
SSH remote ZFS unlocking?

Open · sotiris-bos opened this issue 2 years ago · 1 comment

Hello, this is not an issue but a question/request.

Is there a way to enable SSH to remotely unlock an encrypted ZFS root at boot? I could not find any related documentation.

Something like this dracut module but for booster: https://github.com/gsauthof/dracut-sshd

Thanks

sotiris-bos, Oct 13 '22 13:10

Hi

Booster does not support SSH for remote unlocking. It is a large and complex protocol. Instead, booster supports Tang/EMCR protocol that is much simpler and easier (and does not expose a remote shell). See https://github.com/anatol/booster/issues/24

But the first step here would be implementing ZFS encryption support with a keyfile stored in the image. That's something I need to look at first.

The next step would be to implement handling this file as clevis-encrypted data.

Once it is implemented, you can easily add different locking policies for your ZFS dataset e.g.:

  1. network binding - your zfs will automatically unlock only in the presence of a key server in your local network
  2. remote unlocking with tang (it is the equivalent of the ssh unlocking you ask about)
  3. TPM unlocking
  4. Yubikey unlocking

anatol, Oct 13 '22 22:10
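The Tang exchange anatol refers to (the McCallum-Relyea scheme behind Tang/clevis), as an added toy example that is not code from booster, Tang or clevis: it assumes a small multiplicative group mod a safe prime in place of the elliptic-curve group real Tang uses, and the ZFS key-file wrapping step is reduced to deriving the wrapping key. It shows why the server never sees a shell, the key, or even the client's stored value.

```python
# Toy McCallum-Relyea exchange (the protocol behind Tang/clevis) in a
# multiplicative group mod a small safe prime. Real Tang works over an
# elliptic curve; P, Q and G here are toy values, not usable parameters.
import hashlib
import secrets

P = 1019   # toy safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup we work in
G = 4      # generator of the order-Q subgroup (a square mod P)


def keygen():
    """Return (private, public) = (x, G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def provision(server_pub):
    """Image build time: derive a wrapping key from the server's public
    key. Only C and S survive in the image; c and the key are forgotten."""
    c, C = keygen()
    shared = pow(server_pub, c, P)           # K = S^c = G^(s*c)
    key = hashlib.sha256(shared.to_bytes(2, "big")).digest()
    return key, {"client_pub": C, "server_pub": server_pub}


def recover_blinded_request(meta):
    """Boot time: blind C with an ephemeral E so the server never learns C
    and cannot recompute K by itself."""
    e, E = keygen()
    X = (meta["client_pub"] * E) % P         # X = C * E
    return e, X


def server_respond(server_priv, X):
    """Tang side: the only operation the key server performs."""
    return pow(X, server_priv, P)            # Y = X^s


def recover_unblind(meta, e, Y):
    """Boot time: strip the blinding, K = Y / S^e = G^(s*c)."""
    blind = pow(meta["server_pub"], e, P)
    shared = (Y * pow(blind, -1, P)) % P     # modular inverse (Python 3.8+)
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()


def demo():
    """Full round trip; True when the boot-time key matches the build-time key."""
    s, S = keygen()
    key_at_build, meta = provision(S)
    e, X = recover_blinded_request(meta)
    key_at_boot = recover_unblind(meta, e, server_respond(s, X))
    return key_at_build == key_at_boot
```

Because the key only reappears when the server holding `s` answers, unplugging or retiring that server is the "network binding" policy from the list above.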