
I have a server installed with zentyal 3.0.2 (based on ubuntu 12.04.2) with full-disk encryption.

While I successfully send the WOL packet and turn on the server, the boot process does not complete since the server disk is encrypted and I need to enter the valid pass phrase before proceeding.

Is there any application that can be used to send the pass phrase?

WOL is really useful when we need to manage the server remotely.

the-wabbit
Daniel
  • You could leave it powered on. It is a server, after all. – Michael Hampton Jul 23 '13 at 08:15
  • @MichaelHampton there are plenty of situations where you can't - power failures or post-update reboots being the most "popular" ones. – the-wabbit Jul 23 '13 at 09:34
  • That's a very good question - there are cases where one might desire a fully encrypted server with the option to wake on LAN. –  Sep 05 '16 at 02:25

2 Answers


To decrypt the boot volume you'll have to use some kind of lights-out management or Intelligent Platform Management Interface (IPMI). This will give you a remote console onto the server so you can type in that passphrase. Common examples of this are the ILO on HP servers or the DRAC on Dell servers.

If you're sending a WOL packet, I really doubt there's a lot of extra overhead in opening up a management console to type in the passphrase. With that said, this is an opportunity to revisit why you're doing all of this:

  • Why are you powering off the server? Servers are designed to stay on all the time; if you have a power constraint or similar, you should explore some power saving options that allow you to leave the server running.
  • Why is the boot volume encrypted? On-disk encryption only really helps if you believe that the entire server will be physically stolen and someone will try to steal the data. Is your data worth stealing? What happens if someone steals it? Shouldn't you store your server in a place that's physically protected under lock and key?
  • Even if your disk is encrypted, it has to remain decrypted while the system runs. This means that if you get hacked, your on-disk encryption is worthless because the attacker just stole your unencrypted data off the running system.

Please think about why you're solving this problem and what business purpose it serves.

Joel E Salas
  • Thank you very much for your quick help and valuable explanation. – Daniel Jul 23 '13 at 08:27
  • full volume encryption is generally protecting "data at rest" which also would include pulled HDDs, so there are good use cases for it even if you have a good degree of physical security in place. – the-wabbit Jul 23 '13 at 09:04
  • On top, you likely can encrypt - if professional equipment is used - without asking for a boot phrase, by having the encryption information stored in a TPM - Trusted Platform Module. – TomTom Jul 23 '13 at 09:27

As you need to provide the pass phrase before the system boot completes and networking is started up, you would need another server with the ability to control your starting one.

Lights-out management features / BMCs provide exactly that, are built into most modern / decent server machines and just need configuration (typically you can change the basic settings like IP address, network port and console redirection through the BIOS setup).

Even if the basic license often does not allow for full graphical console access (HP iLO, Dell DRAC), you can set up a serial port redirection - i.e. the BMC would provide a network socket redirecting inputs/outputs to/from the serial port controller. Setting up the bootloader and the Linux kernel to use this serial port as a console would provide you with an ability to read console outputs and provide console inputs via the network socket set up by the BMC.

If you do not have a BMC with your system, you still have a variety of options:

  • an add-on card providing BMC-like features (remote management card / remote access card)
  • a KVM-over-IP switch or a KVM IP extender which is an external box and connects to your server's VGA/keyboard/USB ports like this one
  • a serial server or a device supporting serial port redirection as per RFC2217 - e.g. a Mikrotik router in conjunction with the serial console setup described above.
the-wabbit
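The serial-console setup the answer above describes, as an added example (not code from the answers or from Zentyal/Ubuntu): a POSIX shell script that writes the GRUB and kernel settings into an Ubuntu-style /etc/default/grub so that the bootloader menu and the early-boot passphrase prompt for the encrypted root appear on the BMC's serial-over-LAN socket. It assumes serial unit 0 (/dev/ttyS0) at 115200 8N1 and that you run `update-grub` afterwards; the function names are mine.

```shell
#!/bin/sh
# Added example: route GRUB and the Linux console to the first serial port.
# Assumptions: Ubuntu-style /etc/default/grub, serial unit 0 (/dev/ttyS0),
# 115200 8N1. Run `update-grub` after editing (not done here).

set_grub_key() {
    # set_grub_key FILE KEY VALUE: replace an existing KEY=... line or append one
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

enable_serial_console() {
    # enable_serial_console FILE [UNIT] [SPEED]
    file=$1; unit=${2:-0}; speed=${3:-115200}
    # Keep tty0 for a local screen. The LAST console= becomes /dev/console,
    # which is where the initramfs cryptsetup prompt is shown, so ttyS goes last.
    set_grub_key "$file" GRUB_CMDLINE_LINUX "console=tty0 console=ttyS${unit},${speed}n8"
    # Show the GRUB menu on both the serial port and the local display.
    set_grub_key "$file" GRUB_TERMINAL "serial console"
    set_grub_key "$file" GRUB_SERIAL_COMMAND \
        "serial --unit=${unit} --speed=${speed} --word=8 --parity=no --stop=1"
}

serial_console_enabled() {
    # serial_console_enabled FILE [UNIT]: exit 0 when all three settings are present
    file=$1; unit=${2:-0}
    grep -q "^GRUB_CMDLINE_LINUX=.*console=ttyS${unit}," "$file" &&
    grep -q '^GRUB_TERMINAL="serial console"' "$file" &&
    grep -q "^GRUB_SERIAL_COMMAND=.*--unit=${unit} " "$file"
}
```

Once the kernel console is on ttyS0, the cryptsetup prompt from the initramfs is readable and answerable through the BMC's serial redirection, which is what the answer's "serial console setup" refers to.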