Remote disk unlocking: Difference between revisions
imported>Fadenb syntaxHighlight a code block & fix HTML entities for double quotes that somehow showed up in the process |
Properly escape greater than signs |
||
(12 intermediate revisions by 6 users not shown) | |||
Line 6: | Line 6: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# ssh-keygen -t | # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 12: | Line 12: | ||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | {{file|/etc/nixos/configuration.nix|nix|<nowiki> | ||
boot.initrd = { | boot.initrd = { | ||
availableKernelModules = [ "r8169" ]; | availableKernelModules = [ "r8169" ]; | ||
network = { | network = { | ||
enable = true; | enable = true; | ||
udhcpc.enable = true; | |||
flushBeforeStage2 = true; | |||
ssh = { | ssh = { | ||
enable = true; | enable = true; | ||
port = 22; | port = 22; | ||
authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | ||
hostKeys = [ "/etc/secrets/initrd/ | hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; | ||
}; | }; | ||
postCommands = '' | |||
# Automatically ask for the password on SSH login | |||
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile | |||
''; | |||
}; | }; | ||
}; | }; | ||
Line 35: | Line 39: | ||
The <code> | The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | ||
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | ||
== Usage == | == Usage == | ||
Line 49: | Line 53: | ||
== Tips and tricks == | == Tips and tricks == | ||
=== Bcachefs unlocking === | |||
Unlocking encrypted Bcachefs root filesystems is [https://github.com/NixOS/nixpkgs/issues/291529 not yet supported]. As a workaround, following script, in combination with the setup above, can be used as SSH shell, to unlock the disk <code>/dev/vda2</code>. | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
boot.initrd.systemd = let | |||
askPass = pkgs.writeShellScriptBin "bcachefs-askpass" '' | |||
keyctl link @u @s | |||
mkdir /sysroot | |||
until bcachefs mount /dev/vda2 /sysroot | |||
do | |||
sleep 1 | |||
done | |||
''; | |||
in { | |||
enable = true; | |||
initrdBin = with pkgs; [ keyutils ]; | |||
storePaths = ["${askPass}/bin/bcachefs-askpass"]; | |||
users.root.shell = "${askPass}/bin/bcachefs-askpass"; | |||
}; | |||
</nowiki>}} | |||
Using systemd in initrd automatically continues the boot process after the target <code>/sysroot</code> is mounted. | |||
=== Tor in initrd === | === Tor in initrd === | ||
Line 117: | Line 145: | ||
echo "tor: starting tor" | echo "tor: starting tor" | ||
tor -f ${torRc} --verify-config | tor -f ${torRc} --verify-config | ||
tor -f ${torRc} & | tor -f ${torRc} & | ||
'';</syntaxhighlight> | '';</syntaxhighlight> | ||
That was it. Tor should be running during your boot process. | That was it. Tor should be running during your boot process. | ||
Line 157: | Line 185: | ||
When your computer boots, and asks for the LUKS password. Now you can unlock your encrypted Hard drive using: | When your computer boots, and asks for the LUKS password. Now you can unlock your encrypted Hard drive using: | ||
<pre>torify ssh root@ | <pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre> | ||
=== Enable Wifi in initrd === | |||
Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix"> | |||
boot.initrd = { | |||
# crypto coprocessor and wifi modules | |||
availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ]; | |||
systemd = { | |||
enable = true; | |||
packages = [ pkgs.wpa_supplicant ]; | |||
initrdBin = [ pkgs.wpa_supplicant ]; | |||
targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ]; | |||
# prevent WPA supplicant from requiring `sysinit.target`. | |||
services."wpa_supplicant@".unitConfig.DefaultDependencies = false; | |||
users.root.shell = "/bin/systemd-tty-ask-password-agent"; | |||
network = { | |||
enable = true; | |||
networks."10-wlan" = { | |||
matchConfig.Name = "wlp0s20f0u4"; | |||
networkConfig.DHCP = "yes"; | |||
}; | |||
ssh = { | |||
enable = true; | |||
port = 22; | |||
hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ]; | |||
authorizedKeys = default.user.openssh.authorizedKeys.keys; | |||
}; | |||
}; | |||
secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf; | |||
}; | |||
</syntaxhighlight>The file <code>wpa_supplicat-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs. | |||
[[Category:Server]] | |||
[[Category:Cookbook]] |