Hey everyone, here’s an idea, what do you think? (Please stop me…)

I have a few remote servers where disk encryption is only a moderately important measure; I definitely want to keep it but I’m also annoyed by having to ssh into it during the initrd-phase to provide a passkey on every reboot. What I would like is to get a notification with a link to my idp for some device flow, allowing me to authorize the server to obtain the secrets necessary for decryption.

As far as I can tell, this hasn’t been done before, or have I missed something? A naive idea would be to have custom oidc-claims for the different servers where the value is the luks-passphrase. Feels like a bad idea, though. Any ideas on the details as to how? I obviously don’t want to bloat my initrd-image, so a bash script using curl would be ideal.

  • dont@lemmy.world (OP) · 19 hours ago

    Yes, I was thinking about storing encrypted keys, but still, using claims is clearly just wrong… Using a vault to store the key is probably the way to go, even though it adds another service the setup depends on.

    • Eknz@lemmy.eknz.org · edited · 18 hours ago

      A fall-back to the current way of unlocking the volume would probably be a good idea. It wouldn’t be fun to lose access to something because a cloud service went down or access to it was lost etc.

      • dont@lemmy.world (OP) · 17 hours ago

        Definitely! I have bmc/kvm everywhere (well, everywhere that matters).

        I have talked myself out of this (for now), though. I think if I ever find the time to revisit this, I will try to do it by injecting some oidc-based approval (memo to myself: ciba flow?) into something like clevis/tang.
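As an added example that is not part of the thread: a sketch of what the curl-based initrd script the OP asks for could look like. It runs the OIDC device-authorization grant (RFC 8628) against the IdP with only sh, curl and sed, fetches the LUKS key from a separate key service with the resulting bearer token (the vault that dont mentions, rather than a claim), and keeps the normal passphrase prompt as the fall-back Eknz suggests. The URLs, the client id and the key endpoint are placeholders; the key service is hypothetical and is assumed to return the raw key bytes.

```shell
#!/bin/sh
# Added example, not code from the thread. Device flow (RFC 8628) from an
# initrd with sh, curl and sed; key comes from a hypothetical key service
# that returns raw key bytes to a bearer token; falls back to the prompt.
IDP_DEVICE_URL="${IDP_DEVICE_URL:-https://idp.example/oauth/device}"  # placeholder
IDP_TOKEN_URL="${IDP_TOKEN_URL:-https://idp.example/oauth/token}"     # placeholder
KEY_URL="${KEY_URL:-https://vault.example/luks-key}"                  # placeholder
CLIENT_ID="${CLIENT_ID:-initrd-unlock}"                               # placeholder
MAX_POLLS="${MAX_POLLS:-60}"   # give up (and fall back) after this many polls
# Extract one flat string or number field from the IdP's JSON (no jq in initrd).
json_get() {
  printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}
# HTTP POST wrapper, kept separate so it can be replaced in tests.
http_post() { curl -sS --max-time 20 -d "$2" "$1"; }
# Run the device flow; print the access token on success, return 1 otherwise.
device_flow_token() {
  resp=$(http_post "$IDP_DEVICE_URL" "client_id=$CLIENT_ID&scope=openid") || return 1
  dev=$(json_get device_code "$resp"); [ -n "$dev" ] || return 1
  interval=$(json_get interval "$resp"); interval=${interval:-5}
  echo "Authorize at $(json_get verification_uri "$resp") with code $(json_get user_code "$resp")" >&2
  polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    sleep "$interval"; polls=$((polls + 1))
    resp=$(http_post "$IDP_TOKEN_URL" \
      "grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=$dev&client_id=$CLIENT_ID") || return 1
    tok=$(json_get access_token "$resp")
    if [ -n "$tok" ]; then printf '%s' "$tok"; return 0; fi
    case "$(json_get error "$resp")" in
      authorization_pending) ;;                   # user has not approved yet
      slow_down) interval=$((interval + 5)) ;;    # RFC 8628 section 3.5
      *) return 1 ;;                              # access_denied, expired_token, junk
    esac
  done
  return 1
}
# Fetch the key with the token and open the volume; otherwise ask for the passphrase.
unlock() {  # $1 = LUKS device, $2 = mapper name
  if tok=$(device_flow_token); then
    curl -sS --max-time 20 -H "Authorization: Bearer $tok" "$KEY_URL" \
      | cryptsetup open --key-file - "$1" "$2" && return 0
  fi
  echo "device flow failed or timed out; falling back to passphrase prompt" >&2
  cryptsetup open "$1" "$2"
}
if [ "$#" -eq 2 ]; then unlock "$1" "$2"; fi
```

Usage: `sh unlock.sh /dev/sda2 cryptroot`; the notification with the verification link is just the line written to stderr, which a hook could forward wherever the OP receives notifications.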