Remote disk unlocking: Difference between revisions

(8 intermediate revisions by 4 users not shown)

Line 1:

If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the ~~probllem~~, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.

If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.

== Setup ==

Line 6:

# mkdir -p /etc/secrets/initrd

# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

</syntaxhighlight>

Enable SSH daemon in ~~initrd≥~~

Enable SSH daemon in initrd

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 26:

Line 27:

postCommands = ''

# Automatically ask for the password on SSH login

echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' \

echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile

~~| tee~~ /root/.profile

'';

};

Line 78:

Using systemd in initrd automatically continues the boot process after the target <code>/sysroot</code> is mounted.

=== Wireguard in initrd ===

Considering you've already enabled the ssh daemon, configured networking (for example with DHCP or static IP) and configured an unlocking command, following additional snippet will enable [[WireGuard]] connectivity to a remote peer while in initrd.<syntaxhighlight lang="nix">

boot.initrd.availableKernelModules = [ "r8169" "wireguard" ];

boot.initrd.systemd = {

enable = true;

network = {

netdevs."30-wg-initrd" = {

netdevConfig = {

Kind = "wireguard";

Name = "wg-initrd";

};

wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };

wireguardPeers = [{

AllowedIPs = [ "10.250.0.1/32" ];

PublicKey = "wUE//Lwi8DZVIvAjIAtMoy+ku+hJ0w28H7ofySwAJRk=";

Endpoint = "198.51.100.1:51821";

PersistentKeepalive = 25;

}];

};

networks."30-wg-initrd" = {

name = "wg-initrd";

addresses = [{ Address = "10.250.0.2/24"; }];

};

boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/private-key";

</syntaxhighlight>First generate a private und public key pair as mentioned in the WireGuard article. Reference the private key in <code>boot.initrd.secrets</code>, in this exmaple <code>/etc/wireguard/private-key</code>. Put the <code>PublicKey</code> of the remote peer into the <code>wireguardPeers</code> array.

Configure the IP addresses used by your initrd peer (<code>10.250.0.2</code>) and the remote peer (<code>10.250.0.1</code>). Also specify the IP and port of the remote peer in <code>Endpoint</code>, in our example <code>198.51.100.1:51821</code>. The remote peer also needs to know address configuration and the public key of the initrd peer.

Last but not least add the <code>wireguard</code> kernel module to <code>boot.initrd.availableKernelModules</code> beside the module required by your network device.

=== Tor in initrd ===

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/~~tree~~/krebs/2configs/tor/initrd.nix~~?id=9919cb25912dfcc50881239f95494dd2f8e7b858~~ krebs/2configs/tor/initrd.nix in stockholm]

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]

==== Prepare the Onion ID ====

Line 91:

Line 123:

* <code>hs_ed25519_secret_key</code>

To create these files~~, you have to run tor once, with a dummy configuration.~~

To create these files:

$ nix-shell -p mkp224o --command "mkp224o-donna snow -n 1 -d ."

~~<pre>DataDirectory /tmp/my~~-~~dummy.tor/~~

set workdir: ./

~~SOCKSPort 127.0.0.1:10050 IsolateDestAddr~~

nixuum6flqthv6ar52j5e2ldulylfsfgezykeg37iy74kqowcp5gxfyd.onion

~~SOCKSPort 127.0.0.1:10063~~

The files you need are in the <code>*.onion</code> directory:

~~HiddenServiceDir /home/tony/tor/onion~~

$ ls *.onion

~~HiddenServicePort 1234 127.0.0.1:1234</pre>~~

hostname hs_ed25519_public_key hs_ed25519_secret_key

~~Let’s asume you created this file in <code>/home/tony/tor/tor.rc</code>.~~

~~Verify that everything is <code>tor.rc</code> awesome, by running <code>tor~~ -~~f /home/tony/tor/tor.rc~~ --~~verify~~-~~config</code>. If you don’t see any errors, just run <code>tor~~ -~~f /home/tony/tor/tor.rc</code>~~.

~~You will get some output like this.~~

~~<pre>May 21 18~~:~~38:39~~.~~000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits~~

~~May 21 18:38:39~~.~~000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit~~

~~May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done</pre>~~

~~Hit <code>Ctrl-C</code> and the~~ files you need~~, should be~~ in <code>~~/home/tony/tor/~~onion</code>.

==== Setup Tor ====

Line 118:

Line 137:

<syntaxhighlight lang="nix"># copy your onion folder

boot.initrd.secrets = {

"/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.

