Remote disk unlocking: Difference between revisions
imported>Mweinelt (m, no edit summary)
imported>0x4A6F (no edit summary)
Revision as of 22:50, 19 June 2020
Unlocking your LUKS via SSH and Tor
If you want to unlock your computer remotely but cannot reach it before it is unlocked, Tor lets you reach it even during the boot process.
SSH in initrd
Prepare SSH host keys
It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your disk encryption password without authenticating the machine on the remote end!
To create a hostkey for dropbear run
nix run nixpkgs.dropbear -c dropbearkey -t ecdsa -f host_ecdsa_key
Known hosts
It’s a good idea to add the host key (which is printed during creation) to your known_hosts file, e.g. ~/.ssh/known_hosts or services.openssh.knownHosts.
Set up SSH in initrd
Setting up ssh is very easy.
# ssh setup
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
  enable = true;
  port = 22;
  authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here...." ]; # a list of public keys
  hostECDSAKey = /path/to/host_ecdsa_key;
};
Most likely your network card will not work unless its kernel module is part of the initrd, so find out which module your network card uses (lspci -v shows it) and add it:
boot.initrd.availableKernelModules = [ "r8169" ];
Tor in initrd
Prepare the Onion ID
You need 3 files to create an onion id (a.k.a. tor hidden service):
hostname
hs_ed25519_public_key
hs_ed25519_secret_key
To create these files, you have to run tor once with a dummy configuration.
DataDirectory /tmp/my-dummy.tor/
SOCKSPort 127.0.0.1:10050 IsolateDestAddr
SOCKSPort 127.0.0.1:10063
HiddenServiceDir /home/tony/tor/onion
HiddenServicePort 1234 127.0.0.1:1234
Let’s assume you created this file as /home/tony/tor/tor.rc.
Verify that the configuration is valid by running tor -f /home/tony/tor/tor.rc --verify-config. If you don’t see any errors, run tor -f /home/tony/tor/tor.rc.
You will get some output like this.
May 21 18:38:39.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done
Hit Ctrl-C; the files you need should now be in /home/tony/tor/onion.
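The dummy run above, scripted end to end as an added example (this is not from the wiki page and not part of NixOS): it writes the throw-away torrc, starts tor, waits until all three onion files exist, stops tor and prints the .onion name. The function names and the work directory layout are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: automate the "dummy run" that
# makes Tor generate hostname, hs_ed25519_public_key and
# hs_ed25519_secret_key. Function names are assumed (my own).
set -u

# Write the throw-away torrc into WORKDIR; the onion files land in WORKDIR/onion.
write_dummy_torrc() {
    workdir=$1
    mkdir -p "$workdir/onion" "$workdir/data"
    chmod 700 "$workdir/onion" "$workdir/data"   # tor refuses looser modes
    cat > "$workdir/tor.rc" <<EOF
DataDirectory $workdir/data
SOCKSPort 127.0.0.1:10050 IsolateDestAddr
SOCKSPort 127.0.0.1:10063
HiddenServiceDir $workdir/onion
HiddenServicePort 1234 127.0.0.1:1234
EOF
    printf '%s\n' "$workdir/tor.rc"
}

# Poll until all three files exist and are non-empty; returns 1 on timeout (seconds).
wait_for_onion_files() {
    dir=$1; timeout=$2
    while [ "$timeout" -gt 0 ]; do
        if [ -s "$dir/hostname" ] && [ -s "$dir/hs_ed25519_public_key" ] \
           && [ -s "$dir/hs_ed25519_secret_key" ]; then
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}
# Verify the config, run tor in the background, wait, stop it, print the .onion name.
generate_onion() {
    workdir=$1
    rc=$(write_dummy_torrc "$workdir")
    tor -f "$rc" --verify-config >/dev/null || return 1
    tor -f "$rc" >"$workdir/tor.log" 2>&1 &
    pid=$!
    if wait_for_onion_files "$workdir/onion" 120; then
        cat "$workdir/onion/hostname"
    else
        echo "timeout: onion files missing, see $workdir/tor.log" >&2
    fi
    kill "$pid"
}

if [ "${1:-}" = "generate" ]; then generate_onion "${2:-$HOME/tor}"; fi
```

Run it as `sh gen-onion.sh generate /home/tony/tor`; the resulting onion directory is what boot.initrd.secrets copies into the initrd below.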
Setup Tor
Now that you have your 3 files, you have to script a bit, but it’s not too complicated.
# copy your onion folder
boot.initrd.secrets = {
  "/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.
};
# copy tor to your initrd
boot.initrd.extraUtilsCommands = ''
  copy_bin_and_libs ${pkgs.tor}/bin/tor
'';
# start tor during boot process
boot.initrd.network.postCommands = let
  torRc = (pkgs.writeText "tor.rc" ''
    DataDirectory /etc/tor
    SOCKSPort 127.0.0.1:9050 IsolateDestAddr
    SOCKSPort 127.0.0.1:9063
    HiddenServiceDir /etc/tor/onion/bootup
    HiddenServicePort 22 127.0.0.1:22
  '');
in ''
  echo "tor: preparing onion folder"
  # have to do this otherwise tor does not want to start
  chmod -R 700 /etc/tor
  echo "make sure localhost is up"
  ip a a 127.0.0.1/8 dev lo
  ip link set lo up
  echo "tor: starting tor"
  tor -f ${torRc} --verify-config
  tor -f ${torRc} &
'';
That was it. Tor should be running during your boot process.
Setup ntpdate
If your system has no RTC, you have to make sure the time is set correctly before Tor starts, since Tor needs a reasonably accurate clock to bootstrap.
Append to your boot.initrd.extraUtilsCommands:
copy_bin_and_libs ${pkgs.ntp}/bin/ntpdate
Then use this snippet before echo "tor: starting tor" in your boot.initrd.network.postCommands.
echo "ntp: starting ntpdate"
echo "ntp 123/tcp" >> /etc/services
echo "ntp 123/udp" >> /etc/services
ntpdate w.x.y.z # pick one IP from https://www.ntppool.org/
Unlock your LUKS via SSH and Tor
When your computer boots and asks for the LUKS password, you can unlock your encrypted hard drive using:
torify ssh root@<onion.id>.onion -p 22 'echo "my-secret-password" > /crypt-ramfs/passphrase'
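A client-side helper for the "Known hosts" and unlock steps above, added here as an example (not from the wiki page): it pins the dropbear host key to the .onion name in a dedicated known_hosts file, connects with strict host key checking, and sends the passphrase over the SSH connection's stdin so it does not end up in the command line or shell history. The function names are my own, and the public key file is assumed to hold an OpenSSH-format key line like the one dropbearkey -y prints.

```shell
#!/bin/sh
# Added example, not from the wiki page: client-side helper that pins
# the dropbear host key for the .onion name and sends the passphrase
# over stdin instead of on the command line. Function names are assumed.
set -u

# Append a known_hosts line for ONION from an OpenSSH-format public key line
# ("ecdsa-sha2-nistp256 AAAA... comment"), such as dropbearkey -y prints.
pin_onion_host_key() {
    onion=$1; pubkey_file=$2; known_hosts=$3
    keyline=$(grep -E '^(ecdsa-sha2-nistp[0-9]+|ssh-ed25519|ssh-rsa) ' "$pubkey_file" | head -n 1)
    [ -n "$keyline" ] || { echo "no public key in $pubkey_file" >&2; return 1; }
    keytype=$(printf '%s' "$keyline" | cut -d' ' -f1)
    keydata=$(printf '%s' "$keyline" | cut -d' ' -f2)
    printf '%s %s %s\n' "$onion" "$keytype" "$keydata" >> "$known_hosts"
}

# ssh options: trust only the pinned file; an unknown or changed key aborts.
unlock_ssh_opts() {
    printf '%s' "-o UserKnownHostsFile=$1 -o StrictHostKeyChecking=yes -o BatchMode=yes"
}

# Read the passphrase without echo and stream it into /crypt-ramfs/passphrase
# (the same file the page writes), so it never appears in argv or history.
unlock_remote() {
    onion=$1; known_hosts=$2
    printf 'LUKS passphrase: ' >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    # shellcheck disable=SC2046  the options are deliberately word-split
    printf '%s\n' "$pass" | torify ssh $(unlock_ssh_opts "$known_hosts") -p 22 \
        "root@$onion" 'cat > /crypt-ramfs/passphrase'
    unset pass
}

if [ "${1:-}" = "unlock" ]; then unlock_remote "$2" "$3"; fi
```

Pin the key once with `pin_onion_host_key <onion.id>.onion host_ecdsa_key.pub ~/.ssh/known_hosts.initrd`, then unlock with `sh unlock.sh unlock <onion.id>.onion ~/.ssh/known_hosts.initrd`.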