Remote disk unlocking: Difference between revisions

(5 intermediate revisions by 3 users not shown)

Line 1:

~~If you want to unlock your computer~~ remotely ~~via~~ SSH or even ~~through~~ Tor~~, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you~~ to ~~reach your computer, even during~~ the ~~boot process~~.

This page describes the method for <strong>remotely</strong> unlocking LUKS / ZFS encrypted root partition during boot process. SSH or even Tor may be used to access the system.

== Setup ==

Generate host key for the SSH daemon which will run in initrd during boot

Generate host key for the SSH daemon which will run in initrd during boot (required)

# mkdir -p /etc/secrets/initrd

# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

Line 22:

enable = true;

port = 22;

authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];

authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; # The public key of the client (Not the public key created in the previous step) (required)

hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];

hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # The path of the private key created in the previous step (required)

};

postCommands = ''

# ~~Automatically ask for the password on SSH login~~

# unlock LUKS encrypted partitions

echo 'cryptsetup-askpass || echo ~~"Unlock was successful; exiting~~ SSH ~~session" &&~~ exit 1'</nowiki> >> <nowiki>/root/.profile

echo 'cryptsetup-askpass'</nowiki> >> <nowiki>/root/.profile

# unlock ZFS encrypted partitions (NOTE: boot.initrd.supportedFilesystems.zfs must be true for zfs, zpool to be available here)

# zpool import -a;

# echo 'zfs load-key -a'</nowiki> >> <nowiki>/root/.profile

# exit SSH

echo 'exit'</nowiki> >> <nowiki>/root/.profile

'';

};

Line 37:

Line 42:

* '''authorizedKeys''': Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option.

* '''availableKernelModules''': Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that.

* '''kernelParams''': ~~Instead of~~ using DHCP you could also configure a static IP~~, for example with kernel parameter~~ <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP, <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter~~. When using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang~~.

* '''kernelParams''':

** When using a dynamic IP address with DHCP you might want to publish your hostname already in the initrd so it can be resolved in the local network: <code>boot.kernelParams = [ "ip=::::${config.networking.hostName}::dhcp" ];</code><ref>https://github.com/NixOS/nixpkgs/issues/63941#issuecomment-2628615604</ref> Note that when using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang.

** You could also configure a static IP <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP, <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter.

Line 123:

Line 130:

* <code>hs_ed25519_secret_key</code>

To create these files~~, you have to run tor once, with a dummy configuration.~~

To create these files:

$ nix-shell -p mkp224o --command "mkp224o-donna snow -n 1 -d ."

~~<pre>DataDirectory /tmp/my~~-~~dummy.tor/~~

set workdir: ./

~~SOCKSPort 127.0.0.1:10050 IsolateDestAddr~~

nixuum6flqthv6ar52j5e2ldulylfsfgezykeg37iy74kqowcp5gxfyd.onion

~~SOCKSPort 127.0.0.1:10063~~

The files you need are in the <code>*.onion</code> directory:

~~HiddenServiceDir /home/tony/tor/onion~~

$ ls *.onion

~~HiddenServicePort 1234 127.0.0.1:1234</pre>~~

hostname hs_ed25519_public_key hs_ed25519_secret_key

~~Let’s asume you created this file in <code>/home/tony/tor/tor.rc</code>.~~

~~Verify that everything is <code>tor.rc</code> awesome, by running <code>tor~~ -~~f /home/tony/tor/tor.rc~~ --~~verify~~-~~config</code>. If you don’t see any errors, just run <code>tor~~ -~~f /home/tony/tor/tor.rc</code>~~.

~~You will get some output like this.~~

~~<pre>May 21 18~~:~~38:39~~.~~000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits~~

~~May 21 18:38:39~~.~~000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits~~

~~May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit~~

~~May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done</pre>~~

~~Hit <code>Ctrl-C</code> and the~~ files you need~~, should be~~ in <code>~~/home/tony/tor/~~onion</code>.

