Remote disk unlocking: Difference between revisions
Revision as of 13:12, 19 February 2024
If you want to unlock your computer remotely via SSH, or even through Tor, you face the problem that you can't reach your computer before it is unlocked. Running an SSH daemon in the initrd, optionally reachable as a Tor hidden service, lets you reach your computer even during the boot process.
Setup
Generate a host key for the SSH daemon which will run in the initrd during boot. The key needs an empty passphrase (-N ""), because nothing can type one in during early boot, and the target directory has to exist before ssh-keygen can write to it:
<pre>
# mkdir -p /etc/secrets/initrd
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
</pre>
Keep in mind that this key is copied into the initrd, which lives on the unencrypted boot partition, so anyone who can read that partition can read the key.
Enable the SSH daemon in the initrd:
/etc/nixos/configuration.nix
<pre>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.network = {
  enable = true;
  ssh = {
    enable = true;
    port = 22;
    shell = "/bin/cryptsetup-askpass";
    authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
    hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
  };
};
</pre>
Add the SSH public keys of the users which should be able to authenticate to the SSH daemon to the authorizedKeys option.
The shell option is necessary to get a password prompt instead of a shell. If you omit it, you will get dropped into /bin/ash, and you will have to run cryptsetup-askpass manually to enter the password.
Alternatively, the shell option can be set to /bin/conspy for passwords which expect stdin. This binary is included by default and provided by busybox.
You will also need to configure either a static IP address or DHCP. You can do this with the ip= kernel parameter (the example above uses ip=dhcp). See the kernel documentation at https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt for more information on the ip= parameter.
Network card drivers
Most likely your network card will not work unless its kernel module is part of the initrd, so you have to find out which module your card uses. Run lspci -v | grep -iA8 'network\|ethernet' and look at the "Kernel driver in use" line, then add that module:
<pre>boot.initrd.availableKernelModules = [ "r8169" ];</pre>
Tips and tricks
Tor in initrd
An example with an SSH server listening at a Tor hidden service address can be found in krebs/2configs/tor/initrd.nix in stockholm: https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858
Prepare the Onion ID
You need 3 files to create an onion id (a.k.a. Tor hidden service):
hostname
hs_ed25519_public_key
hs_ed25519_secret_key
To create these files, you have to run tor once, with a dummy configuration:
<pre>
DataDirectory /tmp/my-dummy.tor/
SOCKSPort 127.0.0.1:10050 IsolateDestAddr
SOCKSPort 127.0.0.1:10063
HiddenServiceDir /home/tony/tor/onion
HiddenServicePort 1234 127.0.0.1:1234
</pre>
Let's assume you created this file in /home/tony/tor/tor.rc. Verify that everything is awesome by running tor -f /home/tony/tor/tor.rc --verify-config. If you don't see any errors, just run tor -f /home/tony/tor/tor.rc. You will get some output like this:
<pre>
May 21 18:38:39.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
May 21 18:38:39.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
May 21 18:38:40.000 [notice] Bootstrapped 100% (done): Done
</pre>
Hit Ctrl-C; the files you need should now be in /home/tony/tor/onion.
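Before copying the directory into the initrd it is worth checking that the address in hostname really belongs to the key in hs_ed25519_public_key, so that a mixed-up or edited onion folder fails here rather than at the first connection attempt. The following Python is an added example, not part of the wiki page or of tor itself: it parses the public key file, derives the v3 onion address from it and compares the two; the 32-byte sample key is constructed, not a real service key.

```python
import base64
import hashlib

# Header tor writes before the raw key in hs_ed25519_public_key (NUL-padded to 32 bytes).
PUBKEY_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")
ONION_VERSION = b"\x03"

def parse_hs_ed25519_public_key(blob: bytes) -> bytes:
    """Return the raw 32-byte ed25519 public key from a 64-byte hs_ed25519_public_key file."""
    if len(blob) != 64 or blob[:32] != PUBKEY_HEADER:
        raise ValueError("not a tor hs_ed25519_public_key file")
    return blob[32:]

def _checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]

def onion_address(pubkey: bytes) -> str:
    """v3 address: base32(PUBKEY | CHECKSUM | VERSION) + ".onion", 56 base32 chars."""
    return base64.b32encode(pubkey + _checksum(pubkey) + ONION_VERSION).decode().lower() + ".onion"

def onion_pubkey(address: str) -> bytes:
    """Inverse of onion_address; raises ValueError on a malformed or corrupted address."""
    name = address.strip().lower().removesuffix(".onion")
    if len(name) != 56:
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(name.upper())  # binascii.Error is a ValueError subclass
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != _checksum(pubkey):
        raise ValueError("onion address checksum/version mismatch")
    return pubkey

def check_onion_dir(hostname_file: bytes, pubkey_file: bytes) -> bool:
    """True if the address in `hostname` is well-formed and belongs to hs_ed25519_public_key."""
    try:
        return onion_pubkey(hostname_file.decode()) == parse_hs_ed25519_public_key(pubkey_file)
    except ValueError:
        return False

# Constructed sample key (not a real service key) standing in for the files tor wrote to
# /home/tony/tor/onion; for a real check read those two files in binary mode instead.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_PUBKEY_FILE = PUBKEY_HEADER + SAMPLE_PUBKEY
SAMPLE_HOSTNAME_FILE = (onion_address(SAMPLE_PUBKEY) + "\n").encode()

if __name__ == "__main__":
    print(onion_address(SAMPLE_PUBKEY))
    print("hostname matches key:", check_onion_dir(SAMPLE_HOSTNAME_FILE, SAMPLE_PUBKEY_FILE))
```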
Setup Tor
Now that you have your 3 files, you have to script a bit, but it's not too complicated. Note that, like the SSH host key, the onion folder with its secret key becomes part of the initrd on the unencrypted boot partition. Add this to your configuration:
<pre>
# copy your onion folder into the initrd
boot.initrd.secrets = {
  "/etc/tor/onion/bootup" = /home/tony/tor/onion; # maybe find a better spot to store this.
};

# copy tor to your initrd
boot.initrd.extraUtilsCommands = ''
  copy_bin_and_libs ${pkgs.tor}/bin/tor
'';

# start tor during the boot process
boot.initrd.network.postCommands = let
  torRc = (pkgs.writeText "tor.rc" ''
    DataDirectory /etc/tor
    SOCKSPort 127.0.0.1:9050 IsolateDestAddr
    SOCKSPort 127.0.0.1:9063
    HiddenServiceDir /etc/tor/onion/bootup
    HiddenServicePort 22 127.0.0.1:22
  '');
in ''
  echo "tor: preparing onion folder"
  # have to do this otherwise tor does not want to start
  chmod -R 700 /etc/tor

  echo "make sure localhost is up"
  ip a a 127.0.0.1/8 dev lo
  ip link set lo up

  echo "tor: starting tor"
  tor -f ${torRc} --verify-config
  tor -f ${torRc} &
'';
</pre>
That was it. Tor should be running during your boot process.
Setup haveged
If your system doesn't gather enough entropy, the startup time of tor is rather long (2:42 vs 0:06 on a RPi 4b). Counter it by starting haveged.
Append to your boot.initrd.extraUtilsCommands:
<pre>copy_bin_and_libs ${pkgs.haveged}/bin/haveged</pre>
Then use this snippet before echo "tor: starting tor" in your boot.initrd.network.postCommands:
<pre>
echo "haveged: starting haveged"
haveged -F &
</pre>
Setup ntpdate
If your system doesn't have an RTC, you have to ensure the time is set correctly before tor starts, since tor cannot bootstrap with a badly wrong clock.
Append to your boot.initrd.extraUtilsCommands:
<pre>copy_bin_and_libs ${pkgs.ntp}/bin/ntpdate</pre>
Then use this snippet before echo "tor: starting tor" in your boot.initrd.network.postCommands:
<pre>
echo "ntp: starting ntpdate"
echo "ntp 123/tcp" >> /etc/services
echo "ntp 123/udp" >> /etc/services
ntpdate w.x.y.z # pick one IP from https://www.ntppool.org/
</pre>
Usage
When your computer boots and asks for the LUKS password, you can unlock your encrypted hard drive using:
<pre>torify ssh root@<onion.id>.onion -p 22 'my-secret-password'</pre>
Replace <onion.id> with the address from the hostname file of your onion folder. Passing the passphrase on the command line like this leaves it in your shell history and in the process list of the client; connecting without a remote command and typing it at the cryptsetup-askpass prompt avoids that.