un modo per sbloccare server cifrati con LUKS

samba 3ac985ec30 adding some code 1 month ago
README.md 3ac985ec30 adding some code 1 month ago
unlock-boot 3ac985ec30 adding some code 1 month ago

README.md

unlock-boot

unlock-boot è un tool per sbloccare server cifrati con LUKS

  • rimane in ascolto facendo un ping al secondo
  • quando la macchina risponde al ping verifica la chiave ssh del server
  • se la chiave è corretta allora invia la passhphrase di luks per fare il boot
  • rimane nuovamente in attesa via ping fino al completamento del boot

add new trusted host

By default the script has no TRUSTED HOST.

TRUSTED HOST are a list of ssh fingerprint insto the unlock-boot script. That's very important because you need to trust the ssh key from the dropbear server starting at the boot (which is not the ssh server of your unlocked machine).

If you are not checking the ssh fingerprint in some TRUSTED HOST you may send the luks key to a random server with the same ip address!

Do be safer is better to add a ssh key into the script as new TRUSED HOST, that's how you can do that:

$ ./unlock-boot -a 192.168.13.12 -s 
2022-03-28 11:20:03 - INFO: Getting ssh key fingerprint
# 192.168.13.12:22 SSH-2.0-OpenSSH_8.4p1 Debian-5                 
2022-03-28 11:20:05 - INFO: Host ssh key:                       
                                                                               
----------- SSH-KEY ---------
myserver.tech ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDUB3sQqMpiuu+5vgsOia4iyOHA30UguQe2HdkWnbmfH0fFx5HbXkHWT5z5N4j8mcblt+WCAyDshl7gGl54X0UE=
----------- *** *** *** ---------

unlock the boot

Once you have added the host in your trusted host you can unlock the boot by specifying the ip address (-a) and the luks password (-p) as you can see from the following output.

./unlock-boot -a 192.168.13.12 -p $(pass me/servername/luks )
...