Hi, Why not to do little bit diffrently?

1. Server boots into unencrypted kernel with ssh server (it has just that ssh server)
2. Then you connect remotely via ssh and provide password (unlock encrypted disks etc)
3. Then system boots to encrypted environment which you unlocked at step 2
4. profit

No second pc/raspberry is required

I have this done with luks on Debian: https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/ I think you can adapt something similar to your freebsd

Quick google search found:

https://forums.freebsd.org/threads/encrypted-root-with-unencrypted-preboot-and-reboot-r.74378/

https://github.com/Sec42/freebsd-remote-crypto

I'm not sure how it'd work for freebsd, but on Linux, you can get sshd running in your initrd. You can even go as far as getting an onion service running in your initrd, and using that for remote access.

If you have a TPM 2 you can use secure boot (custom keys) to allow Linux to decrypt itself if nothing has changed.

I have a box at home .... I'm never at home.

How is this your home? Please resolve this mystery so I can find sleep again.

Not sure about FreeBSD but under Linux I have used SSH based solutions in the past, specifically dracut-sshd to call systemd-tty-ask-password-agent and of course some early network configuration.

I'm using encrypted ZFS as the root partition on my server and I've (mostly) followed the instructions in point #15 from here: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Bookworm%20Root%20on%20ZFS.html

This starts dropbear as an SSH server that only has a single task: when someone logs in to it they get asked for the decryption key of the root partition.

I suspect that this could be adopted to whatever encryption mechanism you use.

I didn't follow it exactly, because I didn't want the "real" SSH host keys of the host to be accessible unencrypted in the initrd, so the "locked host" has a different SSH host key than when it is fully booted, which is preferred for me.

I'm in the market for a similar solution. Is the BeagleBone being powered via USB? If so, it might be trying to pull more current than the USB stack will allow at that point. Can you debug the board while it's in the non-working state? Also, does it present as a single HID device?

Have you looked into policy-based decryption? Here's an knowledge base page on the RHEL customer portal that goes over it well. I'm not sure if this will work on freebsd but it does offer a solution that allows for zero-touch reboots.

You gave some options

• TPM 2 based disk encryption. This is basically what bitlocker does, but it isn't great. It uses an encryption key stored on your TPM chip, that shouldn't ever be accessible to be exported. This means the disk should only be decryptable in the machine it's in. That in conjunction with secure boot can give you some guarantees that the only way to access data is through the the computer itself (no pulling the disk first). The issue is there are many potential vulnerabilities that could subvert this, logoFAIL being the most recent.

• You could setup a proper KVM. The two gotos are PiKVM and TinyPilot. Jeff Geerling did a good video on these. It'll cost a few 100 bucks but can definitely be worth it. You might consider a motherboard with a builtin KVM in your next build too.

• Setup NBDE (Network Bound Disk Encryption). This is pretty new, but what I'm planning to move to. Redhat has an implementation with Tang & Clevis (server and clients). You might be able to eventually use Clevis with other alternative backend too.

Did you try this: https://github.com/touchgadget/usbkwa ?

I use this to unlock Windows when I WOL it.

I think you are over thinking it. Most remote solutions like rustdesk and moonlight allow you to remotely log in.

Another thought is you could setup cockpit so you can control it remotely if everything else fails

You could buy a remote KVM device. The serial port of your target box connects to that and the KVM connects to the internet. With that, you can watch the device during boot and access the console remotely.

I used to run a web hosting business and we used those. I have not shopped for a personal one, but surely there must be old and used ones for sale.

Bonus: our hosting business ran on FreeBSD so I can confirm there was no problem there. Because it’s a serial connection no OS support is required.

Like someone already mentioned, you can use dracut-ssh for rpm-based distros or dropbear-initramfs for deb-based distros. My idea would be to use debian as host and virtualize or dockerize the freebsd system/software part.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

4 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.

[Thread #340 for this sub, first seen 8th Dec 2023, 22:45] [FAQ] [Full list] [Contact] [Source code]

New Lemmy Post: Remote solution to decrypt disk at boot (https://lemmy.world/post/9249899)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md