Remote disk unlocking: Difference between revisions
Previous revision: imported>H3ndrik (No edit summary)
Current revision: imported>Onny (Restructuring setup part and add usage example)
Line 13:

Previous revision:
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd
  enable = true;
  port = 22;
  };
};
</nowiki>}}

Current revision:
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
  availableKernelModules = [ "r8169" ];
  network = {
    enable = true;
    ssh = {
      enable = true;
      port = 22;
      shell = "/bin/cryptsetup-askpass";
      authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
      hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
    };
  };
};
</nowiki>}}
Previous revision:
Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option.

Current revision:
Adapt the following parts according to your setup:
* Add the SSH public keys for the users which should be able to authenticate to the SSH daemon to the <code>authorizedKeys</code> option.
* Most likely your network card will not work without its kernel module being part of the initrd, so you have to find out which module your network card uses. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that.
* Instead of using DHCP you could also configure a static IP, for example with the kernel parameter <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP and <code>10.25.0.1</code> is the gateway IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for more information on the <code>ip=</code> parameter. When using DHCP, make sure your computer is always attached to the network and is able to get an IP address, or the boot process will hang.
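As an added example (not part of the wiki page or of NixOS), a small Python checker for the <code>ip=</code> parameter discussed above: it parses the colon-separated form documented in nfsroot.txt and reports the cases where the initrd will wait for a DHCP lease before it can unlock the disk. The field order and keywords follow the kernel documentation; the function and class names are my own, and the kernel-behaviour comments are my reading of that documentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Autoconfiguration keywords from Documentation/filesystems/nfs/nfsroot.txt
DYNAMIC_METHODS = {"on", "any", "dhcp", "bootp", "rarp", "both"}
AUTOCONF_KEYWORDS = DYNAMIC_METHODS | {"off", "none"}

@dataclass
class IpParam:
    client_ip: Optional[str]
    server_ip: Optional[str]
    gw_ip: Optional[str]
    netmask: Optional[str]
    hostname: Optional[str]
    device: Optional[str]
    autoconf: str

    def needs_dhcp(self) -> bool:
        """True when the initrd will block waiting for a BOOTP/DHCP/RARP answer."""
        # A static client address means the kernel does not wait for a lease.
        return self.client_ip is None and self.autoconf in DYNAMIC_METHODS

def _ip_or_none(field: str) -> Optional[str]:
    return None if field == "" else str(ipaddress.ip_address(field))  # ValueError on junk

def parse_ip_param(param: str) -> IpParam:
    """Parse 'ip=...' as written in boot.kernelParams; raises ValueError if malformed."""
    value = param[3:] if param.startswith("ip=") else param
    if value in AUTOCONF_KEYWORDS:  # bare keyword form such as ip=dhcp
        return IpParam(None, None, None, None, None, None, value)
    fields = value.split(":")
    fields += [""] * (7 - len(fields))  # fields 8-10 (DNS/NTP servers) are not checked
    client, server, gw, mask, host, dev, auto = fields[:7]
    if mask:
        ipaddress.ip_network(f"0.0.0.0/{mask}")  # validates dotted netmask, ValueError on junk
    auto = auto or "any"  # documented default when the field is omitted
    if auto not in AUTOCONF_KEYWORDS:
        raise ValueError(f"unknown autoconf method {auto!r}")
    return IpParam(_ip_or_none(client), _ip_or_none(server), _ip_or_none(gw),
                   mask or None, host or None, dev or None, auto)

def boot_risks(param: str) -> List[str]:
    """Caveats a remote-unlock setup should know about before rebooting."""
    cfg, risks = parse_ip_param(param), []
    if cfg.needs_dhcp():
        risks.append("waits for a DHCP lease: boot hangs if no lease is offered")
    if cfg.client_ip and not cfg.gw_ip:
        risks.append("static address without gateway: only the local subnet can reach sshd")
    return risks
```

Run <code>boot_risks("ip=dhcp")</code> against the parameter you intend to put in <code>boot.kernelParams</code> before rebooting a machine you cannot reach physically.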
Previous revision:
The <code>shell</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password.
Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for password prompts which expect stdin. This binary is included by default and is provided by BusyBox.

Current revision:
The <code>shell</code> option is necessary to get a password prompt instead of a shell.
If you omit it, you will get dropped into <code>/bin/ash</code>, and you will have to manually run <code>cryptsetup-askpass</code> to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code> for password prompts which expect stdin. This binary is included by default and is provided by BusyBox.
Current revision (section added):
== Usage ==
After reboot, connect to the initrd SSH daemon using
<syntaxhighlight lang="bash">
# ssh root@10.25.0.2
</syntaxhighlight>
where <code>10.25.0.2</code> is the IP which was acquired via DHCP or configured via the kernel parameter.
== Tips and tricks ==