Remote disk unlocking: Difference between revisions

(14 intermediate revisions by 5 users not shown)

Line 6:

# ssh-keygen -t ~~rsa~~ -N "" -f /etc/secrets/initrd/~~ssh_host_rsa_key~~

# mkdir -p /etc/secrets/initrd

# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

</syntaxhighlight>

Line 12:

Line 13:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

~~boot.kernelParams = [ "ip=dhcp" ];~~

boot.initrd = {

availableKernelModules = [ "r8169" ];

~~systemd.users.root.shell = "/bin/cryptsetup-askpass";~~

network = {

enable = true;

udhcpc.enable = true;

flushBeforeStage2 = true;

ssh = {

enable = true;

port = 22;

authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];

hostKeys = [ "/etc/secrets/initrd/~~ssh_host_rsa_key~~" ];

hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];

};

postCommands = ''

# Automatically ask for the password on SSH login

echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile

'';

};

Line 35:

Line 40:

The <code>~~shell~~</code> option is necessary to get a password prompt instead of a shell.

The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.

If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.

If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.

== Usage ==

Line 52:

Line 57:

=== Bcachefs unlocking ===

Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.

Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script, in combination with the setup above, can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 64:

Line 69:

done

'';

in {

enable = true;

initrdBin = with pkgs; [ keyutils ];

storePaths = ["${askPass}/bin/bcachefs-askpass"];

users.root.shell = "${askPass}/bin/bcachefs-askpass";

};

</nowiki>}}

Using systemd in initrd automatically continues the boot process after the target <code>/sysroot</code> is mounted.

=== Wireguard in initrd ===

Considering you've already enabled the ssh daemon, configured networking (for example with DHCP or static IP) and configured an unlocking command, following additional snippet will enable [[WireGuard]] connectivity to a remote peer while in initrd.<syntaxhighlight lang="nix">

boot.initrd.availableKernelModules = [ "r8169" "wireguard" ];

boot.initrd.systemd = {

enable = true;

network = {

netdevs."30-wg-initrd" = {

netdevConfig = {

Kind = "wireguard";

Name = "wg-initrd";

};

wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };

wireguardPeers = [{

AllowedIPs = [ "10.250.0.1/32" ];

PublicKey = "wUE//Lwi8DZVIvAjIAtMoy+ku+hJ0w28H7ofySwAJRk=";

Endpoint = "198.51.100.1:51821";

PersistentKeepalive = 25;

}];

};

networks."30-wg-initrd" = {

name = "wg-initrd";

addresses = [{ Address = "10.250.0.2/24"; }];

};

boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/private-key";

</syntaxhighlight>First generate a private und public key pair as mentioned in the WireGuard article. Reference the private key in <code>boot.initrd.secrets</code>, in this exmaple <code>/etc/wireguard/private-key</code>. Put the <code>PublicKey</code> of the remote peer into the <code>wireguardPeers</code> array.

Configure the IP addresses used by your initrd peer (<code>10.250.0.2</code>) and the remote peer (<code>10.250.0.1</code>). Also specify the IP and port of the remote peer in <code>Endpoint</code>, in our example <code>198.51.100.1:51821</code>. The remote peer also needs to know address configuration and the public key of the initrd peer.

Last but not least add the <code>wireguard</code> kernel module to <code>boot.initrd.availableKernelModules</code> beside the module required by your network device.

=== Tor in initrd ===

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/~~tree~~/krebs/2configs/tor/initrd.nix~~?id=9919cb25912dfcc50881239f95494dd2f8e7b858~~ krebs/2configs/tor/initrd.nix in stockholm]

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]

==== Prepare the Onion ID ====

Line 87:

Line 123:

* <code>hs_ed25519_secret_key</code>

To create these files~~, you have to run tor once, with a dummy configuration.~~

To create these files:

$ nix-shell -p mkp224o --command "mkp224o-donna snow -n 1 -d ."

