Remote disk unlocking: Difference between revisions
Simpler instructions for setting up tor |
m →Setup |
||
| (8 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
This page describes the method for <strong>remotely</strong> unlocking LUKS / ZFS encrypted root partition during boot process. SSH or even Tor may be used to access the system. | |||
== Setup == | == Setup == | ||
Generate host key for the SSH daemon which will run in initrd during boot | Generate host key for the SSH daemon which will run in initrd during boot (required) | ||
<syntaxhighlight lang=" | <syntaxhighlight lang="console"> | ||
# mkdir -p /etc/secrets/initrd | # mkdir -p /etc/secrets/initrd | ||
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | ||
| Line 22: | Line 22: | ||
enable = true; | enable = true; | ||
port = 22; | port = 22; | ||
authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; # The public key of the client (Not the public key created in the previous step) (required) | ||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; | hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # The path of the private key created in the previous step (required) | ||
}; | }; | ||
postCommands = '' | postCommands = '' | ||
# | # unlock LUKS encrypted partitions | ||
echo 'cryptsetup-askpass | echo 'cryptsetup-askpass'</nowiki> >> <nowiki>/root/.profile | ||
# unlock ZFS encrypted partitions (NOTE: boot.initrd.supportedFilesystems.zfs must be true for zfs, zpool to be available here) | |||
# zpool import -a; | |||
# echo 'zfs load-key -a'</nowiki> >> <nowiki>/root/.profile | |||
# exit SSH | |||
echo 'exit'</nowiki> >> <nowiki>/root/.profile | |||
''; | ''; | ||
}; | }; | ||
}; | }; | ||
</nowiki>}} | </nowiki>}} | ||
{{Info|When using the systemd initrd (<code>boot.initrd.systemd.enable</code>, which is enabled by default starting with NixOS 26.05), <code>cryptsetup-askpass</code> is not available; use <code>systemctl default</code> instead. See the [https://nixos.org/manual/nixos/unstable/release-notes#sec-release-26.05 release notes] for more information.}} | |||
Adapt following parts according to your setup | Adapt following parts according to your setup | ||
| Line 37: | Line 44: | ||
* '''authorizedKeys''': Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option. | * '''authorizedKeys''': Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option. | ||
* '''availableKernelModules''': Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that. | * '''availableKernelModules''': Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that. | ||
* '''kernelParams''': | * '''kernelParams''': | ||
** When using a dynamic IP address with DHCP you might want to publish your hostname already in the initrd so it can be resolved in the local network: <code>boot.kernelParams = [ "ip=::::${config.networking.hostName}::dhcp" ];</code><ref>https://github.com/NixOS/nixpkgs/issues/63941#issuecomment-2628615604</ref> Note that when using DHCP, make sure your computer is always attached to the network and is able to get an IP adress, or the boot process will hang. | |||
** You could also configure a static IP <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP, <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter. | |||
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | ||
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | ||
Since 26.05 release, initrd is based on systemd by default. systemd-networkd must be used instead of NetworkManager, otherwise network will fail to initialize. | |||
{{file|/etc/nixos/configuration.nix|nix|3=boot.initrd.systemd.network = { | |||
enable = true; | |||
networks."eth0" = { | |||
matchConfig.Name = "eth0"; | |||
networkConfig.DHCP = "ipv4"; | |||
}; | |||
}; | |||
networking.networkmanager.enable = false; | |||
systemd.network = { | |||
enable = true; | |||
networks."eth0" = { | |||
matchConfig.Name = "eth0"; | |||
networkConfig.DHCP = "ipv4"; | |||
}; | |||
};|name=/etc/nixos/configuration.nix|lang=nix}} | |||
== Usage == | == Usage == | ||