I need to encrypt the whole disk on Debian 7.5 (it will work as a server), but I need to enter the encryption password via SSH. So I need to encrypt the whole disk except the primary system features such as the SSH server, because for example I need to remotely restart this server. Do you know of any effective options?
1 Answer
- The first step would be to decide what needs to be encrypted and what does not. There is no need to encrypt a standard Debian server release; it's not like it contains any secrets. Create at least two partitions, one for the normal stuff and one for the sensitive stuff.
- Then you install the complete server as normal, without any sensitive data (on the normal partition).
- Disable autostarting for all services that need the sensitive data.
- Set up the encryption stuff and see if manual mounting and manually starting the servers work.

Finally, to reduce the work needed, create a script to automate that. For example, name it /root/decrypt-and-start.sh:
```sh
#!/bin/sh
# mount the encrypted filesystem
# this will ask for a password
# (placeholder for whatever command unlocks and mounts your encrypted partition)
mount-encrypted-file-system
# start the services
service apache2 start
service foo start
```

- You can now start this script with `ssh root@server ./decrypt-and-start.sh`; you will need to provide the root password (or use passwordless authentication) and the disk password.
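As an added illustration (not the answerer's own script), the following is a fuller version of /root/decrypt-and-start.sh built on dm-crypt/LUKS, which the comments below suggest as the easiest option. It adds the checks a practitioner would want before unlocking over SSH: it refuses to run as non-root or on a device that is not LUKS, it is safe to re-run (an already open mapping or an already mounted volume is skipped instead of failing), and the passphrase is only ever typed into the SSH session's terminal, never passed on a command line. The device path /dev/sda3, the mapper name secret, the mount point /srv/secret and the service names are assumptions to be replaced with the real values.

```shell
#!/bin/sh
# decrypt-and-start.sh (added example, not the answer's own script)
#
# Unlocks a dm-crypt/LUKS volume over the interactive ssh session, mounts it,
# and then starts the services that depend on it. Safe to re-run: an already
# open mapping or an already mounted volume is skipped rather than failing.
#
# Assumed layout (all placeholders, adjust to the real machine):
#   CRYPT_DEV    encrypted partition        /dev/sda3
#   MAPPER_NAME  device-mapper name         secret  -> /dev/mapper/secret
#   MOUNT_POINT  where the data is mounted  /srv/secret
#   SERVICES     services disabled at boot  apache2 foo
set -eu

CRYPT_DEV="${CRYPT_DEV:-/dev/sda3}"
MAPPER_NAME="${MAPPER_NAME:-secret}"
MOUNT_POINT="${MOUNT_POINT:-/srv/secret}"
SERVICES="${SERVICES:-apache2 foo}"

# Path of the decrypted block device for a given mapper name.
mapper_path() {
    printf '/dev/mapper/%s\n' "$1"
}

# True if the mapping is already open (the unlock step already happened).
is_unlocked() {
    [ -e "$(mapper_path "$1")" ]
}

# True if $1 is a mount point according to the mounts table ($2, default
# /proc/mounts; the file argument exists so the check can be exercised offline).
is_mounted() {
    mounts="${2:-/proc/mounts}"
    awk -v mp="$1" 'BEGIN { found = 0 } $2 == mp { found = 1 } END { exit !found }' "$mounts"
}

# Refuse to proceed unless running as root on a real LUKS block device.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$CRYPT_DEV" ] || { echo "no block device at $CRYPT_DEV" >&2; return 1; }
    cryptsetup isLuks "$CRYPT_DEV" || { echo "$CRYPT_DEV is not a LUKS volume" >&2; return 1; }
}

unlock_volume() {
    if is_unlocked "$MAPPER_NAME"; then
        echo "mapping $MAPPER_NAME already open, skipping unlock"
        return 0
    fi
    # cryptsetup prompts on the controlling terminal, i.e. the ssh session;
    # the passphrase never appears on the command line or in a file.
    cryptsetup luksOpen "$CRYPT_DEV" "$MAPPER_NAME"
}

mount_volume() {
    if is_mounted "$MOUNT_POINT"; then
        echo "$MOUNT_POINT already mounted, skipping mount"
        return 0
    fi
    mkdir -p "$MOUNT_POINT"
    mount "$(mapper_path "$MAPPER_NAME")" "$MOUNT_POINT"
}

start_services() {
    for svc in $SERVICES; do
        service "$svc" start
    done
}

main() {
    preflight
    unlock_volume
    mount_volume
    start_services
    echo "done: $MOUNT_POINT is mounted and services started"
}

# Run only when executed under the script's own name; when sourced or loaded
# under another name, the functions are merely defined.
case "${0##*/}" in
    decrypt-and-start.sh) main "$@" ;;
esac
```

Invoke it with `ssh -t root@server /root/decrypt-and-start.sh`: the `-t` allocates a pseudo-terminal so that cryptsetup can prompt for the passphrase interactively rather than reading it from a non-interactive stdin. Because the services that need the data stay disabled at boot, a reboot leaves the server reachable over SSH with the sensitive partition locked until someone runs this script again.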
- What software or system feature would you use here to do the encryption/decryption? TrueCrypt, sshfs? – mdpc, May 21, 2014 at 20:00
- I think dm-crypt will be the easiest. Please note: sshfs does not provide encryption of data; it can only be used to access data (in a secure way) that is stored on the server, but the server will need to store the data securely itself. TrueCrypt might be an option. – Fabian, May 21, 2014 at 20:28
- Thanks for the reply. I understand that SSH does not provide data encryption. I only want to enter the encryption password via SSH. So I will install Debian 7.5 and during this installation I will create one partition with mount point "/". What capacity is sufficient? And after that I will create a small swap and an encrypted partition with the other disk space. And it will have a mount point, for example /root (I will log in as root). Can I encrypt it during installation? After that I will do it in an automatic script... – Mato, May 23, 2014 at 15:49
- I am not aware of a complete disk encryption (including rootfs) that works over SSH for booting. Also, you might not want to use an unencrypted swap. Certain directories should be available for booting; this includes /root, in particular if you want to connect via SSH. – Fabian, May 23, 2014 at 15:52