Most active commenters
  • pfexec(3)

←back to thread

Apple: SSH and FileVault

(keith.github.io)
507 points ingve | 18 comments | 18 Sep 25 20:15 UTC | HN request time: 0.2s | source | bottom
1. pfexec ◴[18 Sep 25 21:37 UTC] No.45295315[source]
Friendly reminder that you've been able to automatically unlock fully-encrypted Linux systems via TPM for years since it was added to systemd...

(Here's a nickel kid...)

replies(7): >>45295330 #>>45295407 #>>45295507 #>>45295760 #>>45295936 #>>45299627 #>>45311400 #
2. trueismywork ◴[18 Sep 25 21:38 UTC] No.45295330[source]
Link?
replies(1): >>45295369 #
3. pfexec ◴[18 Sep 25 21:41 UTC] No.45295369[source]
https://www.freedesktop.org/software/systemd/man/251/systemd...
4. rnhmjoj ◴[18 Sep 25 21:45 UTC] No.45295407[source]
Also possible without a TPM: you just put openssh into the initrd, so you can log in and type the password to unlock the root.

(It's technically not full-disk encryption because the kernel and initrd are in plaintext, but everything else is)

replies(1): >>45295435 #
5. pfexec ◴[18 Sep 25 21:48 UTC] No.45295435[source]
What do you authenticate against? Your shadow file is in the unencrypted area leaving it susceptible to offline attack.

With the TPM you can fully disable password auth over SSH.

replies(2): >>45295467 #>>45299124 #
6. rnhmjoj ◴[18 Sep 25 21:52 UTC] No.45295467{3}[source]
Correct, someone with physical access could run a MitM attack and steal your passphrase. I just find this extremely unlikely, so I honestly don't care.
7. xrisk ◴[18 Sep 25 21:56 UTC] No.45295507[source]
This is not the same thing is it? Arch Wiki mentions something about having to install a separate ssh server into initramfs to support ssh’ing into fully encrypted systems.

systemd-cryptenroll seems to be about storing encryption keys into the TPM so that they can be decrypted automatically at boot (?)

Apologies if I misunderstood something.

replies(2): >>45295907 #>>45296423 #
8. kwk1 ◴[18 Sep 25 22:23 UTC] No.45295760[source]
More similar to the usage pattern in the original post is "dropbear-initramfs", e.g. https://wiki.debian.org/DropBear
9. epistasis ◴[18 Sep 25 22:41 UTC] No.45295907[source]
I'm looking for what you're describing, some way to remote unlock a system. Is this the wiki page you're talking about?

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote...

However, I'd prefer that the box is not on the general internet, but only over my tailscale net. I wonder if tailscale will also fit in the initramfs...

replies(1): >>45296075 #
10. adestefan ◴[18 Sep 25 22:45 UTC] No.45295936[source]
But that uses TPM backed keys only protected by the TPM PSRs. Someone could still swipe your box and unlock the disk.
11. xrisk ◴[18 Sep 25 23:03 UTC] No.45296075{3}[source]
Yeah I was looking at that page. Found this btw: https://github.com/darkrain42/tailscale-initramfs
replies(1): >>45296219 #
12. epistasis ◴[18 Sep 25 23:22 UTC] No.45296219{4}[source]
Thanks! I'm just getting back into Linux boot issues for the first time in multiple decades, and boy is it different than I remember.

It's pretty incredible to be able to dump all this stuff directly into the boot system. Now to see what Omarchy has done to give the fancy LUKS password entry...

13. conradev ◴[18 Sep 25 23:51 UTC] No.45296423[source]
and I imagine that the initramfs is not encrypted and trivially modifiable?

Apple is able to achieve this securely because their devices are not fully encrypted. They can authenticate/sign the unencrypted system partition.

replies(1): >>45296761 #
14. klooney ◴[19 Sep 25 00:51 UTC] No.45296761{3}[source]
https://mastodon.social/@pid_eins/113404099228886304

You auth the initrd too

replies(1): >>45297153 #
15. conradev ◴[19 Sep 25 01:53 UTC] No.45297153{4}[source]
This is super cool, thanks for the link! I’m glad they were able to leverage the TPM
16. auguzanellato ◴[19 Sep 25 08:03 UTC] No.45299124{3}[source]
My Raspberry Pi some time ago had a setup where only public key auth was enabled for LUKS unlock, so I only had to have an authorized_keys file unencrypted.
17. leakycap ◴[19 Sep 25 09:19 UTC] No.45299627[source]
If this worked as well/seamlessly across updates and hardware revisions as your friendly reminder makes it seem, today's Mac news wouldn't be all over the place getting praise.
18. Dylan16807 ◴[20 Sep 25 08:02 UTC] No.45311400[source]
If you want it to automatically unlock via TPM then you turn filevault off. This is protection on top of that.