Remote disk unlocking: Difference between revisions

imported>Ikovnatsky
m Wording: theses -> these
imported>LunarEclipse
More information on the network setup, the suggested default now replaces the default ssh shell with a password prompt, simplifying its usage
Line 30: Line 30:
   enable = true;
   enable = true;
   port = 22;
   port = 22;
  shell = "/bin/cryptsetup-askpass";
   authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here...." ];
   authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here...." ];
   hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ];
   hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ];
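Review bot: the added `shell = "/bin/cryptsetup-askpass";` line carries no explanation inside the snippet, and it changes what every SSH login into the initrd receives: the passphrase prompt instead of an interactive shell, so the initrd can no longer be inspected or debugged over this sshd once the option is set. A one-line comment next to it in the `<pre>` block would save readers from discovering that the hard way, since the prose that explains it only appears in the next hunk. Minor: the `authorizedKeys` placeholder is `ssh-rsa` while `hostKeys` already lists an ed25519 key; an `ssh-ed25519` placeholder would be the more consistent example.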
Line 35: Line 36:
</pre>
</pre>


Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v</code> for that.
The <code>shell</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password.
 
=== Set up network in initrd ===
Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that.


<pre>boot.initrd.availableKernelModules = [ &quot;r8169&quot; ];</pre>
<pre>boot.initrd.availableKernelModules = [ &quot;r8169&quot; ];</pre>
You will also need to configure either a static IP address or DHCP. You can do this with the <code>ip=</code> kernel parameter.
<pre>boot.kernelParams = [ &quot;ip=dhcp&quot; ];</pre>
See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter.


== Tor in initrd ==
== Tor in initrd ==
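Review bot: the new section says "either a static IP address or DHCP" but only the DHCP form of `ip=` is shown. Since the hunk already links the nfsroot documentation, quoting its static form alongside would close the gap, for example `boot.kernelParams = [ "ip=192.0.2.10::192.0.2.1:255.255.255.0:myhost:eth0:off" ];` (fields are client-ip, server-ip, gateway, netmask, hostname, device, autoconf; the addresses here are placeholders from the documentation range). The `lspci -v | grep -iA8 'network\|ethernet'` pipeline identifies the PCI device, but the value that belongs in `boot.initrd.availableKernelModules` is the module named on the `Kernel modules:` line within those eight lines of output; saying so would connect the command to the `r8169` example that follows it.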
Line 144: Line 155:
When your computer boots, and asks for the LUKS password. Now you can unlock your encrypted Hard drive using:
When your computer boots, and asks for the LUKS password. Now you can unlock your encrypted Hard drive using:


<pre>torify ssh root@&lt;onion.id&gt;.onion -p 22 'echo &quot;my-secret-password&quot; &gt; /crypt-ramfs/passphrase'</pre>
<pre>torify ssh root@&lt;onion.id&gt;.onion -p 22 'my-secret-password</pre>


== Example ==
== Example ==
An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858 krebs/2configs/tor/initrd.nix in stockholm]
An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858 krebs/2configs/tor/initrd.nix in stockholm]
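Review bot: the replacement command on the new side, `torify ssh root@<onion.id>.onion -p 22 'my-secret-password`, has an unbalanced single quote and, read literally, passes the passphrase to ssh as a remote command rather than typing it into the prompt. With `shell = "/bin/cryptsetup-askpass"` set as the earlier hunk now recommends, the login itself lands on the passphrase prompt, so the example should be just `torify ssh root@<onion.id>.onion -p 22` with the passphrase entered interactively. That also keeps the passphrase out of the local shell history and process list, where both the old `echo "my-secret-password" > /crypt-ramfs/passphrase` form and the new form place it. The sentence above the command ("When your computer boots, and asks for the LUKS password. Now you can unlock ...") is a fragment and could be joined into one sentence.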