Unlock GELI partitions at boot through SSH

The next script is even more atrocious because it was directly modified by me...

FIX-ME
Code:
# template on how to get everything clean after a disk failure / change

echo "Please don't run without checking contents first" >&2
exit 1

# Which disk?
geom0=ada0
zgeom=zroot0

good=ada1

# applicable lines from CRYPT
# (partition indices follow creation order: p1 boot code, p2 boot0, p3 swap0, p4 zroot0)
gpart create -s gpt $geom0
gpart add -b 64 -s 512k  -t freebsd-boot       $geom0
gpart add -l boot0 -s 1G -t freebsd-ufs  -a 4k $geom0
gpart add -l swap0 -s 2G -t freebsd-swap -a 4k $geom0
gpart add -l zroot0      -t freebsd-zfs  -a 4k $geom0

# alternatively, copy the partition table from the good disk
# gpart backup $good | gpart restore $geom0

gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 $geom0

# make gmirrors healthy again
gmirror forget swap
gmirror insert swap ${geom0}p3

gmirror forget boot
gmirror insert boot ${geom0}p2

# needs crypto passphrase
geli init -s 4096 /dev/gpt/$zgeom
geli attach /dev/gpt/$zgeom

zpool replace tank /dev/gpt/${zgeom}.eli

# check status
zpool status -x tank
gmirror list boot | grep ^State
gmirror list swap | grep ^State
 
Unmodified scripts:

DESTROY
Code:
# Used during testing to undo the setup
umount /mnt/xboot
zpool destroy tank
geli detach gpt/zroot

SSH
Code:
# Use this if you want to SSH to the box during setup
# (the installer's root is read-only, so overlay a RAM-backed unionfs on /etc;
# everything changed below is lost at reboot)
mkdir /tmp/etc
mdmfs -s 32m -S md /tmp/etc
mount -t unionfs /tmp/etc /etc
passwd root
#dhclient ...
sed -i '' -e 's/^#\(PermitRootLogin\).*/\1 yes/' /etc/ssh/sshd_config
service sshd onestart
 
Just to avoid issues, the scripts above honor the original public domain license:

Code:
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to <http://unlicense.org>

Sources:

 
The computer should arrive tomorrow... I really hope (better dreaming) the scripts work out-of-the-box...
It would be a shame to fall back on Linux just because it is easier... ☹️
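The disk-replacement template above hardcodes the partition indices (p2 for the boot mirror, p3 for swap) and warns not to run it unchecked. The following preflight is an added example, not the thread's script: it derives each index from the GPT labels in `gpart show -l` output and refuses when a label is missing or duplicated, so the gmirror/geli/zpool lines cannot silently hit the wrong partition. The labels boot0/swap0/zroot0, the pool name tank and the disk name ada0 are taken from the template; the two `gpart show -l` outputs are constructed samples (one healthy layout, one with a leftover duplicate label).

```shell
#!/bin/sh
# Added example (not the thread's script): preflight for the disk-replacement
# template. Indices come from labels instead of being hardcoded, and a missing
# or duplicated label aborts the plan before anything touches the disk.

# Constructed sample of `gpart show -l ada0` after the template's gpart add lines;
# on a live system use: gpart show -l "$geom0"
SAMPLE_GPART_OUT='=>       40  488397088  ada0  GPT  (233G)
         40         24        - free -  (12K)
         64       1024     1  (null)  (512K)
       1088    2097152     2  boot0  (1.0G)
    2098240    4194304     3  swap0  (2.0G)
    6292544  482104576     4  zroot0  (230G)
  488397120          8        - free -  (4.0K)'

# Constructed sample with a duplicated label (e.g. a leftover from an older
# layout); the plan must refuse this rather than pick one of the two.
SAMPLE_DUP_OUT='=>       40  488397088  ada0  GPT  (233G)
         64       1024     1  (null)  (512K)
       1088    2097152     2  swap0  (1.0G)
    2098240    4194304     3  swap0  (2.0G)
    6292544  482104576     4  zroot0  (230G)'

# label_index OUTPUT LABEL
# Prints the index of the single partition carrying LABEL; exits 1 when the
# label is absent or appears more than once. Partition lines carry a numeric
# index in field 3 and the label in field 4; the "=>" header line and the
# "- free -" lines are skipped.
label_index() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "=>" && $3 ~ /^[0-9]+$/ && $4 == want { found[n++] = $3 }
        END {
            if (n != 1) exit 1
            print found[0]
        }'
}

# rebuild_plan DISK OUTPUT
# Emits the template's mirror/geli/zpool commands with indices taken from the
# labels. Nothing is executed here; read the plan before feeding it to sh.
rebuild_plan() {
    disk=$1
    out=$2
    boot=$(label_index "$out" boot0)  || { echo "boot0: missing or duplicated on $disk" >&2; return 1; }
    swap=$(label_index "$out" swap0)  || { echo "swap0: missing or duplicated on $disk" >&2; return 1; }
    zfs=$(label_index "$out" zroot0)  || { echo "zroot0: missing or duplicated on $disk" >&2; return 1; }
    printf 'gmirror insert boot %sp%s\n' "$disk" "$boot"
    printf 'gmirror insert swap %sp%s\n' "$disk" "$swap"
    printf 'geli init -s 4096 /dev/gpt/zroot0   # %sp%s\n' "$disk" "$zfs"
    printf 'geli attach /dev/gpt/zroot0\n'
    printf 'zpool replace tank /dev/gpt/zroot0.eli\n'
}

# Stand-alone run: print the plan for the healthy sample.
# Live usage would be: rebuild_plan ada0 "$(gpart show -l ada0)"
rebuild_plan ada0 "$SAMPLE_GPART_OUT"
```

The plan is printed rather than executed on purpose: the template's own guard (`exit 1` before any command) exists because the commands are destructive, and a derived plan you can read before piping into sh keeps that property.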
 
Actually those scripts are not absolutely necessary.

Basically they install two systems side by side on one or multiple disks, one unencrypted, the other encrypted. This can also be done with the FreeBSD installer by running it twice on the booted installer system.

First, install the encrypted "Auto (ZFS) Guided Root-on-ZFS" system and create a large swap sized "swap + unencrypted system", let's say 8G swap, 2G for the unencrypted system, 10G in total.

After the encrypted Root-on-ZFS installation has finished, exit and restart the bsdinstall(8) system installer, walk through the keymap and hostname menus, at the "Partitioning" menu enter "Manual Disk Setup", delete the swap, create first a swap, then the unencrypted-system freebsd-ufs partition (set Type, Size, Mountpoint, Label), "Finish" the partition editor, and complete the installation.

Exit the FreeBSD installer, remove the BOOT and GELIBOOT flags from the encrypted Root-on-ZFS provider (geli(8) configure -BG <provider>).

The unencrypted UFS system, running the stock sshd, can now be accessed by ssh clients without needing to install security/dropbear. On the positive side, with this method the unencrypted system can be easily updated/upgraded with system tools without relying on custom scripts.

Note: Alternatively, the unencrypted system can be installed on a USB stick instead. The file system can be ZFS instead of UFS; however, this requires additional steps compared to UFS when installing unencrypted and encrypted systems on one disk.
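The step that makes this layout boot into the unencrypted system is clearing the BOOT and GELIBOOT flags with `geli configure -BG`; if either flag stays set, boot still stops at a passphrase prompt on the console. The script below is an added example, not T-Daemon's or the project's code: it parses `geli list` output and reports whether the flags are really gone for a given provider. The provider name ada0p4.eli and the two `geli list` outputs (before and after the configure step) are constructed samples; on a live system pass `"$(geli list)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify that BOOT and GELIBOOT were
# removed from the encrypted Root-on-ZFS provider after
#   geli configure -BG <provider>
# by reading the "Flags:" line of that geom in `geli list` output.

# Constructed sample of `geli list` before geli configure -BG.
# The provider name ada0p4.eli is an assumption for the example.
SAMPLE_BEFORE='Geom name: ada0p4.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: software
Version: 7
UsedKey: 0
Flags: BOOT, GELIBOOT
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada0p4.eli
Consumers:
1. Name: ada0p4'

# Constructed sample after geli configure -BG: only the Flags line differs.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/^Flags: .*/Flags: NONE/')

# geli_flags OUTPUT GEOM
# Prints the Flags value of GEOM (e.g. "BOOT, GELIBOOT" or "NONE"), or nothing
# when GEOM does not appear in OUTPUT. `geli list` may show several geoms, so
# the current "Geom name:" is tracked and only its Flags line is used.
geli_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Geom" && $2 == "name:" { cur = $3 }
        $1 == "Flags:" && cur == want {
            $1 = ""; sub(/^ +/, ""); print; exit
        }'
}

# has_geli_flag OUTPUT GEOM FLAG: returns 0 when FLAG is set on GEOM, 1 otherwise.
has_geli_flag() {
    geli_flags "$1" "$2" | tr ',' '\n' | tr -d ' ' | grep -qx "$3"
}

# console_prompt_disabled OUTPUT GEOM
# Returns 0 when neither BOOT nor GELIBOOT is set, i.e. boot will not stop at
# a passphrase prompt and the unencrypted UFS system comes up; 1 otherwise.
console_prompt_disabled() {
    if has_geli_flag "$1" "$2" BOOT || has_geli_flag "$1" "$2" GELIBOOT; then
        return 1
    fi
    return 0
}

# Stand-alone run over both constructed samples.
# Live usage: console_prompt_disabled "$(geli list)" ada0p4.eli
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    flags=$(geli_flags "$sample" ada0p4.eli)
    if console_prompt_disabled "$sample" ada0p4.eli; then
        echo "ada0p4.eli: Flags '$flags' -> no passphrase prompt at boot, UFS system boots"
    else
        echo "ada0p4.eli: Flags '$flags' -> boot still prompts; run: geli configure -BG ada0p4"
    fi
done
```

Run this after the configure step and again after any later `geli` maintenance, since `geli configure -b`/`-g` on the same provider would silently bring the prompt back.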
 
T-Daemon, thank you very much. I tried with the installer but I wasn't able to achieve anything because I really didn't understand the whole point. I was comparing it with Debian, and I was convinced that I was just creating a boot partition with dropbear to unlock the encrypted one.

Now I get it, I have to perform two installations side by side; however, I still need to use Dropbear to unlock the GELI session through SSH...
 
Some updates...

If I leave the freebsd-boot partition from the first (ZFS) installation, the system is unable to boot; and if I delete it and create a new boot partition, it doesn't see the GELI one.

However, I realized that I don't want to follow this route. I want this computer to be like a black box; on the other hand, with two OSes, anyone who runs the mini PC can clearly see there is a FreeBSD OS installed on it. Also, especially if I install the OS on the same disk, I have to take care of two OSes to run the same computer.

It would be cool to directly unlock GELI remotely from SSH; unfortunately it is not yet possible, and having two systems side by side looks inconvenient and risky to me. It is very disappointing but it is the reality... 😭
 