Remote disk unlocking: Difference between revisions

imported>H3ndrik
No edit summary
imported>Onny
Restructuring setup part and add usage example
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
  availableKernelModules = [ "r8169" ];
  network = {
    enable = true;
    ssh = {
      enable = true;
      port = 22;
      shell = "/bin/cryptsetup-askpass";
      authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
      hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
    };
  };
};
</nowiki>}}


Adapt the following parts to your setup:

* Add the SSH public keys of the users who should be able to authenticate to the initrd SSH daemon to the <code>authorizedKeys</code> option.
* The file named in <code>hostKeys</code> must exist before you run <code>nixos-rebuild</code>, because it is copied into the initrd at build time (create it with <code>ssh-keygen</code>). The initrd lives on the unencrypted boot partition, so use a key dedicated to the initrd rather than reusing the booted system's host key from <code>/etc/ssh</code>.
* Most likely your network card does not work unless its kernel module is part of the initrd, so find out which module your network interface uses, for example with <code>lspci -v | grep -iA8 'network\|ethernet'</code> (look for the <code>Kernel driver in use</code> line), and put it into <code>boot.initrd.availableKernelModules</code>.
* Instead of DHCP you can configure a static IP address with the kernel parameter <code>boot.kernelParams = [ "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none" ];</code>, where <code>10.25.0.2</code> is the client IP and <code>10.25.0.1</code> is the gateway IP; the empty second field is the (unused) server IP. See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for the full <code>ip=</code> syntax. When using DHCP, make sure the computer is always attached to a network where it can obtain an address, or the boot process will hang waiting for a lease.
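The positional <code>ip=</code> syntax is easy to get wrong, and a wrong value means an initrd with no network and a boot that hangs before you can SSH in. The validator below is an added example, not code from this wiki page or from NixOS: it checks a candidate value against the field layout documented in nfsroot.txt before you put it into <code>boot.kernelParams</code>, rejects shifted or malformed fields, and warns about the DHCP hang and about a gateway outside the client's subnet. The warning texts and the function name are the example's own.

```python
"""Validate a kernel ``ip=`` parameter before baking it into boot.kernelParams."""
import ipaddress

# Positional fields of ip=, in the order the kernel parses them
# (Documentation/filesystems/nfs/nfsroot.txt). Kernel IP autoconfiguration is IPv4-only.
FIELDS = ("client_ip", "server_ip", "gw_ip", "netmask", "hostname",
          "device", "autoconf", "dns0_ip", "dns1_ip", "ntp0_ip")
ADDRESS_FIELDS = ("client_ip", "server_ip", "gw_ip", "dns0_ip", "dns1_ip", "ntp0_ip")
# Values accepted in the autoconf slot, or as the whole parameter (ip=dhcp etc.).
AUTOCONF_VALUES = {"off", "none", "on", "any", "dhcp", "bootp", "rarp", "both"}
STATIC_VALUES = {"off", "none"}

# Warning texts are this example's own, not kernel messages.
DHCP_WARNING = ("autoconfiguration in use: the initrd blocks until it gets a lease, "
                "so the machine must stay attached to a network that answers")
DEFAULT_WARNING = ("autoconf field empty: the documented kernel default is 'any'; "
                   "use 'none' for a purely static setup")
GATEWAY_WARNING = "gateway is not inside the client's subnet"


def parse_ip_param(param):
    """Parse ``ip=...`` into named fields.

    Returns ``(fields, warnings)``; raises ValueError for values the kernel
    would reject or that would leave the initrd without a usable address.
    """
    value = param[3:] if param.startswith("ip=") else param
    if not value:
        raise ValueError("empty ip= parameter")

    # Short forms (ip=dhcp, ip=none, ...) carry no positional fields at all.
    if value in AUTOCONF_VALUES:
        fields = dict.fromkeys(FIELDS, "")
        fields["autoconf"] = value
        return fields, ([] if value in STATIC_VALUES else [DHCP_WARNING])

    parts = value.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"{len(parts)} fields given, at most {len(FIELDS)} allowed")
    parts += [""] * (len(FIELDS) - len(parts))   # trailing fields may be omitted
    fields = dict(zip(FIELDS, parts))

    # Every address slot must hold a real IPv4 address. A shifted field (for
    # example a forgotten empty server-ip slot) shows up here or in the netmask check.
    for name in ADDRESS_FIELDS:
        if fields[name]:
            try:
                ipaddress.IPv4Address(fields[name])
            except ValueError as exc:
                raise ValueError(f"{name}: {exc}") from None
    if fields["netmask"]:
        try:  # rejects non-numeric and non-contiguous masks
            ipaddress.IPv4Network(f"0.0.0.0/{fields['netmask']}")
        except ValueError as exc:
            raise ValueError(f"netmask: {exc}") from None

    autoconf = fields["autoconf"]
    if autoconf and autoconf not in AUTOCONF_VALUES:
        raise ValueError(f"autoconf: unknown value {autoconf!r}")
    warnings = []
    if autoconf in STATIC_VALUES:
        if not fields["client_ip"]:
            raise ValueError("static configuration (autoconf=none) needs a client IP")
    elif autoconf == "":
        warnings.append(DEFAULT_WARNING)
    else:
        warnings.append(DHCP_WARNING)

    # A gateway outside the client's subnet is unreachable, so SSH from another
    # network would fail without any error visible on the (headless) machine.
    if fields["client_ip"] and fields["gw_ip"] and fields["netmask"]:
        net = ipaddress.IPv4Network(f"{fields['client_ip']}/{fields['netmask']}", strict=False)
        if ipaddress.IPv4Address(fields["gw_ip"]) not in net:
            warnings.append(GATEWAY_WARNING)
    return fields, warnings


if __name__ == "__main__":
    # Constructed inputs: the page's two examples plus a shifted-field mistake.
    for candidate in ("ip=dhcp",
                      "ip=10.25.0.2::10.25.0.1:255.255.255.0:myhost::none",
                      "ip=10.25.0.2:10.25.0.1:255.255.255.0:myhost::none"):
        try:
            fields, warnings = parse_ip_param(candidate)
            print(candidate, "->", {k: v for k, v in fields.items() if v}, warnings)
        except ValueError as exc:
            print(candidate, "-> REJECTED:", exc)
```

Run it against your intended value before rebuilding; the third constructed input, which drops the empty server-ip slot, is rejected because the hostname ends up in the netmask position.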

The <code>shell</code> option is necessary to get a password prompt instead of a shell. If you omit it, you will be dropped into <code>/bin/ash</code> and have to run <code>cryptsetup-askpass</code> manually to enter the password. Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code>, which attaches the SSH session to the local virtual console; use this for unlock prompts that read the password from the console's stdin rather than through <code>cryptsetup-askpass</code>. The binary is included by default and is provided by busybox.

== Usage ==

After reboot, connect to the initrd SSH daemon using

<syntaxhighlight lang="bash">
# ssh root@10.25.0.2
</syntaxhighlight>

Where <code>10.25.0.2</code> is the IP address acquired via DHCP or configured via the kernel parameter. Once the passphrase is accepted, <code>cryptsetup-askpass</code> exits, the session closes and the system continues booting.

Note that the initrd daemon identifies itself with the key from <code>hostKeys</code>, not with the host key of the booted system. If both listen on the same address and port, your client will report a changed host key on every other connection. Rather than deleting the <code>known_hosts</code> entry each time (which defeats host authentication and makes an attacker impersonating the initrd indistinguishable from the real one), give the initrd daemon a different <code>port</code> or connect with the <code>HostKeyAlias</code> client option, and verify the initrd key's fingerprint once.

== Tips and tricks ==