Skip to content
/ https-keyscript Public

Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.

License

GPL-3.0 license
41 stars 10 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stupidpupil/https-keyscript

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

101 Commits
dist
dist
 
 
src
src
 
 
tests
tests
 
 
tmp
tmp
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.mdown
README.mdown
 
 
build-deb.sh
build-deb.sh
 
 

Repository files navigation

HTTPS Keyscript

Build Status

A keyscript and initramfs-tools helpers to allow a machine with a LUKS-encrypted boot drive to passwordlessly boot by fetching a remote key over HTTPS.

It is intended to protect against information disclosure in the event of accidental loss or untargeted theft - the key can be removed from the webserver as soon as the loss is noticed. It's not at all secure if you're trying to protect yourself against someone deliberately trying to obtain your information.

Features

  • Falls back to asking for a passphrase if the remote key can't be retrieved
  • Compatible with the Plymouth splash screen
  • Caches keys across devices using the kernel keyring

Example

  1. Create keyfile.
dd if=/dev/random bs=1c count=256 | base64 > unencrypted_keyfile
cat unencrypted_keyfile | openssl enc -base64 -aes-256-cbc -md sha256 -e -salt -out encrypted_keyfile -k somepassphrase
rm unencrypted_keyfile
  1. Make encrypted_keyfile available somewhere on a webserver (e.g. https://example.org/encrypted_keyfile).
  2. Install the keyscript and initramfs hooks.
wget https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.1/https-keyscript_1.0.3_all.deb
sudo dpkg -i https-keyscript_1.0.3_all.deb
  1. Add keyfile to LUKS slots.
busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
sudo cryptsetup luksAddKey /dev/someDevice unencrypted_keyfile
rm unencrypted_keyfile
  1. Update the /dev/someDevice entry in /etc/crypttab with the option keyscript=wget_or_ask and with a 'key file' field like somepassphrase:https://example.org/encrypted_keyfile.
  2. sudo update-initramfs -u

(You might also need to add the initramfs option to the crypttab in step 5 due to systemd's lack of support for keyscripts; see the crypttab man page.)

Caching

The keyscript uses the kernel keyring to cache decrypted keys for 60 seconds, avoiding multiple HTTPS requests where multiple devices have the same key file specified in /etc/crypttab. This feature depends on the keyutils package.

Alternatives

Mandos provides a system with better client authentication and automated detection of a client going offline for an unexpected period of time.

netkeyscript uses link-local IPv6 UDP packets with an unencrypted passphrase.

clevis provides a dracut-based unlocker for use with the tang keyserver.

vaultlocker provides helpers for unlocking boot drives using keys stored in Hashicorp Vault.

There are a number of variations on using dropbear or similar to allow remote, but not unattended, restarts with an encrypted boot.

License

This collection of scripts is licensed under the GNU GPLv3.

About

Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.

Topics

debian luks plymouth keyscript mandos

Resources

Readme

License

GPL-3.0 license
Activity

Stars

41 stars

Watchers

7 watching

Forks

10 forks
Report repository

Releases 3

v1.0.3 Latest
Jul 13, 2019
+ 2 releases

Packages

No packages published

Languages