~~<pre>DataDirectory /tmp/my~~-~~dummy.tor/~~

set workdir: ./

~~SOCKSPort 127.0.0.1:10050 IsolateDestAddr~~

nixuum6flqthv6ar52j5e2ldulylfsfgezykeg37iy74kqowcp5gxfyd.onion

~~SOCKSPort 127.0.0.1:10063~~

The files you need are in the <code>*.onion</code> directory:

~~HiddenServiceDir /home/tony/tor/onion~~

$ ls *.onion

~~HiddenServicePort 1234 127.0.0.1:1234</pre>~~

hostname hs_ed25519_public_key hs_ed25519_secret_key

~~Let’s asume you created this file in <code>/home/tony/tor/tor.rc</code>.~~

~~Verify that everything is <code>tor.rc</code> awesome, by running <code>tor~~ -~~f /home/tony/tor/tor.rc~~ --~~verify~~-~~config</code>. If you don’t see any errors, just run <code>tor~~ -~~f /home/tony/tor/tor.rc</code>~~.

~~You will get some output like this.~~

~~<pre>May 21 18~~:~~38:39~~.~~000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits~~

~~May 21 18:38:39~~.~~000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit~~

~~May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done</pre>~~

~~Hit <code>Ctrl-C</code> and the~~ files you need~~, should be~~ in <code>~~/home/tony/tor/~~onion</code>.

==== Setup Tor ====

Line 114:

Line 137:

<syntaxhighlight lang="nix"># copy your onion folder

boot.initrd.secrets = {

"/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.

"/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.

};

Line 183:

Line 206:

<pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>

=== Enable Wifi in initrd ===

Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">

{

boot.initrd = {

# crypto coprocessor and wifi modules

availableKernelModules = [

"ccm"

"ctr"

"iwlmvm"

"iwlwifi"

];

systemd = {

enable = true;

packages = [ pkgs.wpa_supplicant ];

initrdBin = [ pkgs.wpa_supplicant ];

targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];

# prevent WPA supplicant from requiring `sysinit.target`.

services."wpa_supplicant@".unitConfig.DefaultDependencies = false;

users.root.shell = "/bin/systemd-tty-ask-password-agent";

network = {

enable = true;

networks."10-wlan" = {

matchConfig.Name = "wlp0s20f0u4";

DHCP = "yes";

};

network.ssh = {

enable = true;

port = 22;

hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];

authorizedKeys = default.user.openssh.authorizedKeys.keys;

};

secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;

};

}

</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.

[[Category:Server]]

[[Category:Cookbook]]

