Closed 459below closed 1 year ago
@459below thank you very much for bringing this up! Did you already try it out? I am currently thinking of replacing this (still working) way here with either Clevis and Tang or some other way...
Not fully yet.
The systemd and cryptsetup packages support this properly starting in Debian 12 / Bookworm, which is to be released in the next two weeks. Since it is already in full-freeze, I upgraded my fleet to Bookworm this weekend.
I will continue testing cryptsetup-ssh in the upcoming week(end)s.
I did some testing and it worked for me very smoothly, as described in the release note linked above. However, I noticed that:
But since it is advertised as an experimental thing, I think that is totally fine.
I looked at the source code and did not see the port to be easily changeable from 22. That would be a big downside for me.
For now I am prioritizing FIDO2 and Clevis and Tang for my personal needs.
I guess we should bring this discussion here to the cryptsetup devs. I am happy that this idea here somewhat lives on upstream (but I guess they don't even know about this project :-D)
So as not to have this issue become a zombie, I will close it again.
I have just finished setting up FIDO2 unlocking on Debian Bookworm: https://gitlab.com/-/snippets/2565164#LC44
Of course this is out of scope for this project. However, since FIDO2 works very well on Debian now, I have fulfilled my need on local machines. On Fedora it works even slightly better. For remote servers I will probably focus on Clevis and Tang.
However, cryptboot-ssh has worked very well for 7 years now! No regrets here. 😄
Experimentally, but officially it seems to have been adapted.
https://manpages.debian.org/experimental/cryptsetup-bin/cryptsetup-ssh.8.en.html
https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/docs/v2.4.0-ReleaseNotes#L58
So the whole implementation seems to now be much, much easier than when this project initially started 8 years ago.