NixOS Wiki

Remote disk unlocking: Difference between revisions

← Older edit
Visual
imported>0x4A6F
No edit summary
Enable Wifi in initrd: fix config and reformat
 
(36 intermediate revisions by 16 users not shown)
Line 1: Line 1:
= Unlocking your LUKS via SSH and Tor =
If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.


If you want to unlock your computer remotely, and you are facing the problem, that you can’t reach your computer before your computer is unlocked, Tor will help you to reach your computer, even during the boot process.
== Setup ==


== SSH in initrd ==
Generate host key for the SSH daemon which will run in initrd during boot


=== Prepare SSH host keys ===
<syntaxhighlight lang="bash">
# mkdir -p /etc/secrets/initrd
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</syntaxhighlight>


It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your disk encryption password without authenticating the machine on the remote end!
Enable SSH daemon in initrd


To create a hostkey for dropbear run
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.initrd = {
  availableKernelModules = [ "r8169" ];
  network = {
    enable = true;
    udhcpc.enable = true;
    flushBeforeStage2 = true;
    ssh = {
      enable = true;
      port = 22;
      authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
    };
    postCommands = ''
      # Automatically ask for the password on SSH login
      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
    '';
  };
};
</nowiki>}}
 
Adapt following parts according to your setup
 
* '''authorizedKeys''': Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option.
* '''availableKernelModules''': Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that.
* '''kernelParams''': Instead of using DHCP you could also configure a static IP, for example with kernel parameter <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP, <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter. When using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang.
 
 
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
 
== Usage ==
 
After reboot, connect to the initrd SSH daemon using
 
<syntaxhighlight lang="bash">
# ssh root@10.25.0.2
</syntaxhighlight>
 
Where <code>10.25.0.2</code> is the IP which is acquired via DHCP or configured via the kernel parameter.
 
== Tips and tricks ==


<pre>nix run nixpkgs.dropbear -c dropbearkey -t ecdsa -f host_ecdsa_key</pre>
=== Bcachefs unlocking ===
==== Known hosts ====


It’s a good idea to add the host key (which got printed during creation) to your known_hosts file e.g. <code>~/.ssh/known_hosts</code> or <code>services.openssh.knownHosts</code>.
Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script, in combination with the setup above, can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.


=== Set up SSH in initrd ===
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.initrd.systemd = let
  askPass = pkgs.writeShellScriptBin "bcachefs-askpass" ''
    keyctl link @u @s
    mkdir /sysroot
    until bcachefs mount /dev/vda2 /sysroot
    do
      sleep  1
    done
  '';
in {
  enable = true;
  initrdBin = with pkgs; [ keyutils ];
  storePaths = ["${askPass}/bin/bcachefs-askpass"];
  users.root.shell = "${askPass}/bin/bcachefs-askpass";
};
</nowiki>}}


Setting up ssh is very easy.
Using systemd in initrd automatically continues the boot process after the target <code>/sysroot</code> is mounted.


<pre># ssh setup
=== Wireguard in initrd ===
boot.initrd.network.enable = true;
Considering you've already enabled the ssh daemon, configured networking (for example with DHCP or static IP) and configured an unlocking command, following additional snippet will enable [[WireGuard]] connectivity to a remote peer while in initrd.<syntaxhighlight lang="nix">
boot.initrd.network.ssh = {
boot.initrd.availableKernelModules = [ "r8169" "wireguard" ];
boot.initrd.systemd = {
   enable = true;
   enable = true;
   port = 22;
   network = {
  authorizedKeys = &quot;ssh-rsa AAAAyourpublic-key-here....&quot;;
    netdevs."30-wg-initrd" = {
  hostECDSAKey = /path/to/host_ecdsa_key;
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg-initrd";
      };
      wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
      wireguardPeers = [{
        AllowedIPs = [ "10.250.0.1/32" ];
        PublicKey = "wUE//Lwi8DZVIvAjIAtMoy+ku+hJ0w28H7ofySwAJRk=";
        Endpoint = "198.51.100.1:51821";
        PersistentKeepalive = 25;
      }];
    };
    networks."30-wg-initrd" = {
      name = "wg-initrd";
      addresses = [{ Address = "10.250.0.2/24"; }];
    };
  };
};
};
</pre>
boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/private-key";
</syntaxhighlight>First generate a private und public key pair as mentioned in the WireGuard article. Reference the private key in <code>boot.initrd.secrets</code>, in this exmaple <code>/etc/wireguard/private-key</code>. Put the <code>PublicKey</code> of the remote peer into the <code>wireguardPeers</code> array.
 
Configure the IP addresses used by your initrd peer (<code>10.250.0.2</code>) and the remote peer (<code>10.250.0.1</code>). Also specify the IP and port of the remote peer in <code>Endpoint</code>, in our example <code>198.51.100.1:51821</code>. The remote peer also needs to know address configuration and the public key of the initrd peer.


Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v</code> for that.
Last but not least add the <code>wireguard</code> kernel module to <code>boot.initrd.availableKernelModules</code> beside the module required by your network device.


<pre>boot.initrd.availableKernelModules = [ &quot;r8169&quot; ];</pre>
=== Tor in initrd ===


== Tor in initrd ==
An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]


=== Prepare the Onion ID ===
==== Prepare the Onion ID ====


You need 3 files to create an onion id (a.k.a. tor hidden service).
You need 3 files to create an onion id (a.k.a. tor hidden service).
Line 44: Line 123:
* <code>hs_ed25519_secret_key</code>
* <code>hs_ed25519_secret_key</code>


To create theses files, you have to run tor once, with a dummy configuration.
To create these files, you have to run tor once, with a dummy configuration.


