Remote unlocking with Booster

Unlocking with SSH

The use of encryption is highly recommended on mobile devices, desktop platforms, and servers. However, the default configuration expects someone to type the passphrase at the console during boot, which in practice means physical access to remote platforms. A solution proposed in archwiki/dm-crypt/specialities runs an SSH server during boot-up so the passphrase can be entered over the network. This can be achieved using TinySSH, Dropbear, or OpenSSH.

The main advantage of this approach is its simplicity for the end-user, leveraging a commonly used remote shell protocol (SSH). During boot-up, users connect to the server with a certificate and provide the encryption passphrase. While this hacky approach using SSH servers has some advantages, it also presents several disadvantages, primarily due to its niche nature and lack of widespread support. It relies on shell script hooks to run the server and transfer the passphrase, which can break during major updates.

Unlocking with Booster, Clevis, and Tang

Booster is a recent initramfs (kernel initial image) generator written in Go, which ships with built-in support for Clevis and Tang. The former is an encryption framework, while the latter provides an encrypted communication protocol without relying on third-party services. Clevis supports TPM and remote unlocking using Tang.

Initially, Tang was used as an alternative to TPM, where the passphrase would be automatically recovered at boot by querying a remote Tang service already registered. However, a reverse approach has been developed, where the Tang server is run during boot-up to accept and provide passphrases when clients with valid keys connect.
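The exchange behind the Tang pin is what lets a machine recover its passphrase only while the Tang server is reachable, without the server ever holding the passphrase or the derived key. The following is an added example (not code from Booster, Clevis or Tang) of that blinded Diffie-Hellman style exchange, written over a toy modular-arithmetic group so it runs with the standard library alone; the group parameters `P` and `G`, the class `TangServer`, the helpers `provision` and `recover`, and the XOR wrapping of the secret are all constructed for illustration. The real implementation runs the same steps on an elliptic-curve group and wraps the secret with a proper authenticated cipher.

```python
import hashlib
import secrets

# Toy group parameters (constructed for the demo): a Mersenne prime modulus
# and a fixed generator.  They only show the arithmetic; a production
# deployment uses an elliptic-curve group and a real key-wrapping format.
P = (1 << 127) - 1
G = 5


def _rand_exp() -> int:
    """Random exponent in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)


class TangServer:
    """Long-term secret s; answers recovery queries but never sees the key."""

    def __init__(self):
        self.s = _rand_exp()
        self.public = pow(G, self.s, P)   # S = g^s, advertised to clients

    def recover(self, x: int) -> int:
        # The server only ever receives the blinded value X = C * E and
        # returns X^s.  Because E is fresh and random, X tells it nothing
        # about C, and it never learns the key K.
        return pow(x, self.s, P)


def _derive_key(k: int) -> bytes:
    """Turn the shared group element into 32 key bytes."""
    return hashlib.sha256(k.to_bytes(16, "big")).digest()


def _xor(data: bytes, key: bytes) -> bytes:
    # Toy one-time-pad wrapping; the key is unique per provisioning.
    assert len(data) <= len(key)
    return bytes(a ^ b for a, b in zip(data, key))


def provision(server_public: int, secret: bytes):
    """Bind `secret` to the server: returns (wrapped_secret, C).

    The ephemeral exponent c and the key K are discarded afterwards, so the
    client on its own cannot unwrap the secret; it needs the server again.
    """
    c = _rand_exp()
    big_c = pow(G, c, P)                    # C = g^c, kept on disk
    k = pow(server_public, c, P)            # K = S^c = g^(s*c)
    return _xor(secret, _derive_key(k)), big_c


def recover(server: TangServer, wrapped: bytes, big_c: int) -> bytes:
    """Recover the secret at boot by querying the server with a blinded C."""
    e = _rand_exp()                         # fresh blinding exponent
    big_e = pow(G, e, P)                    # E = g^e
    x = (big_c * big_e) % P                 # X = C * E, hides C from the server
    y = server.recover(x)                   # Y = X^s = g^(s*(c+e))
    z = pow(server.public, e, P)            # Z = S^e = g^(s*e)
    k = (y * pow(z, -1, P)) % P             # K = Y / Z = g^(s*c), as at provisioning
    return _xor(wrapped, _derive_key(k))


if __name__ == "__main__":
    tang = TangServer()
    wrapped, big_c = provision(tang.public, b"volume-passphrase")
    print(recover(tang, wrapped, big_c))
```

Two properties worth noting from the code: the client stores only `C` and the wrapped secret, so a stolen disk image is useless without an answer from the server, and the server stores only `s`, so compromising it reveals no passphrase. A different server (a different `s`) produces a different `K` and the unwrap fails.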

Limitations

All methods presented above have limitations when it comes to physical access to the computer. A hostile agent with such access can replace the bootloader to capture the passphrase during unlocking, so none of these methods is entirely safe against that threat. Additionally, they are susceptible to man-in-the-middle attacks.