Remote disk unlocking: Difference between revisions
Added a point about publishing the initrd hostname when using DHCP.
m →Setup
(7 intermediate revisions by 3 users not shown)
| Line 1: | Line 1: | ||
This page describes the method for <strong>remotely</strong> unlocking LUKS / ZFS encrypted root partition during boot process. SSH or even Tor may be used to access the system. | |||
== Setup == | == Setup == | ||
Generate host key for the SSH daemon which will run in initrd during boot | Generate host key for the SSH daemon which will run in initrd during boot (required) | ||
<syntaxhighlight lang=" | <syntaxhighlight lang="console"> | ||
# mkdir -p /etc/secrets/initrd | # mkdir -p /etc/secrets/initrd | ||
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key | ||
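Review bot: the "(required)" added to the host-key step on the right-hand side should say why the key is generated with -N "" and kept under /etc/secrets/initrd rather than /etc/ssh: the sshd that runs inside the initrd has no way to supply a key passphrase, and because this key is separate from the system's normal host key the client will see a different fingerprint for the initrd session than for the booted system. Suggest telling the reader to record that fingerprint and pin it in known_hosts (for example under a distinct host alias) rather than dismissing the host-key warning at unlock time. Minor: "Generate host key" reads better as "Generate a host key".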
| Line 22: | Line 22: | ||
enable = true; | enable = true; | ||
port = 22; | port = 22; | ||
authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; | authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; # The public key of the client (Not the public key created in the previous step) (required) | ||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; | hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # The path of the private key created in the previous step (required) | ||
}; | }; | ||
postCommands = '' | postCommands = '' | ||
# | # unlock LUKS encrypted partitions | ||
echo 'cryptsetup-askpass | echo 'cryptsetup-askpass'</nowiki> >> <nowiki>/root/.profile | ||
# unlock ZFS encrypted partitions (NOTE: boot.initrd.supportedFilesystems.zfs must be true for zfs, zpool to be available here) | |||
# zpool import -a; | |||
# echo 'zfs load-key -a'</nowiki> >> <nowiki>/root/.profile | |||
# exit SSH | |||
echo 'exit'</nowiki> >> <nowiki>/root/.profile | |||
''; | ''; | ||
}; | }; | ||
}; | }; | ||
</nowiki>}} | </nowiki>}} | ||
{{Info|When using the systemd initrd (<code>boot.initrd.systemd.enable</code>, which is enabled by default starting with NixOS 26.05), <code>cryptsetup-askpass</code> is not available; use <code>systemctl default</code> instead. See the [https://nixos.org/manual/nixos/unstable/release-notes#sec-release-26.05 release notes] for more information.}} | |||
Adapt following parts according to your setup | Adapt following parts according to your setup | ||
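Review bot: the Info box added at the end of this hunk says cryptsetup-askpass is not available with the systemd initrd, yet the postCommands block directly above still writes echo 'cryptsetup-askpass' into /root/.profile, so a reader on 26.05 who copies the example gets a configuration the box immediately declares broken; either show the systemd variant (systemctl default, or the boot.initrd.systemd.users.root.shell approach mentioned later in the section) next to the scripted-initrd one, or state that this postCommands snippet applies only to the non-systemd initrd. Two smaller points: the ZFS lines "# zpool import -a;" and "# echo 'zfs load-key -a' ..." are commented out inside the shell snippet, so say explicitly that both must be uncommented together (load-key -a has nothing to act on until the pool is imported); and the final echo 'exit' runs regardless of whether the preceding unlock command succeeded, so a mistyped passphrase means reconnecting over SSH, which is worth a sentence.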
| Line 44: | Line 51: | ||
The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | The <code>postCommands</code> option is necessary to get a password prompt instead of a shell. | ||
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>boot.initrd.systemd.users.root.shell</code> option can be set to <code>/bin/conspy</code> for passwords which expect stdin. This binary included by default, and provided by busybox. | ||
Since 26.05 release, initrd is based on systemd by default. systemd-networkd must be used instead of NetworkManager, otherwise network will fail to initialize. | |||
{{file|/etc/nixos/configuration.nix|nix|3=boot.initrd.systemd.network = { | |||
enable = true; | |||
networks."eth0" = { | |||
matchConfig.Name = "eth0"; | |||
networkConfig.DHCP = "ipv4"; | |||
}; | |||
}; | |||
networking.networkmanager.enable = false; | |||
systemd.network = { | |||
enable = true; | |||
networks."eth0" = { | |||
matchConfig.Name = "eth0"; | |||
networkConfig.DHCP = "ipv4"; | |||
}; | |||
};|name=/etc/nixos/configuration.nix|lang=nix}} | |||
== Usage == | == Usage == | ||
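Review bot: matchConfig.Name = "eth0" in the new systemd-networkd block (both under boot.initrd.systemd.network and systemd.network) assumes the classic interface name; on a machine using predictable names such as enp0s3 or eno1 the match never fires, no DHCP lease is obtained in the initrd, and the SSH unlock path is simply unreachable. Suggest telling the reader to check the real name first (ip link on the running system) and to use the same name in both blocks. Formatting: the {{file}} template on the closing line passes the path and language twice, as positional arguments and again as name=/etc/nixos/configuration.nix|lang=nix; drop one pair. Wording: "Since 26.05 release, initrd is based on systemd by default" reads better as "Since the 26.05 release, the initrd is systemd-based by default", and "This binary included by default" in the unchanged context is missing "is".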