anatol/booster

SSH remote ZFS unlocking?

Opened this issue · 1 comment

Hello, this is not an issue but a question/request.

Is there a way to enable SSH to remotely unlock an encrypted ZFS root at boot? I could not find any related documentation.

Something like this dracut module but for booster: https://github.com/gsauthof/dracut-sshd

Thanks

Hi

Booster does not support SSH for remote unlocking. It is a large and complex protocol. Instead, booster supports the Tang/ECMR protocol, which is much simpler and easier (and does not expose a remote shell). See #24

But the first step here would be implementing ZFS encryption support with a keyfile stored in the image. That's something I need to look at first.

The next step would be to implement handling this file as clevis-encrypted data.

Once it is implemented, you can easily add different locking policies for your ZFS dataset, e.g.:

  1. network binding - your ZFS will automatically unlock only in the presence of a key server on your local network
  2. remote unlocking with Tang (it is the equivalent of the SSH unlocking you ask for)
  3. TPM unlocking
  4. YubiKey unlocking
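The reply above says Tang/ECMR is simpler than SSH and exposes no shell. The exchange it refers to is the McCallum-Relyea blinded key exchange, reconstructed here as an added example; this is not code from booster, clevis or Tang. It assumes NIST P-256, SHA-256 of the shared point's x-coordinate as the KDF, and a one-time XOR of a 32-byte ZFS raw key as a stand-in for the JWE wrapping clevis performs. The function names (`server_keygen`, `client_bind`, `client_recover`, `wrap`) and the 32-byte sample key are constructed for this illustration. The point to notice is that the server only ever multiplies a blinded point it is handed: it learns neither the client's stored point `c` nor the derived key, and nothing on the boot side needs to accept inbound connections.

```python
"""Toy reconstruction of the Tang (McCallum-Relyea, ECMR) exchange in pure Python.

Added example, not booster's, clevis's or Tang's code. Assumes NIST P-256 and
SHA-256 of the shared point's x-coordinate as the KDF; the XOR wrap below
stands in for the JWE that clevis really produces.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_neg(point):
    return None if point is None else (point[0], (-point[1]) % P)


def kdf(point):
    """Derive a 32-byte symmetric key from the shared point (assumed KDF)."""
    return hashlib.sha256(point[0].to_bytes(32, "big")).digest()


# --- Tang server side ---------------------------------------------------------
def server_keygen():
    """Long-term server key S; the public point s is advertised to clients."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


def server_recover(priv, blinded_point):
    """The only operation the server performs: multiply what it is sent by S."""
    return ec_mul(priv, blinded_point)


# --- Client side (what the initramfs would do) --------------------------------
def client_bind(server_pub):
    """Provisioning: pick C, keep only c = C*G and s; K = C*s is used once, then dropped."""
    c_priv = secrets.randbelow(N - 1) + 1
    c_pub = ec_mul(c_priv, G)
    key = kdf(ec_mul(c_priv, server_pub))
    return {"c": c_pub, "s": server_pub}, key


def client_recover(meta, server):
    """Boot time: blind c with a fresh E, ask the server, unblind its answer."""
    e_priv = secrets.randbelow(N - 1) + 1
    e_pub = ec_mul(e_priv, G)
    x = ec_add(meta["c"], e_pub)          # server sees c + e, never c alone
    y = server(x)                         # y = S*(c + e) = S*c + S*e
    shared = ec_add(y, ec_neg(ec_mul(e_priv, meta["s"])))  # minus E*s = S*e
    return kdf(shared)                    # leaves S*c = C*s, the bind-time key


def wrap(key, secret):
    """Stand-in for clevis's JWE: one-time XOR of a 32-byte secret with the key."""
    assert len(key) == len(secret) == 32
    return bytes(a ^ b for a, b in zip(key, secret))


def demo():
    """Bind a constructed 32-byte ZFS raw key, then recover it through the server."""
    S, s = server_keygen()
    zfs_key = secrets.token_bytes(32)     # constructed sample: a raw ZFS dataset key
    meta, key = client_bind(s)
    blob = wrap(key, zfs_key)             # blob + meta is what the image would carry
    recovered = wrap(client_recover(meta, lambda x: server_recover(S, x)), blob)
    return recovered == zfs_key
```

Recovery only succeeds when the server holding the original `S` answers, which is exactly the "network binding" policy in the list above; a server with a different key (or no server at all) yields a different derived key and the wrapped ZFS key stays opaque.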