Remote disk unlocking: Difference between revisions

imported>Makefu
No edit summary
imported>Riotbib
Change from deprecated hostECDSAkey to hostKeys and from dropbear to ssh-keygen
Line 9: Line 9:
It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your disk encryption password without authenticating the machine on the remote end!
It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your disk encryption password without authenticating the machine on the remote end!


To create a hostkey for dropbear run
To create a hostkey rin
 
<pre>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key</pre>
 
or
 
<pre>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key</pre>


<pre>nix run nixpkgs.dropbear -c dropbearkey -t ecdsa -f host_ecdsa_key</pre>
==== Known hosts ====
==== Known hosts ====
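Review bot: the replacement line "To create a hostkey rin" drops the verb; it should read "To create a host key run", and since the dropbear command below it is removed, the sentence is now the only lead-in for both ssh-keygen commands. The two commands write passphrase-less keys (-N "") into /etc/secrets/initrd, which is what an unattended initrd needs, but the text above stresses authenticating the remote end, so this hunk should also tell the reader to record the fingerprint right after generation (ssh-keygen -l -f /etc/secrets/initrd/ssh_host_ed25519_key) so it can be compared on the first remote unlock.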


Line 26: Line 31:
   port = 22;
   port = 22;
   authorizedKeys = &quot;ssh-rsa AAAAyourpublic-key-here....&quot;;
   authorizedKeys = &quot;ssh-rsa AAAAyourpublic-key-here....&quot;;
   hostECDSAKey = /path/to/host_ecdsa_key;
   hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ];
};
};
</pre>
</pre>
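Review bot: hostKeys is given as a list of quoted strings, whereas the removed hostECDSAKey line used an unquoted path (/path/to/host_ecdsa_key); the hunk should say the quoted form is deliberate, because an unquoted Nix path literal is copied into the world-readable Nix store while a string is read from /etc/secrets/initrd at initrd build time only. Two smaller points on the unchanged context: the authorizedKeys line shows &quot; entities where the Nix expression needs literal double quotes, and its value is a single string while the NixOS option takes a list of public keys, so the example should read authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here...." ];.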