Hi there! I have a little box at home, hosting some little services for personal use under FreeBSD with full disk encryption (geli). I’m never at home and long power outages often occur, so I always need to come back home to type my passphrase to decrypt the disk.
I was searching this week for a solution to do it remotely and found the “poor-guy-kvm” solutions that turn a Raspberry-like board (BeagleBone Black in my case) into a HID keyboard. It works fine once the computer has booted, but on reboot, when the passphrase is asked for before it loads the loader menu, nothing. When I plug in an ordinary USB keyboard I can type my passphrase, so the USB module is loaded.
Am I missing something? Am I trying something impossible?
(I could’ve asked on the FreeBSD forum but… have to subscribe, write a presentation, etc.… Long journey)
I have a box at home … I’m never at home.
How is this your home? Please resolve this mystery so I can find sleep again.
I haven’t said “I have a box at my home”, just “at home” ;)
You’ve got some options:
- TPM 2 based disk encryption. This is basically what BitLocker does, but it isn’t great. It uses an encryption key stored on your TPM chip that shouldn’t ever be exportable. This means the disk should only be decryptable in the machine it’s in. That, in conjunction with Secure Boot, can give you some guarantees that the only way to access data is through the computer itself (no pulling the disk first). The issue is there are many potential vulnerabilities that could subvert this, LogoFAIL being the most recent.
- You could set up a proper KVM. The two go-tos are PiKVM and TinyPilot. Jeff Geerling did a good video on these. It’ll cost a few hundred bucks but can definitely be worth it. You might consider a motherboard with a built-in KVM in your next build too.
- Set up NBDE (Network Bound Disk Encryption). This is pretty new, but it’s what I’m planning to move to. Red Hat has an implementation with Tang & Clevis (server and clients). You might eventually be able to use Clevis with other alternative backends too.
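Worked illustration of the NBDE scheme mentioned above, added here and not code from this thread or from the Tang/Clevis projects: a toy version of the McCallum-Relyea exchange Tang uses, written in a multiplicative group mod p instead of an elliptic curve so it runs with the standard library only. The modulus, generator, class and function names are constructed assumptions. It shows the property that matters for the question: the metadata left on the disk holds no secret, the Tang server never learns the key, and the key can only be rebuilt while the server is reachable.

```python
"""Toy model of the Tang/Clevis (NBDE) key exchange.

Added illustration, not code from the thread or from the Tang/Clevis projects.
Real Tang uses elliptic-curve Diffie-Hellman (the McCallum-Relyea exchange);
this version uses the same algebra in a small multiplicative group mod p.
The prime and generator are constructed toy parameters, not the real protocol's.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # constructed toy modulus (a Mersenne prime); far too small for real use
G = 3                # constructed toy generator


class TangServer:
    """Holds the long-term secret s and answers 'recover' requests (toy Tang)."""

    def __init__(self):
        self.s = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.s, P)          # advertised public key S = g^s

    def recover(self, x):
        # The server only ever sees a blinded value and returns x^s.
        return pow(x, self.s, P)


def derive_key(shared):
    # Hash the shared group element (fits in 16 bytes since it is < 2^127) to a 32-byte key.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def bind(server_public):
    """Provisioning step (what 'clevis luks bind' does). Returns (key, metadata_to_store)."""
    c = secrets.randbelow(P - 2) + 1
    C = pow(G, c, P)                       # stored on disk, public
    K = pow(server_public, c, P)           # = g^(s*c), the wrapping key
    # c and K are discarded; only C and S are kept in the on-disk metadata.
    return derive_key(K), {"C": C, "S": server_public}


def recover(metadata, server):
    """Unlock step at boot: rebuild the key from public metadata plus one server round trip."""
    e = secrets.randbelow(P - 2) + 1       # fresh ephemeral value per boot
    E = pow(G, e, P)
    X = (metadata["C"] * E) % P            # blinded: the server cannot separate C from E
    Y = server.recover(X)                  # = g^(s*(c+e))
    unblind = pow(pow(metadata["S"], e, P), -1, P)   # inverse of g^(s*e)
    K = (Y * unblind) % P                  # = g^(s*c), same as at bind time
    return derive_key(K)


def demo():
    """Returns (key matches with the right server, key matches with a different server)."""
    server = TangServer()
    key_at_bind, metadata = bind(server.public)
    key_at_boot = recover(metadata, server)
    other_server = TangServer()            # e.g. an attacker who stole the disk but not the Tang box
    key_elsewhere = recover(metadata, other_server)
    return key_at_bind == key_at_boot, key_at_bind == key_elsewhere


if __name__ == "__main__":
    print(demo())   # expected: (True, False)
```

The blinding is the whole point: because the client sends C·E rather than C, the server cannot recover the wrapping key from what it sees, and because c is thrown away after binding, the disk alone cannot be unlocked either; only a machine that can reach the Tang server that holds s gets the key back.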
Thanks for your answer! Someone already mentioned TPM, I will check that out when I have free time. Already tried PiKVM and TinyPilot with no success unfortunately… Didn’t know NBDE, will take a look too!
I think you are overthinking it. Most remote solutions like RustDesk and Moonlight allow you to log in remotely.
Another thought is you could set up Cockpit so you can control it remotely if everything else fails.
You could buy a remote KVM device. The serial port of your target box connects to that and the KVM connects to the internet. With that, you can watch the device during boot and access the console remotely.
I used to run a web hosting business and we used those. I have not shopped for a personal one, but surely there must be old and used ones for sale.
Bonus: our hosting business ran on FreeBSD so I can confirm there was no problem there. Because it’s a serial connection no OS support is required.
Hmm, I’ve read it’s expensive but never verified it, I admit. And no serial port on my box… Will check the price of new and second-hand devices.
Not sure about FreeBSD, but under Linux I have used SSH-based solutions in the past, specifically dracut-sshd to call systemd-tty-ask-password-agent, and of course some early network configuration.
I’m not sure how it’d work for FreeBSD, but on Linux you can get sshd running in your initrd. You can even go as far as getting an onion service running in your initrd and using that for remote access.