<pre>DataDirectory /tmp/my-dummy.tor/
<pre>DataDirectory /tmp/my-dummy.tor/
Line 65: Line 144:
Hit <code>Ctrl-C</code> and the files you need, should be in <code>/home/tony/tor/onion</code>.
Hit <code>Ctrl-C</code> and the files you need, should be in <code>/home/tony/tor/onion</code>.


=== Setup Tor ===
==== Setup Tor ====


Now that you have your 3 files, you have to script a bit, but it’s not too complicated.
Now that you have your 3 files, you have to script a bit, but it’s not too complicated.


<pre># copy your onion folder
<syntaxhighlight lang="nix"># copy your onion folder
boot.initrd.secrets = {
boot.initrd.secrets = {
   &quot;/etc/tor/onion/bootup&quot; = /home/tony/tor/onion; # maybe find a better spot to store this.
   "/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.
};
};


Line 81: Line 160:
# start tor during boot process
# start tor during boot process
boot.initrd.network.postCommands = let
boot.initrd.network.postCommands = let
   torRc = (pkgs.writeText &quot;tor.rc&quot; ''
   torRc = (pkgs.writeText "tor.rc" ''
     DataDirectory /etc/tor
     DataDirectory /etc/tor
     SOCKSPort 127.0.0.1:9050 IsolateDestAddr
     SOCKSPort 127.0.0.1:9050 IsolateDestAddr
Line 89: Line 168:
   '');
   '');
in ''
in ''
   echo &quot;tor: preparing onion folder&quot;
   echo "tor: preparing onion folder"
   # have to do this otherwise tor does not want to start
   # have to do this otherwise tor does not want to start
   chmod -R 700 /etc/tor
   chmod -R 700 /etc/tor


   echo &quot;make sure localhost is up&quot;
   echo "make sure localhost is up"
   ip a a 127.0.0.1/8 dev lo
   ip a a 127.0.0.1/8 dev lo
   ip link set lo up
   ip link set lo up


   echo &quot;tor: starting tor&quot;
   echo "tor: starting tor"
   tor -f ${torRc} --verify-config
   tor -f ${torRc} --verify-config
   tor -f ${torRc} &amp;
   tor -f ${torRc} &
'';</pre>
'';</syntaxhighlight>
That was it. Tor should be running during your boot process.
That was it. Tor should be running during your boot process.


=== Setup ntpdate ===
==== Setup haveged ====
 
If your system doesn't gather enough entropy the startup time of tor is rather long (2:42 vs 0:06 on a RPi 4b). Counter it by starting <code>haveged</code>.
 
Append in your <code>boot.initrd.extraUtilsCommands</code>.
<pre>
  copy_bin_and_libs ${pkgs.haveged}/bin/haveged
</pre>
 
Then use this snippet before <code>echo "tor: starting tor"</code> in your <code>boot.initrd.network.postCommands</code>.
<pre>
      echo "haveged: starting haveged"
      haveged -F &
</pre>
 
==== Setup ntpdate ====


If your system doesn't utilize a RTC you've to ensure time is correctly set before startup of tor.
If your system doesn't utilize a RTC you've to ensure time is correctly set before startup of tor.
Line 112: Line 206:
</pre>
</pre>


Then use this snippet before <code>echo &quot;tor: starting tor&quot;</code> in your <code>boot.initrd.network.postCommands</code>.
Then use this snippet before <code>echo "tor: starting tor"</code> in your <code>boot.initrd.network.postCommands</code>.
<pre>
<pre>
       echo "ntp: starting ntpdate"
       echo "ntp: starting ntpdate"
Line 120: Line 214:
</pre>
</pre>


== Unlock your LUKS via SSH and Tor ==
==== Usage ====


When your computer boots, and asks for the LUKS password. Now you can unlock your encrypted Hard drive using:
When your computer boots, and asks for the LUKS password. Now you can unlock your encrypted Hard drive using:


<pre>torify ssh root@&lt;onion.id&gt;.onion -p 22 'echo &quot;my-secret-password&quot; &gt; /crypt-ramfs/passphrase'</pre>
<pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>
 
=== Enable Wifi in initrd ===
Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">
{
  boot.initrd = {
    # crypto coprocessor and wifi modules
    availableKernelModules = [
      "ccm"
      "ctr"
      "iwlmvm"
      "iwlwifi"
    ];
 
    systemd = {
      enable = true;
 
      packages = [ pkgs.wpa_supplicant ];
      initrdBin = [ pkgs.wpa_supplicant ];
      targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
 
      # prevent WPA supplicant from requiring `sysinit.target`.
      services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
 
      users.root.shell = "/bin/systemd-tty-ask-password-agent";
 
      network = {
        enable = true;
        networks."10-wlan" = {
          matchConfig.Name = "wlp0s20f0u4";
          DHCP = "yes";
        };
      };
    };
 
    network.ssh = {
      enable = true;
      port = 22;
      hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
      authorizedKeys = default.user.openssh.authorizedKeys.keys;
    };
 
    secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;
  };
}
</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
[[Category:Server]]
[[Category:Cookbook]]
Retrieved from "https://wiki.nixos.org/wiki/Remote_disk_unlocking"