@@ Line 6: / Line 6: @@
 <syntaxhighlight lang="bash">
-# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+# mkdir -p /etc/secrets/initrd
+# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
 </syntaxhighlight>
@@ Line 12: / Line 13: @@
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
-boot.kernelParams = [ "ip=dhcp" ];
 boot.initrd = {
    availableKernelModules = [ "r8169" ];
-  systemd.users.root.shell = "/bin/cryptsetup-askpass";
    network = {
      enable = true;
+    udhcpc.enable = true;
+    flushBeforeStage2 = true;
      ssh = {
        enable = true;
        port = 22;
        authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
-       hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
+       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      };
+    postCommands = ''
+      # Automatically ask for the password on SSH login
+      echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
+    '';
    };
 };
@@ Line 35: / Line 40: @@
-The <code>shell</code> option is necessary to get a password prompt instead of a shell.
+The <code>postCommands</code> option is necessary to get a password prompt instead of a shell.
-If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
+If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox.
 == Usage ==
@@ Line 52: / Line 57: @@
 === Bcachefs unlocking ===
-Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.
+Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script, in combination with the setup above, can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 64: / Line 69: @@
      done
    '';
-  in {
+in {
-    enable = true;
+  enable = true;
-    initrdBin = with pkgs; [ keyutils ];
+  initrdBin = with pkgs; [ keyutils ];
-    storePaths = ["${askPass}/bin/bcachefs-askpass"];
+  storePaths = ["${askPass}/bin/bcachefs-askpass"];
-    users.root.shell = "${askPass}/bin/bcachefs-askpass";
+  users.root.shell = "${askPass}/bin/bcachefs-askpass";
-  };
 };
 </nowiki>}}
 Using systemd in initrd automatically continues the boot process after the target <code>/sysroot</code> is mounted.
+=== Wireguard in initrd ===
+Considering you've already enabled the ssh daemon, configured networking (for example with DHCP or static IP) and configured an unlocking command, following additional snippet will enable [[WireGuard]] connectivity to a remote peer while in initrd.<syntaxhighlight lang="nix">
+boot.initrd.availableKernelModules = [ "r8169" "wireguard" ];
+boot.initrd.systemd = {
+  enable = true;
+  network = {
+    netdevs."30-wg-initrd" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-initrd";
+      };
+      wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+      wireguardPeers = [{
+        AllowedIPs = [ "10.250.0.1/32" ];
+        PublicKey = "wUE//Lwi8DZVIvAjIAtMoy+ku+hJ0w28H7ofySwAJRk=";
+        Endpoint = "198.51.100.1:51821";
+        PersistentKeepalive = 25;
+      }];
+    };
+    networks."30-wg-initrd" = {
+      name = "wg-initrd";
+      addresses = [{ Address = "10.250.0.2/24"; }];
+    };
+  };
+};
+boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/private-key";
+</syntaxhighlight>First generate a private und public key pair as mentioned in the WireGuard article. Reference the private key in <code>boot.initrd.secrets</code>, in this exmaple <code>/etc/wireguard/private-key</code>. Put the <code>PublicKey</code> of the remote peer into the <code>wireguardPeers</code> array.
+Configure the IP addresses used by your initrd peer (<code>10.250.0.2</code>) and the remote peer (<code>10.250.0.1</code>). Also specify the IP and port of the remote peer in <code>Endpoint</code>, in our example <code>198.51.100.1:51821</code>. The remote peer also needs to know address configuration and the public key of the initrd peer.
+Last but not least add the <code>wireguard</code> kernel module to <code>boot.initrd.availableKernelModules</code> beside the module required by your network device.
 === Tor in initrd ===
-An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858 krebs/2configs/tor/initrd.nix in stockholm]
+An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]
 ==== Prepare the Onion ID ====
@@ Line 87: / Line 123: @@
 * <code>hs_ed25519_secret_key</code>
-To create these files, you have to run tor once, with a dummy configuration.
+To create these files:
+ $ nix-shell -p mkp224o --command "mkp224o-donna snow -n 1 -d ."
-<pre>DataDirectory /tmp/my-dummy.tor/
+ set workdir: ./
-SOCKSPort 127.0.0.1:10050 IsolateDestAddr
+ nixuum6flqthv6ar52j5e2ldulylfsfgezykeg37iy74kqowcp5gxfyd.onion
-SOCKSPort 127.0.0.1:10063
+The files you need are in the <code>*.onion</code> directory:
-HiddenServiceDir /home/tony/tor/onion
+ $ ls *.onion
-HiddenServicePort 1234 127.0.0.1:1234</pre>
+ hostname  hs_ed25519_public_key  hs_ed25519_secret_key
-Let’s asume you created this file in <code>/home/tony/tor/tor.rc</code>.
-Verify that everything is <code>tor.rc</code> awesome, by running <code>tor -f /home/tony/tor/tor.rc --verify-config</code>. If you don’t see any errors, just run <code>tor -f /home/tony/tor/tor.rc</code>.
-You will get some output like this.
-<pre>May 21 18:38:39.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
-May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done</pre>
-Hit <code>Ctrl-C</code> and the files you need, should be in <code>/home/tony/tor/onion</code>.
 ==== Setup Tor ====
@@ Line 114: / Line 137: @@
 <syntaxhighlight lang="nix"># copy your onion folder
 boot.initrd.secrets = {
-   "/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.
+   "/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.
 };
@@ Line 183: / Line 206: @@
 <pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>
+=== Enable Wifi in initrd ===
+Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">
+{
+  boot.initrd = {
+    # crypto coprocessor and wifi modules
+    availableKernelModules = [
+      "ccm"
+      "ctr"
+      "iwlmvm"
+      "iwlwifi"
+    ];
+    systemd = {
+      enable = true;
+      packages = [ pkgs.wpa_supplicant ];
+      initrdBin = [ pkgs.wpa_supplicant ];
+      targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
+      # prevent WPA supplicant from requiring `sysinit.target`.
+      services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
+      users.root.shell = "/bin/systemd-tty-ask-password-agent";
+      network = {
+        enable = true;
+        networks."10-wlan" = {
+          matchConfig.Name = "wlp0s20f0u4";
+          DHCP = "yes";
+        };
+      };
+    };
+    network.ssh = {
+      enable = true;
+      port = 22;
+      hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      authorizedKeys = default.user.openssh.authorizedKeys.keys;
+    };
+    secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;
+  };
+}
+</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
+[[Category:Server]]
+[[Category:Cookbook]]