"/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.

};

Line 190:

Line 209:

=== Enable Wifi in initrd ===

Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">

boot.initrd = {

{

# crypto coprocessor and wifi modules

boot.initrd = {

availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];

# crypto coprocessor and wifi modules

availableKernelModules = [

"ccm"

"ctr"

"iwlmvm"

"iwlwifi"

];

systemd = {

enable = true;

packages = [ pkgs.wpa_supplicant ];

initrdBin = [ pkgs.wpa_supplicant ];

targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];

# prevent WPA supplicant from requiring `sysinit.target`.

services."wpa_supplicant@".unitConfig.DefaultDependencies = false;

users.root.shell = "/bin/systemd-tty-ask-password-agent";

network ~~= {~~

network = {

~~enable = true;~~

~~networks."10-wlan" = {~~

~~matchConfig.Name = "wlp0s20f0u4";~~

~~networkConfig.DHCP = "yes";~~

};

~~ssh~~ = {

enable = true;

~~port~~ = 22;

networks."10-wlan" = {

~~hostKeys~~ = [ "~~/etc/ssh/ssh_host_ed25519_key~~" ];

matchConfig.Name = "wlp0s20f0u4";

~~authorizedKeys = default.user.openssh.authorizedKeys.keys~~;

DHCP = "yes";

};

network.ssh = {

enable = true;

port = 22;

hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];

authorizedKeys = default.user.openssh.authorizedKeys.keys;

};

secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;

};

</syntaxhighlight>The file <code>~~wpa_supplicat~~-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.

}

</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.

[[Category:Server]]

[[Category:Cookbook]]