==== Setup Tor ====

Line 150:

Line 144:

<syntaxhighlight lang="nix"># copy your onion folder

boot.initrd.secrets = {

"/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.

"/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.

};

@@ Line 1: / Line 1: @@
-If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.
+This page describes the method for <strong>remotely</strong> unlocking LUKS / ZFS encrypted root partition during boot process. SSH or even Tor may be used to access the system.
 == Setup ==
-Generate host key for the SSH daemon which will run in initrd during boot
+Generate host key for the SSH daemon which will run in initrd during boot (required)
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
 # mkdir -p /etc/secrets/initrd
 # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
@@ Line 22: / Line 22: @@
        enable = true;
        port = 22;
-       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
+       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; # The public key of the client (Not the public key created in the previous step) (required)
-       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # The path of the private key created in the previous step (required)
      };
      postCommands = ''
-       # Automatically ask for the password on SSH login
+       # unlock LUKS encrypted partitions
-       echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
+       echo 'cryptsetup-askpass'</nowiki> >> <nowiki>/root/.profile
+      # unlock ZFS encrypted partitions (NOTE: boot.initrd.supportedFilesystems.zfs must be true for zfs, zpool to be available here)
+      # zpool import -a;
+      # echo 'zfs load-key -a'</nowiki> >> <nowiki>/root/.profile
+      # exit SSH
+      echo 'exit'</nowiki> >> <nowiki>/root/.profile
      '';
    };
@@ Line 37: / Line 42: @@
 * '''authorizedKeys''': Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option.
 * '''availableKernelModules''': Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that.
-* '''kernelParams''': Instead of using DHCP you could also configure a static IP, for example with kernel parameter <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP, <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter. When using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang.
+* '''kernelParams''':
+** When using a dynamic IP address with DHCP you might want to publish your hostname already in the initrd so it can be resolved in the local network: <code>boot.kernelParams = [ "ip=::::${config.networking.hostName}::dhcp" ];</code><ref>https://github.com/NixOS/nixpkgs/issues/63941#issuecomment-2628615604</ref> Note that when using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang.
+** You could also configure a static IP <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP, <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter.
@@ Line 123: / Line 130: @@
 * <code>hs_ed25519_secret_key</code>
-To create these files, you have to run tor once, with a dummy configuration.
+To create these files:
+ $ nix-shell -p mkp224o --command "mkp224o-donna snow -n 1 -d ."
-<pre>DataDirectory /tmp/my-dummy.tor/
+ set workdir: ./
-SOCKSPort 127.0.0.1:10050 IsolateDestAddr
+ nixuum6flqthv6ar52j5e2ldulylfsfgezykeg37iy74kqowcp5gxfyd.onion
-SOCKSPort 127.0.0.1:10063
+The files you need are in the <code>*.onion</code> directory:
-HiddenServiceDir /home/tony/tor/onion
+ $ ls *.onion
-HiddenServicePort 1234 127.0.0.1:1234</pre>
+ hostname  hs_ed25519_public_key  hs_ed25519_secret_key
-Let’s asume you created this file in <code>/home/tony/tor/tor.rc</code>.
-Verify that everything is <code>tor.rc</code> awesome, by running <code>tor -f /home/tony/tor/tor.rc --verify-config</code>. If you don’t see any errors, just run <code>tor -f /home/tony/tor/tor.rc</code>.
-You will get some output like this.
-<pre>May 21 18:38:39.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
-May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
-May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done</pre>
-Hit <code>Ctrl-C</code> and the files you need, should be in <code>/home/tony/tor/onion</code>.
 ==== Setup Tor ====
@@ Line 150: / Line 144: @@
 <syntaxhighlight lang="nix"># copy your onion folder
 boot.initrd.secrets = {
-   "/etc/tor/onion/bootup"; = /home/tony/tor/onion; # maybe find a better spot to store this.
+   "/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.
 };