Does a Windows 7 system volume encryption tool exist that allows remote unlocking via ssh during boot phase?

5

1

Does a tool/method exist which allows encrypting a Windows 7 system volume while providing the possibility to remotely unlock it via ssh during the boot phase? Is it even possible with Windows 7 (I guess it should be)?

On linux, a LUKS encrypted rootfs can be unlocked via ssh during the boot phase (also see /usr/share/doc/cryptsetup/README.remote.gz on Debian).

The DiskCryptor project comes with a powerful bootloader which allows booting an encrypted system volume by unlocking it via USB or LAN (automatically providing the previously hard-coded password). However, I found no possibility to enter the required unlocking password over a ssh connection and I absolutely don't want to hard-code the password somewhere (not even in my (hopefully) secure LAN).

Therefore, a similar solution to the LUKS approach most probably involves a separate unencrypted boot partition with an ssh server and some boot magic which handles the unlocking and allows chain-loading the encrypted system partition with Windows 7.

Does anything like this exist or is being developed?

speakr

Posted 2012-07-19T15:48:41.060

Reputation: 3 379

What product did you use to encrypt the disk? You describe Linux parallels instead of describing what you did with Windows. There is not enough info here for a useful answer. – harrymc – 2012-07-24T05:50:31.537

@harrymc I'm not asking for a specific solution, e.g. using TrueCrypt. I'm just asking for anything that would allow Windows system volume encryption as well as remote unlocking via ssh. Perhaps another fork of TrueCrypt or FreeOTFE or whatever - I would gladly use it and encrypt my system volume with it. I used the LUKS example to show that such solutions exist, at least for Linux. (I edited the question for clarification)

– speakr – 2012-07-24T09:14:35.030

One solution might be to convert Windows 7 into a virtual machine inside Linux. – harrymc – 2012-07-24T09:35:15.957

This article might help you, but I don't have the right environment for it. – harrymc – 2012-07-24T11:48:50.157

@harrymc Hmm, the mentioned TrueCrypt rescue disk must reside in an encrypted folder and GRUB must be able to access it by asking for a password supplied via ssh. A lot of conditions, but I'll have a look into this - thanks for the hint. – speakr – 2012-07-24T14:21:24.883

I just found this question which mentions kexec. This could be the holy grail: booting into a LUKS-encrypted Linux by unlocking it via ssh, then using kexec to directly boot a TrueCrypt-encrypted Windows system volume from there using the TrueCrypt rescue disk. I'll try that. :)

– speakr – 2012-07-24T14:26:34.703

Looks promising indeed. – harrymc – 2012-07-24T15:54:57.380

Hi Speakr, unfortunately I don't have a turnkey solution for you, but I think the solution may be using Sysinternals PsExec, which allows running any program remotely. http://technet.microsoft.com/en-us/sysinternals/bb897553

– climenole – 2012-07-25T22:55:49.190

@climenole PsExec can only be used to execute applications on an already booted Windows system. Therefore, it is no solution for my scenario. – speakr – 2012-07-26T07:29:09.910

http://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html Only works if you have the hardware and the 3rd party apps. – Phillip R. – 2012-07-27T01:57:42.080

@PhillipR. I guess you refer to Intel's hardware-based encryption and KVM remote control. As you already mentioned, this depends on very specific hardware and therefore is no feasible solution. – speakr – 2012-07-27T23:00:37.480

@Speakr yeah, that is the only setup that I have ever heard that could do what you are asking. – Phillip R. – 2012-07-28T02:20:15.220

Answers

0

I finally found an inexpensive solution to this problem by turning a Raspberry Pi Zero W into a remotely accessible USB keyboard.

Steps:

  1. Remotely start the computer with the encrypted Windows system partition using Wake on LAN
  2. Use SSH to remotely access the Pi that is connected to the computer via USB
  3. Send the passphrase to unlock the encrypted Windows partition from the Pi to the computer via USB
  4. Continue booting

This works flawlessly e.g. with a Windows 10 system partition encrypted with VeraCrypt.

speakr

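The Pi-as-keyboard step above relies on the USB gadget framework presenting the Pi as a HID keyboard and the passphrase being "typed" as 8-byte boot-protocol reports. The following is an added example, not the answerer's script: it encodes a passphrase into HID reports for a US layout and writes them to the gadget node, which is assumed to be /dev/hidg0; characters the layout cannot produce raise an error instead of being typed wrongly at the pre-boot prompt.

```python
HID_DEVICE = "/dev/hidg0"   # assumption: the gadget keyboard node on the Pi
SHIFT = 0x02                # left-shift bit in report byte 0 (modifiers)
KEY_ENTER = 0x28
RELEASE = bytes(8)          # all-zero report: every key released

# US layout: character -> (modifier byte, HID usage id)
_KEYMAP = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _KEYMAP[c] = (0, 0x04 + i)
    _KEYMAP[c.upper()] = (SHIFT, 0x04 + i)
for i, c in enumerate("1234567890"):
    _KEYMAP[c] = (0, 0x1E + i)
for i, c in enumerate("!@#$%^&*()"):
    _KEYMAP[c] = (SHIFT, 0x1E + i)
for plain, shifted, usage in [
    (" ", None, 0x2C), ("-", "_", 0x2D), ("=", "+", 0x2E), ("[", "{", 0x2F),
    ("]", "}", 0x30), ("\\", "|", 0x31), (";", ":", 0x33), ("'", '"', 0x34),
    ("`", "~", 0x35), (",", "<", 0x36), (".", ">", 0x37), ("/", "?", 0x38),
]:
    _KEYMAP[plain] = (0, usage)
    if shifted:
        _KEYMAP[shifted] = (SHIFT, usage)


def report(modifier: int, usage: int) -> bytes:
    """One 8-byte boot-protocol keyboard report: modifiers, reserved, 6 keys."""
    return bytes([modifier, 0, usage, 0, 0, 0, 0, 0])


def reports_for(text: str, press_enter: bool = True) -> list:
    """Key-down/key-up report pairs that type `text`, then Enter.
    Raises ValueError for characters the US layout cannot produce."""
    out = []
    for ch in text:
        if ch not in _KEYMAP:
            raise ValueError(f"cannot type {ch!r} with the US layout")
        mod, usage = _KEYMAP[ch]
        out += [report(mod, usage), RELEASE]
    if press_enter:
        out += [report(0, KEY_ENTER), RELEASE]
    return out


def type_passphrase(text: str, device: str = HID_DEVICE) -> int:
    """Write the reports to the gadget node; returns the number sent."""
    reps = reports_for(text)
    with open(device, "wb", buffering=0) as hid:
        for r in reps:
            hid.write(r)
    return len(reps)
```

The pre-boot prompt reads the keyboard in boot-protocol mode, so each key must be released (the all-zero report) before the next press or repeated characters are dropped.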

0

The only way to achieve this is to buy a network KVM adapter, which can be quite expensive depending on which one you choose. Similar to most BIOSes, you can't remotely access it unless you have a networked KVM, which will essentially put your keyboard, mouse and monitor on the network.

For this example, I will use the bootloader from Truecrypt:

The bootloader is supposed to do one thing (and one thing ONLY) and that is to decrypt your Windows system partition so that the decrypted form of Windows can start booting. For this reason, the bootloader is EXTREMELY lightweight to speed up the time from when the power button is pressed to the bootloader screen where it asks for your password for decryption. Therefore, any SSH implementation in the bootloader is unrealistic.

superuser


Reputation: 3 297

Yes, ssh for a bootloader may be too much overhead; nevertheless the LUKS way works fine. I don't need a powerful all-in-one bootloader, I just need something that works with Windows like LUKS does with Linux. – speakr – 2012-08-18T15:36:56.220

I disagree about a network KVM adapter being the only possibility for achieving the OP's result. Using VirtualBox or VMware for hosting the Windows installation inside a minimal Linux dist would probably be the way I'd solve this issue, since this gives you access to the system console even during the boot process. It doesn't have to be a large dist, however. You could strip it down to just some kind of X and an autoloader for VirtualBox/VMware. However, the security of this dist should also be considered, since the OP's way in might become a source of future security breaches. – Simme – 2012-08-21T05:31:36.897