Hi there ! I have a little box at home, hosting some little services for personal use under freebsd with a full disk encryption (geli). I’m never at home and long power outage often occurs so I always need to come back home to type my passphrase to decrypt the disk.
I was searching this week a solution to do it remotely and found the “poor-guy-kvm” solutions turning a Raspberry like board (beaglebone black in my case) in a hid keyboard. It works fine once the computer has booted but once reboot when the passphrase is asked before it loads the loader menu, nothing. When I plug an ordinary USB keyboard I can type my passphrase so USB module is loaded.
Am I missing something ? Am I trying something impossible ?
(I could’ve asked on freebsd forum but… Have to suscribe, presentation, etc… Long journey)
Yes. That is possible. However if the hardware configuration/software configuration changes the TPM should trip and prevent decryption.
The attackers would have to break you ssh/terminal/lock screen/other insecure software. However code injection should be impossible because you used custom secure boot keys and ideally a signed unified kernel image. (Can’t even change kernel params without tripping TPM.)
You would not be safe if they did a bus listening attack or if your shell pwd is not safe. If that is your threat vector this may not be a good option for you.