Remote system unlock through Tor on boot

4 replies [Last entry]
amuza
Offline
Joined: 02/12/2018

Hello,

I've been asking around for some help related to Debian and Tor (I asked in the TorProject IRC, in the tor-onions mailing list and in debian-user mailing list) but I have not managed to have my problem solved.

I would like to be able to remotely unlock through Tor a system that is booting and has its system (root partition) LUKS-encrypted.

I learnt to do so without Tor. With software like dropbear-initramfs and cryptsetup-initramfs I can remotely unlock a server that is trying to boot but has its root partition encrypted with LUKS. That is possible because there is an SSH server (Dropbear) that starts to run from the unencrypted boot partition, so I can SSH into it to enter the passphrase which unencrypts the root partition so that the system completely boots up.

In order to do so, since I do not have a static public IP address, I have to configure a Dynamic DNS service and redirect ports.

What I would like to have now is an onion service running in the boot partition too, that way I could remotely unlock the root partition without caring about NAT, ports or DNS, and would get a more private connection too.

How could I install tor in the boot partition?

Thank you

Parodper
Offline
Joined: 05/01/2020

On 11/03/21 at 20:16, name at domain wrote:
> [Trimmed]
>
> In order to do so, since I do not have a static public IP address, I
> have to configure a Dynamic DNS service and redirect ports.

I'll be the first to admit I am not precisely an expert on Tor, but Tor
also needs that. You would still need to redirect ports and use some
sort of DDNS. Without that there is not any way to contact your computer.

> What I would like to have now is an onion service running in the boot
> partition too, that way I could remotely unlock the root partition
> without caring about NAT, ports or DNS, and would get a more private
> connection too.
>
> How could I install tor in the boot partition?
>
> Thank you

Check out how those tools you use did it and try to replicate that with
torify.

amuza
Offline
Joined: 02/12/2018

That's not correct: you don't need any DDNS or port redirection to reach your onion service; actually, you don't even need an open port.

amuza
Offline
Joined: 02/12/2018

I know there exist these two webpages:

https://nixos.wiki/wiki/Remote_LUKS_Unlocking

https://github.com/grazzolini/mkinitcpio-tor

I would like to apply that to Debian*, but I don't understand everything in those guides, like which files exactly I should edit.

If someone understands any of those two pages and is willing to act as a translator for me, please let me know so that I can start shooting questions!

* I need it for a Debian system now, but once I have it, I guess I will be able to apply it to Trisquel systems without any difference.
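As an added example (editor's illustration, not code from the thread, the nixos wiki page, mkinitcpio-tor or any Debian package), here is one way to answer the "which files exactly" question on Debian with initramfs-tools: a build-time hook that copies tor, a torrc and a pre-generated onion key into the initramfs, an init-premount script that starts tor after dropbear-initramfs has brought the network up, and an init-bottom script that stops it before the real root is mounted. Everything it relies on is an assumption not stated in the thread: dropbear-initramfs and cryptsetup-initramfs already work over plain SSH, tor lives at /usr/bin/tor, and the onion identity (hostname and hs_ed25519_secret_key) was generated beforehand into /etc/tor/unlock-onion, for instance by running tor once on the booted system with that HiddenServiceDir, so the .onion name survives reboots. The function writes the three files below a root of your choice so they can be staged in a scratch directory and reviewed before being installed under / and rebuilt with update-initramfs -u.

```shell
#!/bin/sh
# Added example, not the project's or the thread's own code. Assumptions: Debian,
# dropbear-initramfs + cryptsetup-initramfs already unlocking over SSH, tor at
# /usr/bin/tor, onion key dir pre-generated at /etc/tor/unlock-onion (root-only).
# install_tor_initramfs ROOT writes three initramfs-tools files below ROOT; use a
# scratch dir to inspect them, then "/" followed by "update-initramfs -u".

install_tor_initramfs() {
  root="${1:?usage: install_tor_initramfs ROOT}"
  hooks="$root/etc/initramfs-tools/hooks"
  premount="$root/etc/initramfs-tools/scripts/init-premount"
  bottom="$root/etc/initramfs-tools/scripts/init-bottom"
  mkdir -p "$hooks" "$premount" "$bottom"

  # 1. Build-time hook (runs under mkinitramfs, $DESTDIR is the image root):
  #    copy tor plus its shared libraries, a minimal torrc and the onion key.
  cat > "$hooks/tor" <<'EOF'
#!/bin/sh
PREREQ="dropbear"
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac
. /usr/share/initramfs-tools/hook-functions
[ -x /usr/bin/tor ] || exit 0
[ -d /etc/tor/unlock-onion ] || { echo "tor hook: /etc/tor/unlock-onion missing" >&2; exit 1; }
copy_exec /usr/bin/tor /usr/bin
mkdir -p "$DESTDIR/etc/tor" "$DESTDIR/var/lib/tor"
cat > "$DESTDIR/etc/tor/torrc" <<'TORRC'
DataDirectory /var/lib/tor
PidFile /var/lib/tor/tor.pid
Log notice file /var/lib/tor/tor.log
HiddenServiceDir /var/lib/tor/unlock-onion
# dropbear-initramfs listens on 22 unless DROPBEAR_OPTIONS changes it
HiddenServicePort 22 127.0.0.1:22
TORRC
cp -a /etc/tor/unlock-onion "$DESTDIR/var/lib/tor/unlock-onion"
chmod 700 "$DESTDIR/var/lib/tor/unlock-onion"   # tor rejects a group/world-accessible HS dir
EOF

  # 2. Boot-time: start tor once the dropbear script has configured networking
  #    (PREREQ orders this script after it).
  cat > "$premount/tor" <<'EOF'
#!/bin/sh
PREREQ="dropbear"
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac
. /scripts/functions
[ -x /usr/bin/tor ] || exit 0
log_begin_msg "Starting tor for remote LUKS unlock"
/usr/bin/tor -f /etc/tor/torrc --RunAsDaemon 1
log_end_msg
EOF

  # 3. Just before switch_root: stop tor so nothing from the initramfs lingers.
  cat > "$bottom/tor" <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac
[ -r /var/lib/tor/tor.pid ] && kill "$(cat /var/lib/tor/tor.pid)" 2>/dev/null
exit 0
EOF

  chmod 755 "$hooks/tor" "$premount/tor" "$bottom/tor"
}

# Stage into a scratch directory when invoked with an argument, e.g.
#   sh tor-initramfs.sh /tmp/stage && find /tmp/stage -type f
if [ -n "${1:-}" ]; then
  install_tor_initramfs "$1"
fi
```

Once the image is rebuilt, the client side is the usual dropbear-initramfs unlock, only reached through Tor: `torsocks ssh root@$(cat /etc/tor/unlock-onion/hostname)` (or an ssh ProxyCommand such as `nc -X 5 -x 127.0.0.1:9050 %h %p`) and then `cryptroot-unlock` in the Dropbear shell. Three caveats follow directly from how Tor works: the service only becomes reachable some time after tor has bootstrapped and published the onion descriptor, so expect a wait of a minute or two after power-on; tor will not accept the directory consensus if the hardware clock is far off, and the initramfs has no NTP; and the onion secret key sits unencrypted in /boot inside the initramfs image, exactly like the Dropbear host key already does, so whoever can read /boot can impersonate the unlock service.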

koszkonutek
Offline
Joined: 03/19/2020

While what you're trying to achieve is definitely possible, I am not sure it really improves security. If an adversary has physical access to your server, they could attempt to hijack your SSH session... I think SecureBoot could be used together with LUKS to improve the defense a bit.

Nonetheless, a different approach, possibly easier than modifying initramfs, comes to my mind. You could use a minimal system on non-encrypted partition to load the main system, utilizing kexec:
https://en.wikipedia.org/wiki/Kexec