stupidpupil / Https Keyscript

Licence: gpl-3.0
Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.

HTTPS Keyscript

A keyscript and initramfs-tools helpers to allow a machine with a LUKS-encrypted boot drive to passwordlessly boot by fetching a remote key over HTTPS.

It is intended to protect against information disclosure after accidental loss or untargeted theft: as soon as the loss is noticed, the key can be removed from the webserver, after which the keyscript falls back to asking for a passphrase. It is not at all secure against someone deliberately trying to obtain your information, and the window between the loss and the removal is unprotected: the crypttab entry holding the passphrase and URL is copied into the initramfs, which has to be readable for an unattended boot, so whoever has the machine can fetch and decrypt the key for as long as the webserver serves it. The passphrase on the keyfile only keeps the key secret from the webserver and from anyone else who can fetch the URL.

Features

  • Falls back to asking for a passphrase if the remote key can't be retrieved
  • Compatible with the Plymouth splash screen
  • Caches keys across devices using the kernel keyring

Example

  1. Create keyfile.
     dd if=/dev/random bs=1c count=256 | base64 > unencrypted_keyfile
     openssl enc -base64 -aes-256-cbc -md sha256 -e -salt -in unencrypted_keyfile -out encrypted_keyfile -k somepassphrase
     rm unencrypted_keyfile
     (-k puts the passphrase into your shell history and, while openssl runs, into the process list; openssl's -pass option can read it from a file, a file descriptor or the environment instead. Whatever you choose, keep the cipher, -md and -base64 options as shown, because the keyscript decrypts with them.)
  2. Make encrypted_keyfile available somewhere on a webserver (e.g. https://example.org/encrypted_keyfile).
  3. Install the keyscript and initramfs hooks.
     wget https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.1/https-keyscript_1.0.1_all.deb
     sudo dpkg -i https-keyscript_1.0.1_all.deb
  4. Add the keyfile to a LUKS key slot. The keyscript is run by hand here so that the bytes added to the slot are exactly the bytes it will produce at boot; cryptsetup will ask for an existing passphrase of the device.
     busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
     sudo cryptsetup luksAddKey /dev/someDevice unencrypted_keyfile
     rm unencrypted_keyfile
  5. Update the /dev/someDevice entry in /etc/crypttab with the option keyscript=wget_or_ask and with a 'key file' field like somepassphrase:https://example.org/encrypted_keyfile.
  6. sudo update-initramfs -u

(You might also need to add the initramfs option to the crypttab entry in step 5, which forces the device to be unlocked from the initramfs, because systemd's cryptsetup support has no concept of keyscripts; see the crypttab man page.)
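The procedure above exercised end to end on a local copy of the keyfile, so the round trip can be checked before anything is added to a LUKS slot. This is an added example and not code from the https-keyscript project: the openssl parameters are the README's and must match what the installed keyscript uses, but the function names, the file:// case that stands in for the webserver, passing the passphrase in the HK_PASSPHRASE environment variable (openssl -pass env:) instead of -k, refusing plain http:// URLs, and reading the fallback passphrase from stdin instead of /lib/cryptsetup/askpass are all this example's own choices.

```shell
#!/bin/sh
# Added example: the README's key handling exercised locally, end to end.
# Not the https-keyscript project's code. The openssl parameters are the
# README's and must match the installed keyscript; everything else (function
# names, the file:// case standing in for the webserver, HK_PASSPHRASE via
# -pass env:, refusing plain http://, stdin instead of askpass) is assumed.
set -u

# Step 1: 256 random bytes, base64 so the key is printable, then encrypted.
# The passphrase travels in the environment rather than on the command line
# (the README's -k), so it is not visible in ps output or shell history.
make_encrypted_keyfile() {   # $1 = output path, $2 = passphrase
    HK_PASSPHRASE=$2; export HK_PASSPHRASE
    head -c 256 /dev/urandom | base64 \
        | openssl enc -e -base64 -aes-256-cbc -md sha256 -salt \
              -pass env:HK_PASSPHRASE -out "$1"
}

# The crypttab key field is "passphrase:https://host/path". Split at the
# FIRST colon only: the URL contains colons, so ${1#*:} (shortest prefix) is
# right and ${1##*:} would be wrong. A passphrase containing ':' is therefore
# not representable in this spec format.
spec_passphrase() { printf '%s\n' "${1%%:*}"; }
spec_url()        { printf '%s\n' "${1#*:}"; }

# Fetch the encrypted keyfile. wget verifies the server certificate by
# default; a plain http:// URL would hand the keyfile and the fact of the
# request to anyone on the path, so it is refused here. file:// exists only
# so the example runs offline against a local copy.
fetch_keyfile() {   # $1 = URL; prints the encrypted keyfile or fails
    case "$1" in
        file://*)  cat "${1#file://}" ;;
        https://*) wget -q -O - "$1" ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Decrypt with exactly the parameters used at encryption time.
decrypt_keyfile() {   # stdin = encrypted keyfile; HK_PASSPHRASE exported
    openssl enc -d -base64 -aes-256-cbc -md sha256 -pass env:HK_PASSPHRASE
}

# wget_or_ask-style behaviour: print the key if it can be fetched and
# decrypted, otherwise ask. Decryption goes to a file that is printed only
# after openssl has exited successfully, so a failed decryption or a
# truncated download never emits partial output to cryptsetup. In the
# initramfs the fallback would be /lib/cryptsetup/askpass; here it reads
# one line from stdin.
wget_or_ask_demo() {   # $1 = "passphrase:url"; prints the key bytes
    HK_PASSPHRASE=$(spec_passphrase "$1"); export HK_PASSPHRASE
    hk_tmp=$(mktemp -d) || return 1
    if fetch_keyfile "$(spec_url "$1")" > "$hk_tmp/enc" 2>/dev/null \
       && decrypt_keyfile < "$hk_tmp/enc" > "$hk_tmp/key" 2>/dev/null; then
        cat "$hk_tmp/key"; rm -rf "$hk_tmp"; return 0
    fi
    rm -rf "$hk_tmp"
    printf 'Remote key unavailable, enter passphrase: ' >&2
    IFS= read -r hk_answer && printf '%s' "$hk_answer"
}

# Step 5: the /etc/crypttab line. "initramfs" forces unlocking from the
# initramfs, since systemd's cryptsetup support has no keyscript concept.
crypttab_line() {   # $1 = mapping name, $2 = device, $3 = "passphrase:url"
    printf '%s %s %s luks,keyscript=wget_or_ask,initramfs\n' "$1" "$2" "$3"
}

# Demo: run as "sh walkthrough.sh demo".
if [ "${1-}" = demo ]; then
    demo_dir=$(mktemp -d)
    make_encrypted_keyfile "$demo_dir/encrypted_keyfile" somepassphrase
    wget_or_ask_demo "somepassphrase:file://$demo_dir/encrypted_keyfile" \
        > "$demo_dir/unencrypted_keyfile" </dev/null
    echo "recovered $(base64 -d < "$demo_dir/unencrypted_keyfile" | wc -c) key bytes"
    crypttab_line cryptroot /dev/someDevice \
        somepassphrase:https://example.org/encrypted_keyfile
    rm -rf "$demo_dir"
fi
```

Two details are worth carrying over when adapting this: the spec is split at the first colon only, because the URL itself contains colons, and the decrypted key is written to a file and printed only once openssl has exited successfully, so cryptsetup never sees a half-written key before the passphrase fallback kicks in.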

Caching

The keyscript caches each decrypted key in the kernel keyring for 60 seconds, so that several devices listing the same key file spec in /etc/crypttab are unlocked with a single HTTPS request; after the timeout the kernel discards the key by itself. This feature depends on the keyutils package (the keyctl command).
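The caching described above, written out with the keyctl commands from keyutils. This is an added example, not the project's keyscript: the key-description scheme (a hash of the spec, so the passphrase does not become a key name), the use of the user keyring (@u), and the function names are this example's assumptions; the 60 second lifetime is the README's.

```shell
#!/bin/sh
# Added example, not the project's keyscript: caching a fetched key in the
# kernel keyring with keyutils so that several /etc/crypttab entries sharing
# one "passphrase:url" spec cause a single HTTPS request. The naming scheme,
# the user keyring (@u) and the function names are assumptions; the 60 s
# lifetime is the README's.
set -u

CACHE_TTL=60

# Name the keyring entry by a hash of the spec, not by the spec itself: the
# spec contains the passphrase, and key descriptions are listed in /proc/keys
# for any process that may view the key.
cache_name() {   # $1 = "passphrase:url"
    printf 'https-keyscript:%s\n' "$(printf '%s' "$1" | sha256sum | cut -c1-32)"
}

# Print the cached key bytes for a spec; fails if there is no live entry.
# keyctl search does not return expired keys, so the timeout is enforced here.
cache_get() {
    hk_id=$(keyctl search @u user "$(cache_name "$1")" 2>/dev/null) || return 1
    keyctl pipe "$hk_id"
}

# Store the key read from stdin (keyctl padd keeps the bytes exact, including
# a trailing newline, which matters because LUKS compares the whole file) and
# give it the lifetime; the kernel expires it when the timer fires.
cache_put() {
    hk_id=$(keyctl padd user "$(cache_name "$1")" @u) || return 1
    keyctl timeout "$hk_id" "$CACHE_TTL"
}

# Drop a cached key early, e.g. once the last device is unlocked.
cache_drop() {
    hk_id=$(keyctl search @u user "$(cache_name "$1")" 2>/dev/null) || return 0
    keyctl unlink "$hk_id" @u >/dev/null
}

# Serve the key from the cache, otherwise run the fetch command given as the
# remaining arguments (in the keyscript: fetch over HTTPS and decrypt), cache
# its output and print it. The output goes through a file rather than $(...),
# because command substitution strips trailing newlines and would corrupt a
# key that ends in one.
fetch_cached() {   # $1 = spec, $2... = command that prints the key
    hk_spec=$1; shift
    cache_get "$hk_spec" && return 0
    hk_tmp=$(mktemp) || return 1
    if "$@" > "$hk_tmp"; then
        cache_put "$hk_spec" < "$hk_tmp" && cat "$hk_tmp"
        hk_rc=$?
    else
        hk_rc=1
    fi
    rm -f "$hk_tmp"
    return "$hk_rc"
}
```

The first crypttab entry pays for the network round trip; the ones that follow within the next minute read the key back with keyctl pipe. Because the lifetime is set with keyctl timeout, the decrypted key disappears from the keyring without any further action from the keyscript.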

Alternatives

Mandos provides a system with better client authentication and automated detection of a client going offline for an unexpected period of time.

netkeyscript uses link-local IPv6 UDP packets with an unencrypted passphrase.

clevis provides a dracut-based unlocker for use with the tang keyserver.

There are a number of variations on using dropbear or similar to allow remote, but not unattended, restarts with an encrypted boot.

License

This collection of scripts is licensed under the GNU GPLv3.
