Title: Automatic prompt to unlock remote encrypted partitions
       Author: Solène
       Date: 20 November 2022
       Tags: openbsd security networking ssh nocloud
       Description: In this article, you will learn how to make OpenBSD
       systems prompt for a passphrase on your local workstation in order to
       unlock an encrypted partition.
       
       # Introduction
       
       I have remote systems on which only /home is an encrypted partition;
       the reason is that it eases remote management a lot when you have no
       serial access.  It's not ideal if you have critical files, but in my
       use case, it's good enough.
       
       In this blog post, I'll explain how to get the remote system to prompt
       you for the unlocking passphrase automatically when it boots.  I'm
       using OpenBSD in my example, but you can achieve the same with Linux
       and cryptsetup (LUKS); if you want to push the idea further on Linux,
       you could do this from the initramfs to unlock your root partition.
       
       # Requirement
       
       * OpenBSD
       * a non-root encrypted partition
       * a workstation running an ssh server that the remote server can reach
       (VPN, NAT, etc…)
       
       # Setup
       
       1. install the package `zenity` on your workstation
       2. on the remote system, generate an ssh key pair without a passphrase
       for the root account using `ssh-keygen`
       3. copy the content of `/root/.ssh/id_rsa.pub` for the next step (or
       the public key file if you chose a different key algorithm)
       4. edit `~/.ssh/authorized_keys` on your workstation
       5. create a new line with: `restrict,command="/usr/local/bin/zenity
       --forms --text='Unlock t400 /home' --add-password='passphrase'
       --display=:0" $THE_PUBLIC_KEY_HERE`
       
       The new line allows the ssh key to connect to our local user, but
       restricts it to a single command: zenity, a GUI dialog program used to
       display forms and dialogs in X sessions.  The `restrict` option also
       disables port, agent and X11 forwarding as well as PTY allocation, so
       the key can do nothing on the workstation but run that command.
       
       In the example, this creates a simple form in an X window with the
       label "Unlock t400 /home" and adds a password field that hides the
       typed text, showing it on display :0 (the default one).  Upon
       connection from the remote server, the form is displayed and you can
       type in the passphrase and validate; zenity then writes it to stdout,
       ssh relays it to the remote server, where it is piped into the bioctl
       command that unlocks the disk.
       
       On the server, create the file `/etc/rc.local` with the following
       content (please adapt to your system):
       
       ```sh
       #!/bin/sh

       # Ask the workstation for the passphrase over ssh (the forced command
       # runs zenity there) and feed it to bioctl on stdin (-s) to attach the
       # crypto volume (-c C) whose chunk is the encrypted partition (-l).
       ssh solene@10.42.42.102 | bioctl -s -c C -l 1a52f9ec20246135.k softraid0
       # $? is the exit status of bioctl, the last command of the pipeline:
       # only mount /home if the volume was actually unlocked.
       if [ $? -eq 0 ]
       then
           mount /home
       fi
       ```
       
       In this script, `solene@10.42.42.102` is my user@laptop-address, and
       `1a52f9ec20246135.k` is my encrypted partition.  The file
       `/etc/rc.local` is run at boot after most of the services, including
       networking.
       
       You should get a display like this when the system boots:
       
 (IMG) a GUI window asking for a passphrase to unlock the /home partition of the computer named T400
       
       # Conclusion
       
       With this simple setup, I can reboot my remote systems and wait for the
       passphrase to be asked quite reliably.  Because of ssh, I can
       authenticate which system is asking for a passphrase, and it's sent
       encrypted over the network.
       
       It's possible to take this idea further by using a local password
       database to pick the passphrase automatically, but you lose some
       manual control: if someone steals a machine, you may not want to
       unlock it after all ;)  It would also be possible to prompt a Yes/No
       dialog before piping the passphrase from your computer; do what feels
       correct for you.
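As an added example (not from the original post), here is a workstation-side wrapper implementing the Yes/No confirmation suggested above: it asks whether to send the passphrase at all, only then shows the zenity password form, and prints nothing (exiting non-zero) if the user cancels or leaves the field empty, so bioctl on the server never receives a blank passphrase. The script name `unlock-prompt.sh`, its install path, the `ZENITY` override variable and the host/partition arguments are assumptions for this example.

```shell
#!/bin/sh
# Workstation-side forced command for the authorized_keys line, e.g. (assumed path):
#   restrict,command="/usr/local/bin/unlock-prompt.sh t400 /home" ssh-ed25519 AAAA...
# sshd passes the key's connection to this script; its stdout travels back to
# the server over ssh and ends up on bioctl's stdin.

# Overridable so the decision logic can be exercised without an X display.
ZENITY="${ZENITY:-/usr/local/bin/zenity}"
DISPLAY="${DISPLAY:-:0}"
export DISPLAY

# confirm HOST PARTITION: exit 0 only if the user clicked Yes.
confirm() {
    "$ZENITY" --question --text="$1 is asking to unlock $2. Send the passphrase?"
}

# prompt_passphrase HOST PARTITION: print the passphrase on stdout;
# exit 1 (printing nothing) if the dialog was cancelled or left empty.
prompt_passphrase() {
    pass=$("$ZENITY" --forms --text="Unlock $1 $2" --add-password="passphrase") || return 1
    [ -n "$pass" ] || return 1
    printf '%s\n' "$pass"
}

# unlock_prompt HOST PARTITION: the full flow run by the forced command.
unlock_prompt() {
    confirm "$1" "$2" || return 1
    prompt_passphrase "$1" "$2"
}

# Only run the dialog flow when executed as the installed script, not when
# the functions are sourced elsewhere.
case "$0" in
    *unlock-prompt.sh) unlock_prompt "$@" ;;
esac
```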