Home / server / Questions / 412857
Accepted
altman
Asked: 2012-08-01 05:22:19 +0800 CST

FreeBSD encryption concept: automatic boot without password or key, when mounted by another system?

  • 772

Recently, i installed FreeBSD for work and geli for encryption. (Full disk encyrption without boot partition.) When I finished getting it setup, I found that every time it boots, I need to enter the parse password to mount the root disk.

This is not for my needs. I just want my system to boot automatically, so i can ssh to it. But when others shutdown my machine, and try to use another freeBSD system to mount my disk, they can't. If they mount the partition with another FreeBSD system, they can only see /boot dir. All files are secure!

Is my concept possible? (To have an encrypted system boot automatically if mounted by another system?) And if so, how do I do it with freeBSD?

freebsd

3 Answers

  1. Best Answer

    tl:dr: No

    If you want the key to be used automatically on boot then the key must be accessible on boot. Which means on the unencrypted part of the disk.

    If it is on the unencrypted part of the disk then other can take the disk out of your system, read the key and decrypt the rest of the disk.

    There is no way to properly protect the disk and not to store the key.

    • 3

  2. No. If you wish to decrypt it automatically, you need to have your password stored on the disk in cleartext, or obscured in some (bad) way. Someone with enough willpower will be ably to get that password easily. If only "/boot" is unencrypted, the password has to be there, and the attacker just has to find it.

    If you just don't wish to be physically present to unlock the server, it could be solved by having an unencrypted system installation, which would boot, start services like ssh which would enable you to unlock the data partition from a remote location.

    • 1

  3. I've had a similar problem, which I solve by only encrypting /home. The trouble is /etc/rc.d/geli wants to mount it before continuing with the boot. A kludge would be the do the mount manually post-boot, but I like the way in which it proposes to do it at boot time - I just want the network to start first, since /, /var and /usr aren't encrypted.

    I thus put this:

    /dev/ada0p7.eli /home ufs rw,noauto 0 0

    in /etc/fstab

    Created matching "l" options in rc.conf: lgeli_devices="ada0p7" lgeli_ada0p7_flags="-k /etc/geli/server.key" lgeli_ada0p7_autodetach="NO"

    and then lgeli in /etc/rc.d, like so:

    #!/bin/sh

# PROVIDE: lgeli
# REQUIRE: sshd
# KEYWORD: nojail

. /etc/rc.subr

lgeli_make_list()
{
        local devices devices2
        local provider

        devices="${lgeli_devices}"

        for provider in ${devices}; do
                provider=${provider%.eli}
                provider=${provider#/dev/}
                devices2="${devices2} ${provider}"
        done

        echo ${devices2}
}

name="lgeli"
start_precmd='[ -n "$(lgeli_make_list)" ]'
start_cmd="lgeli_start"
stop_cmd="lgeli_stop"
required_modules="geom_eli:g_eli"

lgeli_start()
{
        devices=`lgeli_make_list`

        if [ -z "${lgeli_tries}" ]; then
                if [ -n "${lgeli_attach_attempts}" ]; then
                        # Compatibility with rc.d/gbde.
                        lgeli_tries=${lgeli_attach_attempts}
                else
                        lgeli_tries=`${SYSCTL_N} kern.geom.eli.tries`
                fi
        fi

        for provider in ${devices}; do
                provider_=`ltr ${provider} '/-' '_'`

                eval "flags=\${lgeli_${provider_}_flags}"
                if [ -z "${flags}" ]; then
                        flags=${lgeli_default_flags}
                fi
                if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
                        echo "Configuring Disk Encryption for ${provider}."
                        count=1
                        while [ ${count} -le ${lgeli_tries} ]; do
                                geli attach ${flags} ${provider}
                                if [ -e "/dev/${provider}.eli" ]; then
                                        # LOUIS line below, so long as
                                        # /etc/fstab... noauto line
                                        # present, this works
                                        mount "/dev/${provider}.eli"
                                        break
                                fi
                                echo "Attach failed; attempt ${count} of ${lgeli_tries}."
                                count=$((count+1))
                        done
                fi
        done
}

lgeli_stop()
{
        devices=`lgeli_make_list`

        for provider in ${devices}; do
                if [ -e "/dev/${provider}.eli" ]; then
                        umount "/dev/${provider}.eli" 2>/dev/null
                        geli detach "${provider}"
                fi
        done
}

load_rc_config $name
run_rc_command "$1"

    This way, it's fairly clean, and not too much of a kludge. The mount command in lgeli ensures that the noauto stuff is mounted if geli'd. A bit ugly, but to me the main thing is, I can log in remotely and rescue my desktop from being inaccessible after a power failure, which was the default mode otherwise!

    • 0