@@ Line 1: / Line 1: @@
-If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the probllem, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.
+If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.
 == Setup ==
@@ Line 6: / Line 6: @@
 <syntaxhighlight lang="bash">
+# mkdir -p /etc/secrets/initrd
 # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
 </syntaxhighlight>
-Enable SSH daemon in initrd≥
+Enable SSH daemon in initrd
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 26: / Line 27: @@
      postCommands = ''
        # Automatically ask for the password on SSH login
-       echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' \
+       echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
-        | tee /root/.profile
      '';
    };
@@ Line 78: / Line 78: @@
 Using systemd in initrd automatically continues the boot process after the target <code>/sysroot</code> is mounted.
+=== Wireguard in initrd ===
+Considering you've already enabled the ssh daemon, configured networking (for example with DHCP or static IP) and configured an unlocking command, following additional snippet will enable [[WireGuard]] connectivity to a remote peer while in initrd.<syntaxhighlight lang="nix">
+boot.initrd.availableKernelModules = [ "r8169" "wireguard" ];
+boot.initrd.systemd = {
+  enable = true;
+  network = {
+    netdevs."30-wg-initrd" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "wg-initrd";
+      };
+      wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
+      wireguardPeers = [{
+        AllowedIPs = [ "10.250.0.1/32" ];
+        PublicKey = "wUE//Lwi8DZVIvAjIAtMoy+ku+hJ0w28H7ofySwAJRk=";
+        Endpoint = "198.51.100.1:51821";
+        PersistentKeepalive = 25;
+      }];
+    };
+    networks."30-wg-initrd" = {
+      name = "wg-initrd";
+      addresses = [{ Address = "10.250.0.2/24"; }];
+    };
+  };
+};
+boot.initrd.secrets."/etc/secrets/30-wg-initrd.key" = "/etc/wireguard/private-key";
+</syntaxhighlight>First generate a private und public key pair as mentioned in the WireGuard article. Reference the private key in <code>boot.initrd.secrets</code>, in this exmaple <code>/etc/wireguard/private-key</code>. Put the <code>PublicKey</code> of the remote peer into the <code>wireguardPeers</code> array.
+Configure the IP addresses used by your initrd peer (<code>10.250.0.2</code>) and the remote peer (<code>10.250.0.1</code>). Also specify the IP and port of the remote peer in <code>Endpoint</code>, in our example <code>198.51.100.1:51821</code>. The remote peer also needs to know address configuration and the public key of the initrd peer.
+Last but not least add the <code>wireguard</code> kernel module to <code>boot.initrd.availableKernelModules</code> beside the module required by your network device.
 === Tor in initrd ===
-An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858 krebs/2configs/tor/initrd.nix in stockholm]
+An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/makefu/stockholm/src/commit/9b1008814e981dc01afe9ee7446322ad512c1d72/krebs/2configs/tor/initrd.nix krebs/2configs/tor/initrd.nix in stockholm]
 ==== Prepare the Onion ID ====
@@ Line 91: / Line 123: @@
 * <code>hs_ed25519_secret_key</code>
-To create these files, you have to run tor once, with a dummy configuration.
+To create these files:
+ $ nix-shell -p mkp224o --command "mkp224o-donna snow -n 1 -d ."
-<pre>DataDirectory /tmp/my-dummy.tor/
+ set workdir: ./
-SOCKSPort 127.0.0.1:10050 IsolateDestAddr
+ nixuum6flqthv6ar52j5e2ldulylfsfgezykeg37iy74kqowcp5gxfyd.onion
-SOCKSPort 127.0.0.1:10063
+The files you need are in the <code>*.onion</code> directory:
-HiddenServiceDir /home/tony/tor/onion
+ $ ls *.onion
-HiddenServicePort 1234 127.0.0.1:1234</pre>
+ hostname  hs_ed25519_public_key  hs_ed25519_secret_key
-Let’s asume you created this file in <code>/home/tony/tor/tor.rc</code>.
-Verify that everything is <code>tor.rc</code> awesome, by running <code>tor -f /home/tony/tor/tor.rc --verify-config</code>. If you don’t see any errors, just run <code>tor -f /home/tony/tor/tor.rc</code>.
-You will get some output like this.
-<pre>May 21 18:38:39.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
-May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done</pre>
-Hit <code>Ctrl-C</code> and the files you need, should be in <code>/home/tony/tor/onion</code>.
 ==== Setup Tor ====
@@ Line 118: / Line 137: @@
 <syntaxhighlight lang="nix"># copy your onion folder
 boot.initrd.secrets = {
-   "/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.
+   "/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.
 };
@@ Line 190: / Line 209: @@
 === Enable Wifi in initrd ===
 Following example configuration by [https://discourse.nixos.org/t/wireless-connection-within-initrd/38317/13 @loutr] enables wifi connections inside initrd. Replace interface name <code>wlp0s20f0u4</code> with the name of your wifi adapter. Depending on your wifi device, you might need to add different kernel modules.<syntaxhighlight lang="nix">
-boot.initrd = {
+{
-  # crypto coprocessor and wifi modules
+  boot.initrd = {
-  availableKernelModules = [ "ccm" "ctr" "iwlmvm" "iwlwifi" ];
+    # crypto coprocessor and wifi modules
+    availableKernelModules = [
+      "ccm"
+      "ctr"
+      "iwlmvm"
+      "iwlwifi"
+    ];
-  systemd = {
+    systemd = {
-    enable = true;
+      enable = true;
-    packages = [ pkgs.wpa_supplicant ];
+      packages = [ pkgs.wpa_supplicant ];
-    initrdBin = [ pkgs.wpa_supplicant ];
+      initrdBin = [ pkgs.wpa_supplicant ];
-    targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
+      targets.initrd.wants = [ "wpa_supplicant@wlp0s20f0u4.service" ];
-    # prevent WPA supplicant from requiring `sysinit.target`.
+      # prevent WPA supplicant from requiring `sysinit.target`.
-    services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
+      services."wpa_supplicant@".unitConfig.DefaultDependencies = false;
-    users.root.shell = "/bin/systemd-tty-ask-password-agent";
+      users.root.shell = "/bin/systemd-tty-ask-password-agent";
-    network = {
+      network = {
-      enable = true;
-      networks."10-wlan" = {
-        matchConfig.Name = "wlp0s20f0u4";
-        networkConfig.DHCP = "yes";
-      };
-      ssh = {
          enable = true;
-         port = 22;
+         networks."10-wlan" = {
-        hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+          matchConfig.Name = "wlp0s20f0u4";
-         authorizedKeys = default.user.openssh.authorizedKeys.keys;
+          DHCP = "yes";
+         };
        };
+    };
+    network.ssh = {
+      enable = true;
+      port = 22;
+      hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      authorizedKeys = default.user.openssh.authorizedKeys.keys;
      };
      secrets."/etc/wpa_supplicant/wpa_supplicant-wlp0s20f0u4.conf" = /root/secrets/wpa_supplicant.conf;
    };
-</syntaxhighlight>The file <code>wpa_supplicat-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
+}
+</syntaxhighlight>The file <code>wpa_supplicant-wlp0s20f0u4.conf</code> is the wireless profile used by [[wpa_supplicant]] which will get copied into the initramfs.
 [[Category:Server]]
 [[Category:Cookbook]]