I'm setting up a home server which has full disk encryption enabled. In order to recover from a power failure the machine automatically reboots. I'm also able to unlock the disk remotely using ssh according to this topic: SSH to decrypt encrypted LVM during headless server boot?

The only thing missing is that I'm not informed when the machine reboots so that I know when to unlock the disk again.

Is there some kind of built-in functionality in GRUB2 that helps me achieve this or is my only option to set up an external site monitoring service?

  • To me, sending an email requires network access, an SMTP server, and possibly an API to manipulate it. Those things can only be accessed with a loaded operating system... which you don't have at GRUB (since it's actually the point of it). This may require another (functional) machine which monitors the first one. – John WH Smith Jun 28 '14 at 11:34
  • When you say "full disk" do you mean every disk and not just the volume holding the production data? – Bratchley Jun 28 '14 at 13:25
  • As including an SSH server into the startup process is possible, sending an email didn't seem to be completely out of the question. – user73856 Jun 28 '14 at 19:32
  • That works because it builds Dropbear SSH into the initramfs. It really seems advisable to me that you just encrypt your data volume (and not the boot volume) and configure a noauto filesystem. At that point you can just ssh in and mount the encrypted filesystem in much the same way as you're wanting. You can even have a mail command inside rc.local to send off that email. – Bratchley Jun 28 '14 at 23:25

1 Answer


This kind of functionality is far too advanced for GRUB. GRUB can't even talk over the network except for TFTP.

The SSH server that you saw runs under Linux. It is started early during the boot process, after the kernel has booted but before mounting the root filesystem. Linux runs programs from the initramfs (or initrd on older systems) before mounting the root filesystem; that's how you get a password prompt on the console when the root filesystem is encrypted, for example.

An initramfs typically has a set of BusyBox utilities. BusyBox can't send mail, but suggests the ssmtp utility as a companion for this task. You'll need to build a statically compiled version.

An alternative approach could be to install the dropbear client and send the email (or other form of notification) from another machine. You can use the command= directive in an authorized_keys file to restrict the use of a key to one specific command.

Yet another approach, if the machine is on a network segment which is protected from intrusion, could be to ping a dedicated port, or “port knock” some sequence, or send a ping with some constant payload.
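
As an added illustration of the second approach (the forced-command receiver, not code from the answer), here is a script that a second machine could pin a key to with `command=` in its authorized_keys, so that the key the initramfs carries can do nothing except trigger a notification. Assumptions: the home server's initramfs has a Dropbear client (`dbclient`) and a dedicated key, the notification host has a working `mail` command (e.g. backed by ssmtp), and the script is installed as /usr/local/bin/reboot-notify.

```sh
#!/bin/sh
# Added example: forced-command receiver on the notification host.
# Pin the initramfs key to this script in the notification user's
# ~/.ssh/authorized_keys so the key cannot open a shell or forward ports:
#
#   restrict,from="192.0.2.0/24",command="/usr/local/bin/reboot-notify" ssh-ed25519 AAAA... homeserver-initramfs
#
# ("restrict" needs OpenSSH >= 7.2; on older sshd use
#  no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding.)
# The home server would call it from an initramfs hook, for example:
#   dbclient -y -i /etc/initramfs-key notify@notify-host reboot
# (assumed paths and host name; the word after the host becomes
#  SSH_ORIGINAL_COMMAND on this side.)

# Map the client's requested command to a mail subject. Only a tiny
# allow-list is accepted; anything else is refused, never executed.
subject_for() {
    case "$1" in
        reboot)   printf '%s\n' "home server rebooted, waiting for disk unlock" ;;
        unlocked) printf '%s\n' "home server disk unlocked" ;;
        *)        return 1 ;;
    esac
}

main() {
    to=${REBOOT_NOTIFY_TO:-root}          # recipient, overridable via environment
    client=${SSH_CLIENT:-}; client=${client%% *}   # sshd sets "ip port port"
    if ! subject=$(subject_for "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t reboot-notify "refused '${SSH_ORIGINAL_COMMAND:-}' from ${client:-unknown}"
        exit 1
    fi
    printf 'Sent by %s at %s\n' "${client:-unknown}" "$(date -u +%FT%TZ)" \
        | mail -s "$subject" "$to"
}

# sshd sets SSH_CONNECTION for every session; when the file is merely
# sourced (e.g. for testing) nothing is sent.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

The `from=` option additionally limits which source addresses may use the key, and sshd's own log plus the `logger` line give a record of every accepted or refused trigger.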

  • Do you have an example for ssmtp usage with busybox or an updated solution? (The ssmtp link on busybox tiny utils page is down and the package is orphaned) – finefoot Nov 16 '19 at 12:47