
Remote disk unlocking: Difference between revisions

no edit summary
imported>MrVanDalo
(Created page with "= Unlocking your LUKS via SSH and Tor = If you want to unlock your Computer remotely, and you are facing the problem, that you can’t reach your computer before your compute...")
 
imported>Mweinelt
No edit summary
Line 1: Line 1:
= Unlocking your LUKS via SSH and Tor =
= Unlocking your LUKS via SSH and Tor =


If you want to unlock your Computer remotely, and you are facing the problem, that you can’t reach your computer before your computer is unlockt. Tor will help you to reach your computer, even in during the boot process.
If you want to unlock your Computer remotely, and you are facing the problem, that you can’t reach your computer before your computer is unlocked, Tor will help you to reach your computer, even in during the boot process.


== SSH in initrd ==
== SSH in initrd ==
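Review bot: the rewritten opening sentence still reads "even in during the boot process"; drop the stray "in" so it reads "even during the boot process", and the three-comma chain ("remotely, and you are facing the problem, that you can't reach ...") is easier to follow as one conditional: "If you want to unlock your computer remotely but cannot reach it before it is unlocked, Tor lets you reach it during the boot process." The heading and the "== SSH in initrd ==" context are unchanged and fine.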
Line 7: Line 7:
=== Prepare SSH host keys ===
=== Prepare SSH host keys ===


It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your Harddrive encryption password without verifiying the machine is actually yours!
It is very important that you create your SSH host keys upfront, otherwise you end up connecting to a server on the internet and typing in your disk encryption password without authenticating the machine on the remote end!


Just run
To create a hostkey for dropbear run


<pre>nix-shell -p dropbear --run &quot;dropbearkey -t ecdsa -f /home/tony/tor/host_ecdsa_key&quot;</pre>
<pre>nix run nixpkgs.dropbear -c dropbearkey -t ecdsa -f host_ecdsa_key</pre>
==== known hosts ====
==== Known hosts ====


It’s a good idea to add the host key (which got printed during creation) to your known_hosts file e.g. <code>~/.ssh/known_hosts</code> or <code>services.openssh.knownHosts</code>.
It’s a good idea to add the host key (which got printed during creation) to your known_hosts file e.g. <code>~/.ssh/known_hosts</code> or <code>services.openssh.knownHosts</code>.
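Review bot: the new `dropbearkey` invocation drops the explicit output directory, so `host_ecdsa_key` lands in whatever the current working directory is; since the configuration further down references the file by absolute path (`hostECDSAKey = /path/to/host_ecdsa_key;`), the text should say where to keep it and that it must be readable by root only. Replacing "Harddrive encryption password without verifiying the machine" with "disk encryption password without authenticating the machine on the remote end" is a clear improvement; the "Known hosts" paragraph could additionally tell the reader to compare the fingerprint shown on the first connection against the one `dropbearkey` printed, which is the check that actually prevents the scenario the warning describes.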
Line 24: Line 24:
boot.initrd.network.ssh = {
boot.initrd.network.ssh = {
   enable = true;
   enable = true;
  port = 22;
   authorizedKeys = &quot;ssh-rsa AAAAyourpublic-key-here....&quot;;
   authorizedKeys = &quot;ssh-rsa AAAAyourpublic-key-here....&quot;;
   port = 22;
   hostECDSAKey = /path/to/host_ecdsa_key;
};
};
boot.initrd.network.ssh.hostECDSAKey = /home/tony/tor/host_ecdsa_key; # maybe find a better place for that file</pre>
 
A small thing is still missing. Most likely your network card is not working without a module, so you have to find out which module is used for your network. I use <code>lspci -v</code> for that.
Most likely your network card is not working without its kernel module being part of the initrd, so you have to find out which module is used for your network. Use <code>lspci -v</code> for that.


<pre>boot.initrd.availableKernelModules = [ &quot;r8169&quot; ];</pre>
<pre>boot.initrd.availableKernelModules = [ &quot;r8169&quot; ];</pre>
Voila ssh should work now.


== Tor in initrd ==
== Tor in initrd ==
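Review bot: `authorizedKeys` in the config block is assigned a string, but the NixOS option `boot.initrd.network.ssh.authorizedKeys` takes a list of strings, so this snippet fails to evaluate as written; it should read `authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here...." ];`. Moving `port = 22;` and `hostECDSAKey` into the attribute set and using the placeholder `/path/to/host_ecdsa_key` instead of a home directory is fine, but the text should warn that a bare path here is copied into the world-readable Nix store along with the initrd, so this key must be the dedicated one generated in the section above and never the machine's regular OpenSSH host key. Removing "Voila ssh should work now." leaves the section without a closing step; suggest replacing it with a sentence telling the reader to rebuild, reboot, and confirm on the first connection that the presented host key fingerprint matches the one added to known_hosts.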