
My organisation is setting up a Debian Buster host with Debian Buster VMs running in a qemu KVM environment. We are also planning on setting up the VMs using an encrypted partition. Just wondering if anyone knows of a way of injecting the passphrase so that qemu can boot the VMs without user intervention. My research so far suggests that is a no, but I would just like some confirmation / clarification on this.

  • Hi Seamus. I can't answer the question you've asked. However, two related thoughts for you, if I may. (1) Consider why you are encrypting the VMs' storage (no need to answer publicly). Make sure you have a valid reason that still applies to a VM rather than a physical server. (2) It might be easier - and no less safe - to encrypt the host storage rather than the individual VMs. Depending on the business needs in #1 of course. – Chris Davies Jul 13 '20 at 11:49
  • Countless ways to do it. You can have qemu enter the passphrase by keyboard (qemu monitor sendkey), add a key store device, supply it over serial line, etc. or otherwise just embed it into the initramfs, have the VM derive a key on its own, over network / ssh, etc. so this is too broad a question for one specific answer. – frostschutz Jul 13 '20 at 13:10
  • Does this help? https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot – andreoss Jul 13 '20 at 17:00

1 Answer


IIUC then yes, there's a tool called clevis. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-policy-based_decryption

Jiri B
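As an added illustration of the clevis approach the answer points to (this is not code from the question, the answer or the linked Red Hat guide), the script below binds a LUKS volume inside a Debian Buster guest to a Tang server and rebuilds the initramfs so the `clevis-initramfs` hook can unlock the volume at boot without a typed passphrase. The device path and Tang URL are placeholders, and the sample `clevis luks list` lines used to exercise the parsing helpers are constructed; the package names `clevis`, `clevis-luks` and `clevis-initramfs` are the Debian packages this assumes are installed in the guest.

```shell
#!/bin/sh
# Added example, not part of the original thread. Binds a LUKS device in a
# Debian Buster guest to a Tang server with clevis so the guest boots
# unattended. /dev/vda2 and the Tang URL below are placeholders.
set -eu

# Parse the output of `clevis luks list -d <dev>` (one line per bound
# keyslot, of the form "<slot>: <pin> '<json config>'") and print one
# "<slot> <pin>" pair per line, so a check script can see what is bound.
parse_clevis_list() {
    awk -F': ' '/^[0-9]+: / { split($2, f, " "); print $1, f[1] }'
}

# Exit 0 if the named pin (tang, tpm2, sss) is bound in at least one slot,
# otherwise exit 1. Reads `clevis luks list` output on stdin.
has_pin() {
    parse_clevis_list | awk -v pin="$1" '$2 == pin { found = 1 } END { exit !found }'
}

# Bind $1 (a LUKS device) to the Tang server at $2 and rebuild the initramfs.
# `clevis luks bind` prompts once for an existing passphrase, then adds a new
# keyslot whose key can only be reconstructed with the Tang server's help.
# Requires the clevis, clevis-luks and clevis-initramfs packages.
bind_tang() {
    dev="$1"
    url="$2"
    clevis luks bind -d "$dev" tang "{\"url\":\"$url\"}"
    update-initramfs -u
    # Show the resulting bindings and confirm the tang pin is present.
    clevis luks list -d "$dev" | tee /dev/stderr | has_pin tang
}

# Only touch a real volume when a device and Tang URL are passed explicitly,
# e.g.:  sh unattended-unlock.sh /dev/vda2 http://tang.example.internal
if [ "$#" -eq 2 ]; then
    bind_tang "$1" "$2"
fi
```

The trade-off to keep in mind is that the guest's disk is now unlockable by anything that can boot the image with network reach to the Tang server, so the Tang server's placement (reachable only from the hypervisor network, not from the wider estate) becomes the effective security boundary. The `tpm2` pin is the alternative if the VMs are given a virtual TPM, which in a qemu/KVM setup means attaching a swtpm device to each guest.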