6

I have some servers I'd like to keep on encrypted disks, but I don't want to have to manually type a passphrase at every boot. I also don't want to keep the key on the machine unencrypted. TPM would be a natural fit here, but what if someone steals the entire machine?

What if I set up a "cluster" of sorts, where each machine only stored the other machine's keys on something that was encrypted at rest? So now, only if all the machines in the cluster were offline at the same time would a passphrase have to be supplied manually, and only on one of the machines.

Each node would have an initramdisk with a dropbear instance and a couple of scripts that would:

  1. Try detecting other nodes in the cluster.
  2. Send some request to the other node to turn around and log in via ssh, and supply the key for the local root filesystem.
  3. If no hosts are in the cluster, or no hosts have the appropriate ssh key, prompt for a passphrase.

This way, no keys are stored unencrypted anywhere, and I can reboot all my servers, so long as at least one stays up at a given time. If they're all down at once, I have to type a password.

Would this be a secure solution? If not, could the basic idea be modified to be made a secure solution?

(Also, is there an existing name for this type of setup?)

librett0
  • This looks more like a Serverfault question, because it is about the operation of the servers, not the security of the servers, per se. – schroeder Jan 30 '16 at 00:36
  • This isn't high availability, this is automatic / unattended reboots. Highly available services are typically done using multiple systems that can keep offering the service if one machine dies. It can wait until someone types in the password (and more importantly figure out the cause of the reboot) before returning to service. If availability was my concern this isn't an area I'd focus on. – Jan 30 '16 at 12:11
  • AFAIK, there is no supported way to accomplish this securely. There are some projects that show you how to create a custom initrd/initramfs that is network enabled and has a ssh key embedded in it, will ssh to a host, grab a passphrase to decrypt the disk, etc. I would not do this in an environment that requires high availability. Those methods are still very hackish and prone to problems at this time. If enough people ask for it, you may be able to get your OS vendor to create an unsupported package that does this, but even that is unlikely. Good question though. – Aaron Jan 30 '16 at 14:59
  • This is a very complicated setup, and without knowing more about the why it's hard to advise on it. Exactly what kind of adversary are you trying to defeat here? You mention the servers being stolen, and are concerned about a situation where *all* the machines are off, but not one where just one or two are off. Is the mass shutdown+theft of the server cluster really of that much concern? If so, physical security would be the place to approach this, not server security. But otherwise, I see a hole in this plan: if one server is compromised, they have the key to another and can hop. Not good. – Joshua Boniface Feb 08 '17 at 02:30
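The three-step unlock procedure from the question, written out as an added POSIX sh example that is not the poster's code or any project's. It assumes a hypothetical `request-unlock` command on the peers, that a peer answers it by sshing back into this node's dropbear and writing the key to `KEYFILE`, and constructed peer addresses from the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example (not from the question or any project): the initramfs unlock
# hook outlined in the question. Hypothetical: each peer in PEERS accepts an
# ssh login from this node's initramfs key that runs "request-unlock", then
# sshes back into the dropbear here and writes this node's key to KEYFILE.

PEERS="${PEERS:-192.0.2.11 192.0.2.12}"   # constructed peer addresses
KEYFILE="${KEYFILE:-/run/rootkey}"        # tmpfs path the peer writes to
ROOTDEV="${ROOTDEV:-/dev/sda2}"
WAIT_SECS="${WAIT_SECS:-20}"
SSH="${SSH:-ssh}"                         # ssh client binary in the initramfs

# Step 2: ask one peer to ssh back in and drop the key. BatchMode stops any
# interactive prompt; the pinned known_hosts file refuses an impostor peer.
request_key() {
    "$SSH" -o BatchMode=yes -o ConnectTimeout=3 -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile=/etc/initramfs/known_hosts \
        -i /etc/initramfs/id_ed25519 "unlock@$1" request-unlock >/dev/null 2>&1
}

# Wait up to $1 seconds for the peer's inbound session to write the key file.
# Returns 0 as soon as a non-empty key file exists, 1 on timeout.
wait_for_key() {
    n=0
    while [ "$n" -lt "$1" ]; do
        [ -s "$KEYFILE" ] && return 0
        sleep 1; n=$((n + 1))
    done
    [ -s "$KEYFILE" ]
}

# Steps 1-3: try each peer in turn (an unreachable peer just fails fast) and,
# if none delivers a key, fall back to the interactive passphrase prompt.
# Prints "peer" or "prompt" so the caller knows where the key came from.
key_source() {
    for p in $PEERS; do
        if request_key "$p" && wait_for_key "$WAIT_SECS"; then
            echo peer; return 0
        fi
    done
    echo prompt
}
unlock_root() {
    case "$(key_source)" in
        peer)   cryptsetup luksOpen --key-file "$KEYFILE" "$ROOTDEV" cryptroot ;;
        prompt) cryptsetup luksOpen "$ROOTDEV" cryptroot ;;
    esac
    rm -f "$KEYFILE"   # the key must not remain on this node after unlocking
}
```

The pinned known_hosts file only keeps an impostor from posing as a peer; a genuine peer that has been compromised can still hand over this node's key, which is the hop the last comment points out.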

1 Answer

0

This is only a partial answer, but have you looked into arver? Arver is a tool to manage LUKS-encrypted disks on different systems by different people.