USB sticks with keypad, MIL-STD-810F, FIPS 140-2 Level 3, 256-bit AES encryption like IS-FL-DA-256-4.)
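The "keyfile on a stick as an additional option next to the passphrase" layout mtu confirms and fr33bsd asks for maps directly onto geli's two key slots: slot 0 keeps the passphrase, slot 1 holds a keyfile-only key that lives on the USB stick. The script below is an added example, not code from this thread or from freebsd-outerbase; provider and key paths are placeholders, and it only wraps geli(8) commands (setkey, attach, delkey) that exist as shown. The keyfile_ok check refuses keys of the wrong size or with group/other permission bits, which is the check to run before trusting a stick.

```shell
#!/bin/sh
# Added example (not from the thread): geli volume with two key slots,
# slot 0 = passphrase, slot 1 = 64-byte keyfile kept on a USB stick.
# Provider names and key paths are placeholders chosen for illustration.
set -u

# Generate a 64-byte random keyfile, readable only by its owner.
new_keyfile() {
    f=$1
    ( umask 077; dd if=/dev/random of="$f" bs=64 count=1 2>/dev/null ) || return 1
    chmod 0600 "$f"
}

# Sanity-check a keyfile before trusting it: regular file, exactly
# 64 bytes, and no group/other permission bits set.
keyfile_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -eq 64 ] || return 1
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || return 1
}

# Add the USB keyfile as key slot 1 without a passphrase (-P); geli
# asks once for the slot-0 passphrase to authorise the change.
usb_slot_add() {
    prov=$1; key=$2
    keyfile_ok "$key" || return 1
    geli setkey -n 1 -K "$key" -P "$prov"
}

# Attach using only the USB keyfile (-p: no passphrase prompt).
usb_slot_attach() {
    prov=$1; key=$2
    keyfile_ok "$key" || return 1
    geli attach -k "$key" -p "$prov"
}

# Lost or retired stick: drop slot 1, the passphrase slot stays intact.
usb_slot_revoke() {
    geli delkey -n 1 "$1"
}

# Usage sketch (placeholders): new_keyfile /mnt/usb/zdata.key
#   usb_slot_add /dev/da1p1 /mnt/usb/zdata.key
#   usb_slot_attach /dev/da1p1 /mnt/usb/zdata.key
```

This covers volumes attached after the kernel is up (for example via rc.conf's geli_devices); the loader's own pre-kernel unlock of zroot that the thread asks about is a separate step and is not covered here.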
