Remote disk unlocking: Difference between revisions
Old revision: imported>MrVanDalo (edit summary: Created page with "= Unlocking your LUKS via SSH and Tor = If you want to unlock your Computer remotely, and you are facing the problem, that you can’t reach your computer before your compute...")
New revision: imported>Mweinelt (no edit summary)

Old revision (imported>MrVanDalo) | New revision (imported>Mweinelt)
Line 1: | Line 1:
= Unlocking your LUKS via SSH and Tor = | = Unlocking your LUKS via SSH and Tor =
If you want to unlock your Computer remotely, and you are facing the problem, that you can’t reach your computer before your computer is | If you want to unlock your Computer remotely, and you are facing the problem, that you can’t reach your computer before your computer is unlocked, Tor will help you to reach your computer, even in during the boot process.
== SSH in initrd == | == SSH in initrd ==
Line 7: | Line 7:
=== Prepare SSH host keys === | === Prepare SSH host keys ===
It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your | It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your disk encryption password without authenticating the machine on the remote end!
To create a hostkey for dropbear run |
<pre>nix | <pre>nix run nixpkgs.dropbear -c dropbearkey -t ecdsa -f host_ecdsa_key</pre>
==== | ==== Known hosts ====
It’s a good idea to add the host key (which got printed during creation) to your known_hosts file e.g. <code>~/.ssh/known_hosts</code> or <code>services.openssh.knownHosts</code>. | It’s a good idea to add the host key (which got printed during creation) to your known_hosts file e.g. <code>~/.ssh/known_hosts</code> or <code>services.openssh.knownHosts</code>.
Line 24: | Line 24:
boot.initrd.network.ssh = { | boot.initrd.network.ssh = {
enable = true; | enable = true;
port = 22; |
authorizedKeys = "ssh-rsa AAAAyourpublic-key-here...."; | authorizedKeys = "ssh-rsa AAAAyourpublic-key-here....";
hostECDSAKey = /path/to/host_ecdsa_key; |
}; | };
Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v</code> for that. |
<pre>boot.initrd.availableKernelModules = [ "r8169" ];</pre> | <pre>boot.initrd.availableKernelModules = [ "r8169" ];</pre>
== Tor in initrd == | == Tor in initrd ==
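The steps in the "SSH in initrd" section (pre-generated dropbear host key, pinned in the client's known_hosts, authorized key, NIC driver in the initrd) fit together in one NixOS module. The following is an added example written for this page, not the wiki's own configuration and not taken from either revision above. The key path <code>/etc/secrets/initrd/host_ecdsa_key</code>, the port 2222, the <code>ip=dhcp</code> kernel parameter and the <code>postCommands</code>/<code>cryptsetup-askpass</code> convenience are my assumptions; "r8169" and the <code>dropbearkey</code> invocation come from the page.

```nix
# Added example (not the wiki's configuration): complete NixOS module for
# unlocking LUKS over SSH from the initrd, following the page's steps.
# Everything marked "assumption" or "placeholder" is mine, not from the page.
{ config, pkgs, lib, ... }:

{
  # Step 1: the NIC driver must be inside the initrd, otherwise there is no
  # network to log in to. "r8169" is the page's example; find your own with
  # `lspci -v` and look at "Kernel driver in use:".
  boot.initrd.availableKernelModules = [ "r8169" ];

  # Step 2 (assumption, not on the page): the initrd network code configures
  # the interface from the ip= kernel parameter, so enable it and use DHCP.
  boot.initrd.network.enable = true;
  boot.kernelParams = [ "ip=dhcp" ];

  # Step 3: dropbear in the initrd with a host key generated beforehand via
  #   nix run nixpkgs.dropbear -c dropbearkey -t ecdsa -f host_ecdsa_key
  # so the client can verify the machine on every boot instead of accepting
  # whatever key answers on the wire.
  boot.initrd.network.ssh = {
    enable = true;
    # Assumption: a port distinct from the booted system's sshd, so the
    # initrd host key and the system host key never collide under the same
    # host:port entry in known_hosts (the page uses 22).
    port = 2222;
    # The option takes a list of strings (the page writes a bare string).
    authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here...." ];  # placeholder
    # Path is an assumption. The option copies the file into the Nix store,
    # which is world-readable: use a key dedicated to the initrd and never
    # the system's own /etc/ssh host key.
    hostECDSAKey = /etc/secrets/initrd/host_ecdsa_key;
  };

  # Step 4 (assumption, not on the page): ask for the LUKS passphrase as soon
  # as the remote login shell starts. cryptsetup-askpass is the helper NixOS
  # ships in its initrd for exactly this prompt.
  boot.initrd.network.postCommands = ''
    echo 'cryptsetup-askpass' >> /root/.profile
  '';
}
```

On the client, pin the public key that <code>dropbearkey</code> printed at creation under the non-default port, e.g. <code>services.openssh.knownHosts.server-initrd = { hostNames = [ "[server.example]:2222" ]; publicKey = "ecdsa-sha2-nistp256 AAAA..."; };</code> (hostname and key are placeholders). The check that matters: on the first <code>ssh -p 2222 root@server.example</code> after a rebuild, the fingerprint ssh shows must be the one <code>dropbearkey</code> printed; a different fingerprint, or a "host key changed" warning on a later boot, means you are not talking to your initrd and the passphrase must not be typed.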