Hey everyone, here’s an idea, what do you think? (Please stop me…)
I have a few remote servers where disk encryption is only a moderately important measure; I definitely want to keep it but I’m also annoyed by having to ssh into it during the initrd-phase to provide a passkey on every reboot. What I would like is to get a notification with a link to my idp for some device flow, allowing me to authorize the server to obtain the secrets necessary for decryption.
As far as I can tell, this hasn’t been done before, or have I missed something? A naive idea would be to have custom oidc-claims for the different servers where the value is the luks-passphrase. Feels like a bad idea, though. Any ideas on the details as to how? I obviously don’t want to bloat my initrd-image, so a bash script using curl would be ideal.
I was sorting somethingting similar some time ago with https://www.dwarmstrong.org/remote-unlock-dropbear/
Also there is https://github.com/latchset/tang and https://github.com/latchset/clevis
Then I changed it so my server boots and offers basic functionality like DNS and any encrypted data would wait until I unlock it. When I fiddle with it could be annoying, but otherwise works very well considering I need to unlock it just a few times a year.