
Remote disk unlocking: Difference between revisions

Properly escape greater than signs
imported>Onny
m (Onny moved page Remote LUKS Unlocking to Remote disk unlocking: The instruction is now more general and not only for LUKS)
(Properly escape greater than signs)
 
(8 intermediate revisions by 5 users not shown)
Line 6: Line 6:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</syntaxhighlight>
</syntaxhighlight>


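Review bot: switching the initrd host key from RSA to ed25519 is fine and matches the `hostKeys` change further down, but `ssh-keygen -f /etc/secrets/initrd/...` fails with "No such file or directory" when the directory does not exist yet, so the instruction should be preceded by `mkdir -p /etc/secrets/initrd` (the directory should also be root-only, e.g. mode 0700, since the unencrypted private key lives there).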
Line 12: Line 12:


{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
boot.initrd = {
   availableKernelModules = [ "r8169" ];
   availableKernelModules = [ "r8169" ];
   network = {
   network = {
     enable = true;
     enable = true;
    udhcpc.enable = true;
    flushBeforeStage2 = true;
     ssh = {
     ssh = {
       enable = true;
       enable = true;
       port = 22;
       port = 22;
      shell = "/bin/cryptsetup-askpass";
       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
       hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
     };
     };
    postCommands = ''
      # Automatically ask for the password on SSH login
      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
    '';
   };
   };
};
};
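Review bot: the line appended to `/root/.profile` has a precedence bug: `cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1` is parsed left to right as `(cryptsetup-askpass || echo ...) && exit 1`, so the "Unlock was successful" message is printed only when `cryptsetup-askpass` fails, and the session always exits with status 1. `cryptsetup-askpass && echo "Unlock was successful; exiting SSH session"; exit` expresses the intent. The `<nowiki>` split around `>>` is correct for the wiki, but readers copying the line should end up with plain `>> /root/.profile`; a note that the rendered line is what goes into the config would avoid confusion.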
Line 35: Line 39:




The <code>shell</code> option is necessary to get a password prompt instead of a shell.
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.


== Usage ==
== Usage ==
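Review bot: the conspy alternative now points at `boot.initrd.systemd.users.root.shell`, which only takes effect with `boot.initrd.systemd.enable = true`, whereas the configuration above uses the scripted stage 1 (`boot.initrd.network.postCommands`); the text should say that these are two different initrd setups and not mixable in one config. Minor: "This binary included by default" is missing "is", and "passwords which expect stdin" would read better as "unlock prompts that read the passphrase from stdin".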
Line 52: Line 56:
=== Bcachefs unlocking ===
=== Bcachefs unlocking ===


Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.
Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script, in combination with the setup above, can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.


{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.initrd.systemd = let
boot.initrd.systemd = let
   askPass = pkgs.writeScriptBin "bcachefs-askpass" ''
   askPass = pkgs.writeShellScriptBin "bcachefs-askpass" ''
    #!/bin/sh
     keyctl link @u @s
     keyctl link @u @s
     mkdir /sysroot
     mkdir /sysroot
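Review bot: "in combination with the setup above" is misleading here, because this snippet enables systemd stage 1 (`enable = true` below), and the `postCommands` hook from the setup above does not run in a systemd initrd; say which parts of the earlier config (host keys, `authorizedKeys`, network) still apply. The move to `writeShellScriptBin` and the removal of the `#!/bin/sh` line are consistent, since `writeShellScriptBin` supplies its own shebang. `mkdir /sysroot` errors out if the directory already exists; `mkdir -p /sysroot` is safer. Grammar: "the following script ... can be used as the SSH shell".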
Line 65: Line 68:
     done
     done
   '';
   '';
  in {
in {
    enable = true;
  enable = true;
    initrdBin = with pkgs; [ keyutils ];
  initrdBin = with pkgs; [ keyutils ];
    storePaths = ["${askPass}/bin/bcachefs-askpass"];
  storePaths = ["${askPass}/bin/bcachefs-askpass"];
    users.root.shell = "${askPass}/bin/bcachefs-askpass";
  users.root.shell = "${askPass}/bin/bcachefs-askpass";
  };
};
};
</nowiki>}}
</nowiki>}}
Line 184: Line 186:


<pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>
<pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>
=== Enable Wifi in initrd ===
Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">
boot.initrd = {
  # crypto coprocessor and wifi modules
  availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];
  systemd = {
    enable = true;
    packages = [ pkgs.wpa_supplicant ];
    initrdBin = [ pkgs.wpa_supplicant ];
    targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
    # prevent WPA supplicant from requiring `sysinit.target`.
    services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
    users.root.shell = "/bin/systemd-tty-ask-password-agent";
    network = {
      enable = true;
      networks."10-wlan" = {
        matchConfig.Name = "wlp0s20f0u4";
        networkConfig.DHCP = "yes";
      };
      ssh = {
        enable = true;
        port = 22;
        hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
        authorizedKeys = default.user.openssh.authorizedKeys.keys;
      };
    };
    secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;
  };
</syntaxhighlight>The file <code>wpa_supplicat-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
[[Category:Server]]
[[Category:Cookbook]]
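Review bot: the Nix block is not well formed: `boot.initrd = {` and `systemd = {` are opened but only one `};` closes them, so a second `};` is needed at the end. `default.user.openssh.authorizedKeys.keys` is not a bound name in a NixOS module; it should be something like `config.users.users.<name>.openssh.authorizedKeys.keys`, or a literal key list as in the earlier example. `hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]` copies the running system's SSH host key into the unencrypted initramfs, unlike the dedicated `/etc/secrets/initrd/` key used above; the same applies to the Wi-Fi PSK pulled in via `secrets`, which is worth a sentence of warning. Prose typo: `wpa_supplicat-wlp0s20f0u4.conf` should be `wpa_supplicant-wlp0s20f0u4.conf`.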