Kernel update requires a reboot, which means one has to provide a passphrase to unlock the disk.
To provide a passphrase a keyboard and physical presence are required. This is inconvenient in headless and remote setups.
As a result, people may choose to keep using old kernels, which may lead to security issues.
To address this problem, I created MIT-licesed tool that does the reboot, but asks for the passphrase before, not after.
This way entire operation could be performed remotely via ssh.
This might work out to be a good enough solution instead of opening an sshd during boot to prompt for the passphrase. The need for physical presence isn't completely eliminated, but this should suffice for most situations.
Fantastic work Rapawel! As someone who manages multiple remote Linux servers, I can see the immediate value in Cryptreboot: The practicality of providing the passphrase before rebooting instead of after, is an innovative solution that addresses a significant inconvenience in headless setups. Your tool seems lika a solid step towards mitigating potential security risks caused by outdated kernels.
3 comments
[ 0.20 ms ] story [ 17.8 ms ] threadTo address this problem, I created MIT-licesed tool that does the reboot, but asks for the passphrase before, not after. This way entire operation could be performed remotely via ssh.
If you are interested in details, you can read my post about it here: https://blog.pawelpokrywka.com/p/rebooting-linux-with-encryp...
I hope cryptreboot will help people to better secure their systems. If you have questions or feedback, I can answer them here in comments.