Concept / Work in Progress
Remote GELI decryption of NAS4Free from anywhere
After doing much searching, but not seeing good solutions for remotely entering an on-boot passphrase for GELI encryption in FreeBSD, I decided it was time to invent my own.
My NAS4Free lives in an all-in-one ESXi box with the SATA controller passed through to the VM. On this ESXi box also lives my firewall running on pfSense.
If my server goes down, it is pfSense that boots back up first, followed by NAS4Free. By adding a serial port to each VM, and enabling the serial console in NAS4Free, I can now SSH into my pfSense VM, even from the internet, connect to the serial port of the NAS4Free VM and supply the GELI password.
This is nice, but kind of a pain in the butt with 12 partitions to decrypt (more on that later). Ideally I'd like one password to enter and have them all decrypted, but I don't really want them to all use the same password.
After considering many options to solve this, originally considering encrypting with keys stored on another GELI image file, I stumbled across a much simpler solution.
Salted hashes. I can derive a secure password hash using the UUID of the disk as a salt, and now I have a unique encryption passphrase for each disk but only have to enter one password for all of them.
Now I just need to make this all easier. My plan is to create a user on pfSense whose shell automatically runs an Expect script that asks for the password, then enters each passphrase derived from the password+UUID hash.
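As an added illustration of the derivation step above (not code from the post), this derives one passphrase per disk from a single master password, using the disk UUID as the salt. It uses PBKDF2-HMAC-SHA256 rather than a bare hash so that a passphrase seen on the serial console cannot cheaply be brute-forced back to the master password; the UUIDs, the `geli:` salt prefix and the iteration count are assumptions of this example.

```python
import base64
import hashlib

# Constructed sample disk UUIDs (not from the post); on FreeBSD these would
# come from the disk label or GELI provider name of each encrypted partition.
SAMPLE_DISK_UUIDS = [
    "0f7d6b1e-3a52-4c8a-9b1d-aa11bb22cc33",
    "5e2c9a40-7f6b-4d1e-8c3a-dd44ee55ff66",
]


def derive_passphrase(master_password: str, disk_uuid: str,
                      iterations: int = 200_000, length: int = 32) -> str:
    """Derive one GELI passphrase per disk from a single master password.

    The disk UUID is the salt, as in the post; PBKDF2-HMAC-SHA256 replaces a
    plain hash so guessing the master password from one passphrase is slow.
    The UUID is lower-cased so the same disk always yields the same result,
    and the output is URL-safe base64 so an Expect script can send it to the
    serial console without escaping problems.
    """
    salt = f"geli:{disk_uuid.lower()}".encode()  # "geli:" prefix is an assumed domain tag
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              iterations, dklen=length)
    return base64.urlsafe_b64encode(key).decode().rstrip("=")


def derive_all(master_password: str, disk_uuids) -> dict:
    """Map every disk UUID to its derived passphrase."""
    return {uuid: derive_passphrase(master_password, uuid) for uuid in disk_uuids}


if __name__ == "__main__":
    import getpass
    master = getpass.getpass("Master password: ")
    for uuid, passphrase in derive_all(master, SAMPLE_DISK_UUIDS).items():
        print(f"{uuid}: {passphrase}")
```

The per-disk passphrases are only as strong as the master password, so this makes entry convenient rather than replacing a strong secret.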
Right now this is all very preliminary, and more of a thought exercise than anything, but I'll update as I make progress.