Remote disk unlocking: Difference between revisions

(3 intermediate revisions by the same user not shown)

Line 1:

~~If you want to unlock your computer~~ remotely ~~via~~ SSH or even ~~through~~ Tor~~, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you~~ to ~~reach your computer, even during~~ the ~~boot process~~.

This page describes the method for <strong>remotely</strong> unlocking LUKS / ZFS encrypted root partition during boot process. SSH or even Tor may be used to access the system.

== Setup ==

Generate host key for the SSH daemon which will run in initrd during boot

Generate host key for the SSH daemon which will run in initrd during boot (required)

# mkdir -p /etc/secrets/initrd

# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

Line 22:

enable = true;

port = 22;

authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];

authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; # The public key of the client (Not the public key created in the previous step) (required)

hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];

hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # The path of the private key created in the previous step (required)

};

postCommands = ''

# ~~Automatically ask for the password on SSH login~~

# unlock LUKS encrypted partitions

echo 'cryptsetup-askpass || echo ~~"Unlock was successful; exiting~~ SSH ~~session" &&~~ exit 1'</nowiki> >> <nowiki>/root/.profile

echo 'cryptsetup-askpass'</nowiki> >> <nowiki>/root/.profile

# unlock ZFS encrypted partitions (NOTE: boot.initrd.supportedFilesystems.zfs must be true for zfs, zpool to be available here)

# zpool import -a;

# echo 'zfs load-key -a'</nowiki> >> <nowiki>/root/.profile

# exit SSH

echo 'exit'</nowiki> >> <nowiki>/root/.profile

'';

};

@@ Line 1: / Line 1: @@
-If you want to unlock your computer remotely via SSH or even through Tor, and you are facing the problem, that you can’t reach your computer before your computer is unlocked. Tor will help you to reach your computer, even during the boot process.
+This page describes the method for <strong>remotely</strong> unlocking LUKS / ZFS encrypted root partition during boot process. SSH or even Tor may be used to access the system.
 == Setup ==
-Generate host key for the SSH daemon which will run in initrd during boot
+Generate host key for the SSH daemon which will run in initrd during boot (required)
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="console">
 # mkdir -p /etc/secrets/initrd
 # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
@@ Line 22: / Line 22: @@
        enable = true;
        port = 22;
-       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
+       authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ]; # The public key of the client (Not the public key created in the previous step) (required)
-       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+       hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; # The path of the private key created in the previous step (required)
      };
      postCommands = ''
-       # Automatically ask for the password on SSH login
+       # unlock LUKS encrypted partitions
-       echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1'</nowiki> >> <nowiki>/root/.profile
+       echo 'cryptsetup-askpass'</nowiki> >> <nowiki>/root/.profile
+      # unlock ZFS encrypted partitions (NOTE: boot.initrd.supportedFilesystems.zfs must be true for zfs, zpool to be available here)
+      # zpool import -a;
+      # echo 'zfs load-key -a'</nowiki> >> <nowiki>/root/.profile
+      # exit SSH
+      echo 'exit'</nowiki> >> <nowiki>/root/.profile
      '';
    };