this post was submitted on 07 Dec 2023
52 points (100.0% liked)

Selfhosted

Hi there! I have a little box at home, hosting some little services for personal use under FreeBSD with full disk encryption (GELI). I'm never at home and long power outages often occur, so I always need to come back home to type my passphrase to decrypt the disk.

I was searching this week for a solution to do it remotely and found the "poor-guy-kvm" solutions that turn a Raspberry-like board (BeagleBone Black in my case) into a HID keyboard. It works fine once the computer has booted, but on reboot, when the passphrase is asked for before the loader menu loads, nothing. When I plug in an ordinary USB keyboard I can type my passphrase, so the USB module is loaded.

Am I missing something? Am I trying something impossible?

(I could've asked on the FreeBSD forum but... have to subscribe, introduce yourself, etc... Long journey)

top 41 comments
[–] markomas 16 points 1 year ago (1 children)

Hi, why not do it a little bit differently?

  1. The server boots into an unencrypted kernel with an SSH server (it has just that SSH server)
  2. Then you connect remotely via SSH and provide the password (unlock encrypted disks etc.)
  3. Then the system boots into the encrypted environment which you unlocked at step 2
  4. Profit

No second PC/Raspberry is required.

I have done this with LUKS on Debian: https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/ I think you can adapt something similar to your FreeBSD.

A quick Google search found:

https://forums.freebsd.org/threads/encrypted-root-with-unencrypted-preboot-and-reboot-r.74378/

https://github.com/Sec42/freebsd-remote-crypto
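
The three-step flow above, carried through as an added shell script (example code written for this edit, not the commenter's setup, the hamy.io guide, or the freebsd-remote-crypto repository). It runs inside the small unencrypted FreeBSD pre-boot system and is invoked over ssh; the provider name ada0p3, the root dataset zroot/ROOT/default and the use of reboot -r to re-root onto the unlocked filesystem instead of a cold reboot are assumptions:

```shell
#!/bin/sh
# geli-unlock.sh: added example, not from the thread or the linked repo.
# Runs INSIDE the small unencrypted FreeBSD pre-boot system (step 1),
# invoked over ssh (step 2). It attaches the GELI provider, makes the real
# root mountable, then re-roots the running kernel onto it with reboot -r
# (step 3) instead of a cold reboot that would ask for the passphrase again.
# Assumed placeholders: provider ada0p3, root dataset zroot/ROOT/default.
set -eu

PROVIDER="${PROVIDER:-ada0p3}"              # GELI-encrypted GPT partition (assumed)
ROOTFS="${ROOTFS:-zfs:zroot/ROOT/default}"  # value for vfs.root.mountfrom (assumed)
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1: print commands instead of running them

# Run a command, or print it when dry-running (lets the flow be checked off-box).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to run against an unknown provider or one that is already attached.
# Skipped in dry-run mode, where there is no /dev to inspect.
precheck() {
    [ "$DRY_RUN" = 1 ] && return 0
    [ -e "/dev/$1" ] || { echo "no such provider /dev/$1" >&2; return 1; }
    [ ! -e "/dev/$1.eli" ] || { echo "/dev/$1.eli already attached" >&2; return 1; }
}

# Attach the provider. geli prompts for the passphrase on the controlling tty
# with echo off, so run this under 'ssh -t'; the passphrase is never on argv
# or in shell history. Verify the .eli device appeared before going further.
attach() {
    run geli attach "/dev/$1"
    [ "$DRY_RUN" = 1 ] || [ -e "/dev/$1.eli" ] || { echo "attach failed" >&2; return 1; }
}

# For a ZFS root, import the pool without mounting (-N) so the kernel knows
# it when it re-roots (assumption based on reboot -r usage). UFS needs nothing.
prepare_root() {
    case "$1" in
        zfs:*)
            pool="${1#zfs:}"; pool="${pool%%/*}"
            run zpool import -N "$pool"
            ;;
    esac
}

# Tell the kernel where the real root is, then re-root in place: reboot -r
# kills userland, unmounts, mounts the new root and runs /etc/rc again,
# keeping kernel state (and therefore the attached .eli device) alive.
reroot() {
    run kenv "vfs.root.mountfrom=$1"
    run reboot -r
}

unlock() {
    precheck "$1" && attach "$1" && prepare_root "$2" && reroot "$2"
}

# Only act when explicitly invoked as: sh geli-unlock.sh unlock
if [ "${1:-}" = "unlock" ]; then
    unlock "$PROVIDER" "$ROOTFS"
fi
```

Invoke it as `ssh -t root@box sh /root/geli-unlock.sh unlock` so geli's passphrase prompt has a tty. The caveat that applies to every variant in this thread: the pre-boot kernel, its sshd and its host key sit on disk unencrypted, so anyone with physical access can replace them with something that records the passphrase. Pin the pre-boot host key in a separate known_hosts on the client and treat a key change as a stop, not as a prompt to accept.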

[–] [email protected] 5 points 1 year ago (1 children)

Shit, I totally missed this one, maybe I wasn't searching with good keywords... Thanks a lot. I've only read it quickly for the moment, so it doesn't seem to be fully encrypted, but the scenario in the forum and the solution proposed can answer my needs (sorry for bad English). Thanks!

[–] [email protected] 3 points 1 year ago

The key to a good search is to know what you are looking for.

If you know what you are looking for
I know how you feel, brother.
At least we have the awesome members of the community showing us the other options!

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not sure how it'd work for FreeBSD, but on Linux you can get sshd running in your initrd. You can even go as far as getting an onion service running in your initrd and using that for remote access.

[–] [email protected] 2 points 1 year ago

Yeah, someone already told me that some years ago (yeah, years ago...) but it doesn't work exactly like that with FreeBSD. It's possible, but not a fully encrypted disk solution. Thanks for your answer

[–] raldone01 11 points 1 year ago* (last edited 1 year ago) (2 children)

If you have a TPM 2 you can use Secure Boot (custom keys) to allow Linux to decrypt itself if nothing has changed.

[–] [email protected] 2 points 1 year ago

Didn't know this thing, I will check about that, thanks !

[–] [email protected] 1 points 1 year ago (1 children)

What do you mean by "if nothing has changed"? Wouldn't this mean someone could physically steal the machine, boot it up somewhere else, and it'd auto-decrypt itself?

[–] raldone01 5 points 1 year ago* (last edited 1 year ago)

Yes. That is possible. However, if the hardware configuration/software configuration changes, the TPM should trip and prevent decryption.

The attackers would have to break your SSH/terminal/lock screen/other insecure software. However, code injection should be impossible because you used custom Secure Boot keys and ideally a signed unified kernel image. (You can't even change kernel params without tripping the TPM.)

You would not be safe if they did a bus-listening attack or if your shell password is not safe. If that is your threat vector, this may not be a good option for you.

[–] [email protected] 9 points 1 year ago (1 children)

I have a box at home .... I'm never at home.

How is this your home? Please resolve this mystery so I can find sleep again.

[–] [email protected] 3 points 1 year ago

I didn't say "I have a box at my home", just "at home" ;)

[–] [email protected] 8 points 1 year ago (1 children)

Not sure about FreeBSD, but under Linux I have used SSH-based solutions in the past, specifically dracut-sshd to call systemd-tty-ask-password-agent, and of course some early network configuration.

[–] [email protected] 1 points 1 year ago

Yeah, someone already told me that some years ago (yeah, years ago...) but it doesn't work exactly like that with FreeBSD. It's possible, but not a fully encrypted disk solution. Thanks for your answer

[–] [email protected] 7 points 1 year ago (1 children)

I'm using encrypted ZFS as the root partition on my server and I've (mostly) followed the instructions in point #15 from here: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Bookworm%20Root%20on%20ZFS.html

This starts dropbear as an SSH server that has only a single task: when someone logs in, they get asked for the decryption key of the root partition.

I suspect that this could be adapted to whatever encryption mechanism you use.

I didn't follow it exactly, because I didn't want the "real" SSH host keys of the host to be accessible unencrypted in the initrd, so the "locked host" has a different SSH host key than when it is fully booted, which is what I prefer.
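
A worked version of that separate-host-key choice, as an added example (not the commenter's configuration and not the OpenZFS guide's steps): it writes the dropbear-initramfs config with its own ed25519 key and emits the client ssh_config stanza that keeps the initramfs identity and the booted system's identity in separate known_hosts files. The Debian bookworm paths under /etc/dropbear/initramfs, port 2222 and the host name box.lan are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZFS guide): give the Debian
# initramfs its own dropbear host key instead of copying the real
# /etc/ssh host keys into the unencrypted initrd, and produce the client
# ssh_config that keeps the two identities apart.
# Assumed: Debian bookworm dropbear-initramfs layout, host box.lan, port 2222.
set -eu

DRY_RUN="${DRY_RUN:-0}"                                    # DRY_RUN=1: print instead of act
INITRAMFS_DIR="${INITRAMFS_DIR:-/etc/dropbear/initramfs}"  # bookworm config dir (assumed)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dropbear.conf body: -p port, -s no password auth, -j/-k no local/remote
# port forwarding, -I idle timeout. A distinct port is a cheap way to stop
# ssh clients from mixing the initramfs key with the booted host's key on 22.
dropbear_conf() {
    printf 'DROPBEAR_OPTIONS="-p %s -s -j -k -I 180"\n' "$1"
}

# Client stanza: HostKeyAlias plus a separate known_hosts file pin the
# initramfs key on its own, so the booted system presenting a different key
# on port 22 never triggers a "host key changed" warning, and vice versa.
client_stanza() {
    host="$1"; port="$2"
    printf 'Host %s-initramfs\n' "$host"
    printf '    HostName %s\n' "$host"
    printf '    Port %s\n' "$port"
    printf '    User root\n'
    printf '    HostKeyAlias %s-initramfs\n' "$host"
    printf '    UserKnownHostsFile ~/.ssh/known_hosts.initramfs\n'
}

# Server side, run as root: create a dedicated ed25519 key if none exists
# (the package may already have generated one), write the config, add the
# admin's public key, rebuild the initrd.
setup_server() {
    port="$1"; pubkey="$2"
    key="$INITRAMFS_DIR/dropbear_ed25519_host_key"
    [ -e "$key" ] || run dropbearkey -t ed25519 -f "$key"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would write %s and append key to %s\n' \
            "$INITRAMFS_DIR/dropbear.conf" "$INITRAMFS_DIR/authorized_keys"
    else
        dropbear_conf "$port" > "$INITRAMFS_DIR/dropbear.conf"
        printf '%s\n' "$pubkey" >> "$INITRAMFS_DIR/authorized_keys"
    fi
    run update-initramfs -u
}

# Usage: sh this.sh server 2222 'ssh-ed25519 AAAA... admin@laptop'
#        sh this.sh client box.lan 2222 >> ~/.ssh/config
case "${1:-}" in
    server) setup_server "$2" "$3" ;;
    client) client_stanza "$2" "$3" ;;
esac
```

The initramfs also needs network (Debian's /etc/initramfs-tools/initramfs.conf takes an IP= line in kernel ip= syntax), and what you run after logging in depends on the guide you followed: the zfsunlock helper the OpenZFS page describes for native ZFS encryption, cryptroot-unlock for LUKS. With the separate alias, a genuine change of the initramfs key (someone replacing the unencrypted initrd) shows up as a hard known_hosts mismatch instead of being blurred into routine key churn.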

[–] [email protected] 3 points 1 year ago

I've read that FreeBSD 14 offers ZFS native encryption, so it could work. Maybe it's time to upgrade; I will see. Thanks!

[–] SpaceNoodle 4 points 1 year ago (1 children)

I'm in the market for a similar solution. Is the BeagleBone being powered via USB? If so, it might be trying to pull more current than the USB stack will allow at that point. Can you debug the board while it's in the non-working state? Also, does it present as a single HID device?

[–] [email protected] 1 points 1 year ago

Yes, the BeagleBone Black is currently powered by USB. Unfortunately I am not able to debug the board while it's not working due to my lack of skill... I don't know how to do it... Maybe as a first step I can read dmesg on the BBB for a message stating this non-working state while the PC asks for the passphrase... Yes, once it's booted, FreeBSD sees it as a single HID device, just a HID device

[–] loganb 4 points 1 year ago (2 children)

Have you looked into policy-based decryption? Here's a knowledge base page on the RHEL customer portal that goes over it well. I'm not sure if this will work on FreeBSD, but it does offer a solution that allows for zero-touch reboots.

[–] [email protected] 1 points 1 year ago

Oh interesting, I will read that back to my computer , thanks !

[–] [email protected] 4 points 1 year ago (1 children)

You have some options:

  • TPM 2-based disk encryption. This is basically what BitLocker does, but it isn't great. It uses an encryption key stored in your TPM chip that should never be exportable. This means the disk should only be decryptable in the machine it's in. That, in conjunction with Secure Boot, can give you some guarantees that the only way to access the data is through the computer itself (no pulling the disk first). The issue is there are many potential vulnerabilities that could subvert this, LogoFAIL being the most recent.

  • You could set up a proper KVM. The two go-tos are PiKVM and TinyPilot. Jeff Geerling did a good video on these. It'll cost a few hundred bucks but can definitely be worth it. You might consider a motherboard with a built-in KVM in your next build too.

  • Set up NBDE (Network Bound Disk Encryption). This is pretty new, but it's what I'm planning to move to. Red Hat has an implementation with Tang & Clevis (server and client). You might eventually be able to use Clevis with other alternative backends too.
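
The two encryption options in that list (TPM2-only sealing and NBDE with Tang and Clevis), together with the stolen-machine question raised earlier in the thread, as one added example (written for this edit, not Red Hat's documentation or the commenter's setup). It builds the Clevis pin configurations for a LUKS volume: the TPM2-only policy that unlocks anywhere as long as PCR 7 is unchanged, beside a Shamir (sss) policy with threshold 2 that needs both the TPM and a Tang server that only answers on the home LAN. The device /dev/sda2, the Tang URL http://tang.lan and PCR 7 are placeholders:

```shell
#!/bin/sh
# Added example, not from the thread or Red Hat's docs: Clevis policies for
# a LUKS volume. The TPM2-only pin is the "auto-unlock if nothing changed"
# case (a stolen box still unlocks while PCR 7 is unchanged); the sss pin
# with t=2 needs BOTH the TPM and a Tang server on the home LAN, so the
# disk stays sealed off-site. /dev/sda2, http://tang.lan, PCR 7 are assumed.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Weak setting: TPM2-only pin on PCR 7 (Secure Boot policy) in the sha256
# bank. Binds to this machine's firmware state, not to where the machine is.
tpm2_only_policy() {
    printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "$1"
}

# Corrected setting: sss pin, threshold t over a Tang pin and a TPM2 pin.
# t=2 requires both; t=1 would let either alone unlock, which is no stronger
# than the TPM-only policy for the stolen-hardware case.
sss_policy() {
    t="$1"; tang_url="$2"; pcrs="$3"
    printf '{"t":%s,"pins":{"tang":[{"url":"%s"}],"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' \
        "$t" "$tang_url" "$pcrs"
}

# Bind: Clevis adds a new LUKS keyslot protected by the policy. The original
# passphrase slot stays as the fallback for when Tang is down or PCR 7 moved.
bind_volume() {
    dev="$1"; pin="$2"; cfg="$3"
    run clevis luks bind -d "$dev" "$pin" "$cfg"
}

# Check what is bound; run after binding and again after firmware updates.
list_bindings() {
    run clevis luks list -d "$1"
}

# Usage: sh this.sh bind      (binds the t=2 policy and lists the result)
if [ "${1:-}" = "bind" ]; then
    bind_volume /dev/sda2 sss "$(sss_policy 2 http://tang.lan 7)"
    list_bindings /dev/sda2
fi
```

With t=2 a box carried off-site has an intact TPM but no Tang, so the Clevis keyslot stays sealed and the fallback passphrase is the only way in. Pin Tang's advertised key at bind time (the tang pin accepts a "thp" thumbprint field) rather than accepting whatever is advertised on the wire, and expect to rebind after firmware or Secure Boot database changes move PCR 7. Unattended boot additionally needs the Clevis initramfs integration and network in the initrd. None of this applies to GELI as is; it is the Linux shape of the idea.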

[–] [email protected] 1 points 1 year ago

Thanks for your answer! Someone already mentioned TPM; I will check on that when I have free time. Already tried PiKVM and TinyPilot with no success, unfortunately... Didn't know NBDE, will take a look too!

[–] [email protected] 3 points 1 year ago

I think you are overthinking it. Most remote solutions like RustDesk and Moonlight allow you to remotely log in.

Another thought: you could set up Cockpit so you can control it remotely if everything else fails.

[–] markstos 3 points 1 year ago (1 children)

You could buy a remote KVM device. The serial port of your target box connects to that, and the KVM connects to the internet. With that, you can watch the device during boot and access the console remotely.

I used to run a web hosting business and we used those. I have not shopped for a personal one, but surely there must be old and used ones for sale.

Bonus: our hosting business ran on FreeBSD so I can confirm there was no problem there. Because it’s a serial connection no OS support is required.

[–] [email protected] 2 points 1 year ago

Hmm, I've read it's expensive but never verified it, I admit. And there's no serial port on my box... Will check the price of new and second-hand devices

[–] [email protected] 3 points 1 year ago (1 children)

Did you try this: https://github.com/touchgadget/usbkwa ?

I use this to unlock Windows when I WOL it.

[–] [email protected] 1 points 1 year ago

Hmm, seems to be a HID keyboard "emulator" too. Having tried this kind of solution makes me think I have a problem with the HID module at boot, so I will maybe abandon this solution, we'll see. Thanks for your answer!

[–] plague_sapiens 2 points 1 year ago (1 children)

Like someone already mentioned, you can use dracut-sshd for RPM-based distros or dropbear-initramfs for deb-based distros. My idea would be to use Debian as the host and virtualize or dockerize the FreeBSD system/software part.

[–] [email protected] 2 points 1 year ago (1 children)

Thanks for your answer, but... I like FreeBSD as a host

[–] plague_sapiens 1 points 1 year ago (1 children)

Tried to help :P What's your take on using FreeBSD instead of Linux? More security?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

No problem, I appreciate it ;) I hope my answer was not too rude!

At the beginning it was to try something different, curiosity. I began to write a comparison, but in fact I can't do that because I have never used Linux for self-hosted services, just for user things like... checking my mail. I find it easier for that side.

But, for example, after setting up my first jails, I read how I could've done it on Linux. I found LXC (for example) hard to learn and configure, while chroot was not secure enough for my taste without a little bit of tuning. Jail is native, it's one conf file, easy to read and write, and four lines in rc.conf to enable it (with its own virtual network interface). With ZFS it's easy to deploy the same base system for all your jails and to keep it updated, and it's fully isolated. Want to enable another service? Write theservice_load="YES" in rc.conf. No systemd linking with some file or whatever, I don't know. Same if you want an additional virtual network (+1 more line). Customizing your kernel, building it and installing it is one conf file to edit + 4 short command lines (I don't know how to do that on Linux)...

Again, it's not a comparison, it's just why I stay with FreeBSD. Maybe it's more comfortable for me because I'm not doing real hard security things, I'm not a pro sysadmin, but I found doing and learning those things (customizing the kernel, jails and other things) was (really) easy when reading the clear docs. And many security things are native.

Sorry for the long answer ^

[–] plague_sapiens 2 points 1 year ago (1 children)

Your answer wasn't rude at all :) and thanks for the long one! Looks like I should try FreeBSD again; last time I was just overwhelmed, but that was many years ago. My last try was OPNsense, which didn't work like I wanted it to (stupid IPv6-to-IPv4 tunnel, which didn't properly reconnect after the 24h ISP disconnection, and my script to fix this fucked up latency, and gaming wasn't possible because of stutters (probably packet loss too)). Security is the main aspect of my trying to use it. Linux can be like Swiss cheese if misconfigured. Still better than Windows (Server) tho xD

[–] [email protected] 1 points 1 year ago (1 children)

Yeah, not hard to do better than Windows! ;) I think FreeBSD has many improvements with each new version, so if your try was many years ago maybe you will find something interesting today... or maybe not ;) It wasn't possible to fix the latency because of people who suffer from a speech disorder?

[–] plague_sapiens 1 points 1 year ago (1 children)

What? xD The script used the DSL modem's IPv6 WAN IP to set up the IPv6-to-IPv4 tunnel (to get IPv4 working) each time my ISP dropped the connection after 24h (standard DSL procedure over here in DE) or on a random reconnection. But somehow that script triggered higher latency and probably packet loss/delay (couldn't measure it, because it only appeared in fast-paced shooters like MW2019). Without the script everything ran fine except IPv4 after disconnections, which had to be set up manually. After that I sent the DSL modem back and returned to my AVM FritzBox as my main router. Can't really say if it was directly the script's fault or something else in my OPNsense setup (low-powered CPU, USB Ethernet adapter, 4-port Gbit LAN PCIe card, defective RAM, ...). Maybe I'll try a similar setup again some time, because I kinda liked OPNsense...

[–] [email protected] 1 points 1 year ago (1 children)

You said

gaming wasn't possible because of stutters

I searched what 'stutters' means, I didn't know this word, and I only found the definition of people who suffer from a speech disorder :)

I wouldn't trust a USB Ethernet adapter if latency were important to me, but maybe I'm wrong, it's just superstition. I've only used OPNsense once, at work and just for checking some network information, but I remember saying it was a nice web UI haha

[–] plague_sapiens 2 points 1 year ago (1 children)

Ah, yeah, "stutters" has different meanings. One being people with a speech disorder, and the other one is usually used for display issues (like tearing). It felt like I was using a low refresh rate screen with really low fps, but I had 144Hz and 144 fps xD

USB can ramp up latency for sure; it should be because of I/O overhead, which is usually ignorable when the HW is fast enough IME.

Now my fingers are itchy to try FreeBSD and OPNsense again, haha. Like I haven't already enough stuff to do and test...

[–] [email protected] 1 points 1 year ago (1 children)

Oh okay, thanks for the definition!

Haha, sorry to wake up unreasonable curiosity in you! :D

[–] plague_sapiens 2 points 1 year ago

No problem, indeed I like unreasonable curiosity a lot xD
