qemu-discuss

Re: [Qemu-discuss] problem unlocking encrypted volume during boot


From: Jakob Bohm
Subject: Re: [Qemu-discuss] problem unlocking encrypted volume during boot
Date: Wed, 27 Jun 2012 15:59:04 +0200
User-agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:13.0) Gecko/20120604 Thunderbird/13.0

On 6/27/2012 3:08 PM, Leo Butler wrote:
> Hi,
>
> I am using qemu on debian testing to run debian stable. I unwisely
> installed my os with an encrypted partition. This was unwise because
> during the boot process when the encryption key is requested, I must go
> through a bunch of magic to ensure it is read/passed correctly, and with
> the -curses option the passphrase is never read/passed correctly.
>
> Even worse, when I copy the image file to another debian testing
> machine, the passphrase is never read/passed correctly.
>
> I wonder if there might be a good work-around for this? Any suggestions
> are welcome.
>
> ----------
> For the record, here is how I launch the machine:
> qemu -hda ./debian-stable.img -m 1024 -redir tcp:2222::22\
>   -redir tcp:8080::80

My suggestion:

1. Reconfigure the VM to use a serial console at boot, not the virtual
VGA console, but leave the VGA consoles available for ordinary work after
boot.

2. Pass "-serial stdio" to qemu and pipe in the secret key from some
trusted mechanism:

logrotate -f ./debian-stable.logrotate.conf -s ./debian-stable.logrotate.state
( echo "Commands before passphrase" ; \
  /usr/local/bin/extract-secret-passphrase debian-stable ; \
  echo "Commands always after passphrase" ; \
  cat ) | \
qemu .... -serial stdio 2>&1 | \
tee ./debian-stable.bootlog

The cat and tee are there so you can see and respond to any unexpected boot
time prompts, such as fsck failures asking for root login.

I'll leave the extract-secret-passphrase mechanism up to you; it might be
an SUID binary which extracts data from a root-only file, or it could be
anything else you consider sufficiently secure.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
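Added example, not code from the original message or from the QEMU project: a shell script that packages the approach above (root-only secret file on the host, passphrase fed to the guest's serial console through "-serial stdio", terminal kept attached for unexpected prompts). The file names, the `read_secret`/`boot_input`/`run_vm` helpers and the guest-side GRUB setting in the trailing comment are assumptions for illustration; the qemu command line is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: SECRET_FILE,
# VM_IMAGE, BOOTLOG; the qemu options mirror the command in the thread.
set -eu

SECRET_FILE=${SECRET_FILE:-/etc/vm-secrets/debian-stable.key}
VM_IMAGE=${VM_IMAGE:-./debian-stable.img}
BOOTLOG=${BOOTLOG:-./debian-stable.bootlog}

# Print the passphrase (first line of the secret file) on stdout, but only
# if it is a regular file with no group/other permission bits at all.
# Reading it from a file rather than passing it on argv keeps it out of
# "ps" output and shell history.
read_secret() {
    f=$1
    [ -f "$f" ] || { echo "read_secret: $f is not a regular file" >&2; return 1; }
    # columns 5-10 of "ls -ld" are the group and other rwx bits
    gobits=$(ls -ld "$f" | cut -c5-10)
    [ "$gobits" = "------" ] || {
        echo "read_secret: refusing $f, group/other bits are '$gobits'" >&2
        return 1
    }
    printf '%s\n' "$(head -n 1 "$f")"
}

# Build the byte stream sent to the guest's serial console: optional lines
# typed before the passphrase, the passphrase plus newline, optional lines
# typed after it (the "commands before/after" of the post).
boot_input() {
    before=$1; after=$2
    [ -n "$before" ] && printf '%s\n' "$before"
    read_secret "$SECRET_FILE"
    [ -n "$after" ] && printf '%s\n' "$after"
    return 0
}

# Run the VM with the serial port on stdio. "cat" follows boot_input so the
# terminal stays attached after the scripted lines, letting you answer an
# unexpected prompt (fsck asking for the root password, for instance).
# tee keeps a copy of the serial output; cryptsetup does not echo the
# passphrase, so it does not end up in the bootlog.
run_vm() {
    { boot_input "" ""; cat; } | \
        qemu -hda "$VM_IMAGE" -m 1024 -redir tcp:2222::22 -redir tcp:8080::80 \
             -serial stdio 2>&1 | tee "$BOOTLOG"
}

# Guest side (assumed, one-off, inside the VM, then run update-grub): make
# ttyS0 the primary console so the initramfs passphrase prompt appears on
# the serial line while the VGA console stays usable after boot.
#   /etc/default/grub:  GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
# The last console= entry is the one /dev/console, and so the prompt, uses.

case ${1:-} in
    run) run_vm ;;
esac
```

Check the bootlog on the first run: if GRUB itself is put on the serial terminal, the scripted lines can arrive while GRUB is reading keystrokes instead of reaching the cryptsetup prompt, so either leave GRUB on VGA or feed the passphrase only after the prompt text shows up in the output.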