On 06/23/2015 06:52 PM, Christian Seiler wrote:
> On 06/23/2015 12:59 PM, Erwan David wrote:
>> Note that I use policy-rc.d to check whether the encrypted disk is
>> mounted for the daemons that need it (it allows not to change the init
>> files)
>
> That works? policy-rc.d should only affect invoke-rc.d, which shouldn't
> be relevant at boot, but only in maintainer scripts. (AFAIK at least.)
>
>> For what I need to know: I have a headless machine with an encrypted disk.
>> I cannot ask the password on console, so
>> 1) at boot I do not mount the encrypted disk, and start a minimal set
>> of daemons, among them the ssh daemon.
>>
>> 2) I ssh to the machine then mount encrypted disk and start remaining
>> daemons.
>>
>> How can I do this with systemd?
>
> This is a great question because it presents a nice little problem that
> covers quite a few topics regarding systemd. I've sat down and
> solved your little problem from a systemd perspective, and hopefully my
> solution will help you in understanding how systemd works.
In case anybody is interested: since I've put quite a bit of work into implementing / testing this, I've now written it up as a blog post (typeset better than an email). I've also put in a couple of links, and especially also mentioned that ideally, one would want to do this from the initrd and not from a running systemd, see [1] for example. Still, since it tackles a couple of systemd concepts and how they interact with each other, it could be useful just for furthering understanding, so here it is:

https://blog.iwakd.de/headless-luks-decryption-via-ssh

Christian

[1] https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
(Even though the URL says Wheezy, it's been updated to also support Jessie.)
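One way to express the two-step arrangement from the question in systemd units, added here as an example (it is not the solution from the blog post linked above, nor Erwan's actual setup): a mount unit and a target that nothing pulls in at boot, plus a drop-in for each daemon that depends on the disk. The mapping name "secure", the mount point /srv/secure, mydaemon.service and the device UUID are placeholders.

```ini
# --- /etc/systemd/system/srv-secure.mount ---
# Unit name must match the mount path (/srv/secure -> srv-secure.mount).
# Not referenced by any [Install] section, so it is NOT started at boot.
[Unit]
Description=Encrypted data disk (placeholder LUKS mapping name "secure")

[Mount]
What=/dev/mapper/secure
Where=/srv/secure
Type=ext4
Options=defaults,nodev,nosuid

# --- /etc/systemd/system/secure.target ---
# Synchronisation point for everything that needs the encrypted disk.
# No [Install] section: multi-user.target never pulls it in.
[Unit]
Description=Services that need the encrypted data disk
Requires=srv-secure.mount
After=srv-secure.mount
# Daemons that must stay down until the disk is available (placeholder).
Wants=mydaemon.service

# --- /etc/systemd/system/mydaemon.service.d/secure-disk.conf ---
# Drop-in for a daemon that was "systemctl disable"d, so multi-user.target
# no longer starts it. RequiresMountsFor= adds Requires= and After= on
# srv-secure.mount, so the service can never run on an empty mount point.
[Unit]
RequiresMountsFor=/srv/secure
PartOf=secure.target

# --- operator session over ssh after the minimal boot (placeholder device) ---
#   cryptsetup open /dev/disk/by-uuid/<DATA-DISK-UUID> secure
#   systemctl start secure.target       # mounts the disk, then starts mydaemon
#   systemctl status mydaemon.service   # expect "active (running)"
# Before locking the disk again:
#   systemctl stop secure.target        # PartOf= stops mydaemon with the target
#   systemctl stop srv-secure.mount && cryptsetup close secure
```

Because neither the mount nor the target has an [Install] section, a reboot lands back in the minimal state with only the always-on daemons (sshd among them) running, which is the property the question asks for.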