Chicken and egg, encrypted root FS on remote server
Xin Li
delphij at delphij.net
Wed Feb 20 07:20:23 UTC 2013
On 2/19/13 10:58 PM, Paul Schenkeveld wrote:
> Ideally I'd like the server to start, do minimal network config,
> run a minimal ssh client (dropbear?) and wait for someone to log
> in, provide the passphrase to unlock the root filesystem and then
> mount the root filesystem and do a normal startup.
At work I have something like this. Basically the setup has a small /
that is not encrypted, and I have a script called 'geli0' that starts
the network and sshd and waits for the GELI provider to be unlocked or for
someone to hit enter on the console (and then unlock from the console, of course).
I'm not sure if this is even near your requirement, nor is it intended
for use by the general public. Be sure to change ada0s1d to match your
system, by the way.
====
#!/bin/sh
#
# PROVIDE: geli0
# BEFORE: disks
# REQUIRE: initrandom
# KEYWORD: nojail

. /etc/rc.subr

name="geli0"
start_cmd="geli0_start"
stop_cmd=":"
required_modules="geom_eli:g_eli"

geli0_start()
{
	# The small unencrypted / is still read-only here; check it and
	# remount it read-write so the rc.d scripts below can run.
	fsck -py / || fsck -fy /
	mount -uw /

	# Bring up just enough of the system to accept an ssh login.
	/etc/rc.d/hostid start
	/etc/rc.d/hostname start
	/etc/rc.d/devd start
	/etc/rc.d/netif start
	/etc/rc.d/routing start
	/etc/rc.d/sshd start

	# Wait until someone attaches the GELI provider over ssh (the
	# ada0s1d.eli node appears), or until enter is pressed on the
	# console so it can be unlocked there instead.
	echo -n "Waiting ada0s1d to be available, press enter to continue..."
	while true; do
		if [ -e /dev/ada0s1d.eli ]; then
			break
		fi
		read -t 5 dummy && break
	done

	# Tear the temporary network and sshd down again; the normal rc
	# sequence starts them properly once the real root is in place.
	/etc/rc.d/sshd stop
	/etc/rc.d/routing stop
	/etc/rc.d/netif stop
	/etc/rc.d/devd stop
}

load_rc_config $name
run_rc_command "$1"
=====
Cheers,
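The wait loop in the script above keeps sshd and the network up for as long as nobody attaches the provider or presses enter. The following added example (not from the post or from FreeBSD) factors that wait into a function with an overall deadline, so a caller can decide to tear the pre-boot sshd down again after a bounded time; the device path, timeout and poll interval are assumed arguments.

```shell
#!/bin/sh
# wait_for_provider DEVICE TIMEOUT_SECONDS [POLL_SECONDS]
#
# Poll until DEVICE (the attached GELI node, e.g. /dev/ada0s1d.eli)
# exists or TIMEOUT_SECONDS have elapsed. Returns 0 when the node
# appears and 1 on timeout, so the caller can stop sshd/network and
# fall back to a console unlock instead of waiting forever.
# Example function, not part of the posted rc script.
wait_for_provider() {
	wfp_dev=$1
	wfp_timeout=${2:-300}
	wfp_poll=${3:-5}
	wfp_waited=0
	while [ ! -e "$wfp_dev" ]; do
		if [ "$wfp_waited" -ge "$wfp_timeout" ]; then
			return 1
		fi
		sleep "$wfp_poll"
		wfp_waited=$((wfp_waited + wfp_poll))
	done
	return 0
}

# Stand-alone demonstration against a constructed path (no real GELI
# device is touched): the node is created by a background job after
# two seconds, so the wait succeeds within the deadline.
if [ "${0##*/}" = "wait_for_provider.sh" ]; then
	demo_dir=$(mktemp -d)
	( sleep 2; : > "$demo_dir/demo.eli" ) &
	if wait_for_provider "$demo_dir/demo.eli" 10 1; then
		echo "provider attached"
	else
		echo "timed out, unlock from console instead"
	fi
	rm -rf "$demo_dir"
fi
```

In the rc script this would replace the bare `while true` loop, with the non-zero return used to stop sshd and the network before prompting on the console.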