Other UnGeli On Stick

fr33bsd

fr33bsd

Hi People,

using freebsd you can encrypt the system pool zroot. But then you have to enter the passphrase on each boot-up.

Please, excuse that I do not know that much about geli and the boot up mechanisms in freebsd. I am still learning.

As far as I know you can use key files to attach a geli device, but how to combine it to be able to use it with a usb stick?

Is it possible? I mean, you have to enter the geli passphrase for zroot before the kernel gets loaded, right?

I have been searching information about that topic, but I only found some kind of strange solutions consisting of sort of "freebsd on usb stick zroot" ... :what:

I would like to know if there is a solution regarding using a usb stick to unlock the zroot pool, so on each system boot you can just use your usb stick to unlock the system or enter the passphrase using IPMI.

I know there is some script for luks in linux. I tried it and it worked on linux. But linux is no option here ;)

I think it is possible to modify the boot up routine of freebsd, so additional encrypted disks could be unlocked automatically by an attached usb stick with a key file on it.

Of course, it is recommended to remove the usb stick from the system, once, it is "unlocked". ;) Main purpose is only to decrypt zroot to boot the machine, not to decrypt any other additional crypted partitions.
 
Yes, it is possible to use a USB stick that contains a keyfile for geli to unlock a volume. You can find tutorials on how to do this. IPMI is another solution, but only for supporting hardware.

Basically, your question is as old as encryption itself: How can I unlock a system remotely?

My personal solution is rather complicated, but I like it: Having an "outer" system that boots without encryption, and using it to unlock the "inner" system that is encrypted. I describe it here:

github.com

GitHub - emtiu/freebsd-outerbase: install script for a remote-unlockable FreeBSD system with geli-encrypted root-on-zfs

install script for a remote-unlockable FreeBSD system with geli-encrypted root-on-zfs - emtiu/freebsd-outerbase
github.com github.com
 
Hi mtu,

and thanks for reply.

Yes, it is possible to use a USB stick that contains a keyfile for geli to unlock a volume. You can find tutorials on how to do this.
Click to expand...
Ok, I try to find a working one. ;) Starting the search here in the forum.

Basically, your question is as old as encryption itself: How can I unlock a system remotely?
Click to expand...
Not quite, say indirectly. In the first place, I had the idea of using an USB stick like a key in the real world. Just imagine you have to do some maintainance of an encrypted machine (remotely or not ;)). This implies multiple reboots of the system. Entering passphrase few times during short time is exhausting, isn't it? ;)

Thanks for the link. In fact, it looks little complicated, but it seems to be a good concept.
It does provide encryption at rest, so all user data and the inner base system (except /boot) should be locked and protected:
  • when the system is powered down,
  • after a reboot (before unlocking),
  • on the physical drives when removed.
Click to expand...
But when I understand it correctly, zfs raid on zroot is not supported, so you need a hardware raid1 controler for the two system disks (for the inner and outer system).
:-/
 
fr33bsd said:
But when I understand it correctly, zfs raid on zroot is not supported, so you need a hardware raid1 controler for the two system disks (for the inner and outer system).
:-/
Click to expand...
In a sense, nothing is 'supported' with freebsd-outerbase, because it's just a script I wrote and used for myself, and then put online.

But: With the right modifications, it's perfectly possible to use it with a raidz pool on geli-encrypted devices.

In any case, I wouldn't recommend using the scripts until you understand ZFS and FreeBSD well enough to adapt them for yourself. Otherwise, you'll be helpless when it comes to adaptations and troubleshooting.
 
BTW: I am aware of security issues. The idea of unlocking a system partition with an usb stick to make a system come up does not imply wasting security by additional unlocking of other pools that should be protected with that usb stick. Meaning: in this thread, usage of usb stick is supposed to be used only as an additional option next to passphrase to unlock a system to come up. Just in case somebody starts talking about security issues like here ;)

An unencrypted zroot is less secure than an encrypted zroot, that is supposed to be decrypted by entering passphrase or by pluging in a usb stick with a key file.
 
Regarding how-to's. In this forum, I just found some dead ended threads regarding the topic "unlock with usb". Please, correct me, if I used the search function the wrong way ... ;)

one
two
...
other one, but not the intended solution
n-th dead ended one

BTW: Regarding security concerns: ;) There also should be some hardware crypted usb sticks, I guess, so the key file does not have to be stored in plaintext. (see usb sticks with Keypad, MIL-STD-810F, FIPS 140-2 Level 3, 256bit AES-encryption like IS-FL-DA-256-4)

 
You must log in or register to reply here.
Back
Top