Remote disk unlocking: Difference between revisions

Revisions compared: imported>Skarlett (minor edit, no edit summary) and imported>Onny (Restructuring).
If you want to unlock your computer remotely via SSH, or even through Tor, you face the problem that you cannot reach the computer before its disk is unlocked. Running an SSH daemon (and optionally a Tor hidden service) inside the initrd solves this: the machine becomes reachable during the boot process, before the encrypted root filesystem is opened.

== Setup ==
=== Prepare SSH host keys ===

Generate a host key for the SSH daemon which will run in the initrd during boot. It is very important that you create the SSH host key up front and pin it on your client, otherwise you end up connecting to some machine on the internet and typing in your disk encryption password without having authenticated the machine on the remote end.

<syntaxhighlight lang="bash">
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
</syntaxhighlight>

or

<syntaxhighlight lang="bash">
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
</syntaxhighlight>

Use a dedicated key for the initrd and never point <code>hostKeys</code> at the booted system's regular host keys in <code>/etc/ssh</code>: unless your bootloader supports initrd secrets, the keys given to the initrd are stored world-readable in the Nix store, so a reused system host key would be exposed to every local user.

==== Known hosts ====

Add the host key (its public part and fingerprint are printed during creation) to your client's known_hosts, e.g. <code>~/.ssh/known_hosts</code> or <code>services.openssh.knownHosts</code>. Keep in mind that the initrd key is a different key from the one the booted system's sshd presents, while both are reached under the same address: if the initrd sshd also listens on port 22, the client sees a "remote host identification has changed" warning whenever it switches between the two, which trains you to ignore exactly the warning that matters here. Running the initrd sshd on a distinct port and pinning its key under <code>[host]:port</code> avoids that.

=== Set up SSH in initrd ===

Setting up ssh is very easy. Enable the SSH daemon in the initrd and tell the kernel how to configure the network (here via DHCP):

{{file|/etc/nixos/configuration.nix|nix|<nowiki>
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.network = {
  enable = true;
  ssh = {
    enable = true;
    port = 22;
    shell = "/bin/cryptsetup-askpass";
    authorizedKeys = [ "ssh-rsa AAAAyourpublic-key-here..." ];
    hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ];
  };
};
</nowiki>}}

Add the SSH public keys of the users who should be able to authenticate to the initrd SSH daemon to the <code>authorizedKeys</code> option. Whoever holds one of these keys can reach the passphrase prompt, so treat the list as the access control for unlocking the disk.
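As an added example (it is not part of the wiki page and not NixOS's own tooling), the following POSIX shell script covers the "Prepare SSH host keys" and "Known hosts" steps above from the client's point of view: it generates a dedicated initrd key if needed, refuses to pin a key that is merely a copy of the booted system's host key, and writes the known_hosts entry under the exact name OpenSSH will look up later (a bare hostname for port 22, <code>[host]:port</code> for any other port). The address 203.0.113.10, the port 2222 and all file paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not the wiki page's or NixOS's own code.
# Assumed/hypothetical values: initrd key /etc/secrets/initrd/ssh_host_ed25519_key,
# system key /etc/ssh/ssh_host_ed25519_key.pub, host 203.0.113.10, initrd sshd on port 2222.
set -eu

# First two fields (key type, base64 blob) of an OpenSSH .pub file; the comment is dropped.
pubkey_fields() {
    awk 'NR == 1 { print $1 " " $2; exit }' "$1"
}

# Name under which OpenSSH stores and looks up the host in known_hosts:
# the plain host for the default port 22, "[host]:port" for any other port.
known_hosts_name() {
    if [ "$2" = 22 ]; then printf '%s' "$1"; else printf '[%s]:%s' "$1" "$2"; fi
}

# Full known_hosts line pinning the key in .pub file $3 to host $1 / port $2.
known_hosts_line() {
    printf '%s %s\n' "$(known_hosts_name "$1" "$2")" "$(pubkey_fields "$3")"
}

# 0 if the two .pub files hold different keys, 1 if the initrd key is a copy of the
# system host key (which the world-readable initrd would then expose).
keys_are_distinct() {
    [ "$(pubkey_fields "$1")" != "$(pubkey_fields "$2")" ]
}

# Create the initrd key if it is missing (needs ssh-keygen, as in the wiki instructions).
ensure_initrd_key() {
    if [ ! -f "$1" ]; then
        mkdir -p "$(dirname "$1")"
        ssh-keygen -q -t ed25519 -N "" -f "$1"
    fi
}

# Pin the initrd key on the client: refuse a reused system key, append the line only once,
# and, when ssh-keygen is available, confirm that a lookup by the same name ssh uses succeeds.
pin_initrd_key() {
    initrd_pub=$1; system_pub=$2; host=$3; port=$4; known_hosts=$5
    if ! keys_are_distinct "$initrd_pub" "$system_pub"; then
        echo "refusing: initrd host key is identical to the system host key" >&2
        return 1
    fi
    line=$(known_hosts_line "$host" "$port" "$initrd_pub")
    touch "$known_hosts"
    grep -qxF -- "$line" "$known_hosts" || printf '%s\n' "$line" >> "$known_hosts"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -F "$(known_hosts_name "$host" "$port")" -f "$known_hosts" >/dev/null
    fi
}

# Typical use: generate on the server, copy the .pub to the client, then pin it there:
#   ensure_initrd_key /etc/secrets/initrd/ssh_host_ed25519_key
#   pin_initrd_key initrd.pub /etc/ssh/ssh_host_ed25519_key.pub 203.0.113.10 2222 ~/.ssh/known_hosts
if [ $# -eq 5 ]; then
    pin_initrd_key "$@"
fi
```

The port-dependent naming matters: an entry written as <code>[host]:22</code> is never consulted by <code>ssh -p 22 host</code>, because OpenSSH only brackets non-default ports, so a pin in the wrong form silently degrades to a first-connection prompt.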


The <code>shell</code> option is necessary to get a password prompt instead of a shell. If you omit it, you will be dropped into <code>/bin/ash</code> and will have to run <code>cryptsetup-askpass</code> manually to enter the password.

Alternatively, the <code>shell</code> option can be set to <code>/bin/conspy</code>, which attaches your SSH session to the local console, for password prompts which read from stdin there. This binary is included by default and is provided by busybox.

You will also need to configure either a static IP address or DHCP. You can do this with the <code>ip=</code> kernel parameter (<code>ip=dhcp</code> in the configuration above). See [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt the kernel documentation] for the full syntax of the <code>ip=</code> parameter, including the static form <code>ip=&lt;client-ip&gt;::&lt;gw-ip&gt;:&lt;netmask&gt;:&lt;hostname&gt;:&lt;device&gt;:off</code>.
 
=== Network card drivers ===

Most likely your network card will not work unless its kernel module is part of the initrd, so find out which module drives your card. Use <code>lspci -v | grep -iA8 'network\|ethernet'</code> for that, take the name from the <code>Kernel driver in use:</code> line, and add it:

<pre>boot.initrd.availableKernelModules = [ "r8169" ];</pre>
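To make the driver lookup above repeatable, here is an added helper (not from the wiki page) that reads <code>lspci -v</code> output and prints a ready-made <code>boot.initrd.availableKernelModules</code> line with the driver in use for every Ethernet or Network controller, ignoring all other devices. The <code>lspci -v</code> output embedded in it is a constructed sample for the example.

```shell
#!/bin/sh
# Added example, not the wiki page's own code. Turns `lspci -v` output into the
# NixOS option line for the initrd.  Real use: lspci -v | initrd_net_modules
set -eu

# Keep the "Kernel driver in use" of each Ethernet/Network controller, de-duplicated,
# in the order the devices appear. Device headers start at column 0 with a PCI address;
# their property lines are indented, so every header line re-decides whether we are
# inside a network device before its "Kernel driver in use" line is reached.
initrd_net_modules() {
    awk '
        /^[0-9a-f]+:[0-9a-f]+\.[0-9a-f] / { nic = ($0 ~ /(Ethernet|Network) controller/) }
        nic && /Kernel driver in use:/ {
            sub(/.*Kernel driver in use: */, "")
            if (!seen[$0]++) mods = mods " \"" $0 "\""
        }
        END { printf "boot.initrd.availableKernelModules = [%s ];\n", mods }
    '
}

# Constructed sample of `lspci -v` output: two NICs plus an audio device that must be ignored.
SAMPLE_LSPCI='00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)
	Subsystem: Lenovo Device 2214
	Flags: bus master, fast devsel, latency 0, IRQ 27
	Kernel driver in use: e1000e
	Kernel modules: e1000e

00:1b.0 Audio device: Intel Corporation 8 Series/C220 Series Chipset HD Audio Controller (rev 04)
	Kernel driver in use: snd_hda_intel
	Kernel modules: snd_hda_intel

03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
	Kernel driver in use: r8169
	Kernel modules: r8169'

# Run the converter over the constructed sample.
sample_modules() {
    printf '%s\n' "$SAMPLE_LSPCI" | initrd_net_modules
}

# Without a pipe on stdin, show what the sample produces.
if [ -t 0 ]; then
    sample_modules
fi
```

A device whose driver is not loaded at the time you run <code>lspci</code> has no <code>Kernel driver in use</code> line and is skipped; in that case fall back to the <code>Kernel modules</code> line by hand.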
== Tips and tricks ==

=== Tor in initrd ===

An example with an ssh server listening at a tor hidden service address can be found at [https://cgit.euer.krebsco.de/stockholm/tree/krebs/2configs/tor/initrd.nix?id=9919cb25912dfcc50881239f95494dd2f8e7b858 krebs/2configs/tor/initrd.nix in stockholm].

==== Prepare the Onion ID ====

You need 3 files to create an onion id (a.k.a. tor hidden service).

''(the intervening lines are not shown in this revision diff)''
Hit <code>Ctrl-C</code>, and the files you need should be in <code>/home/tony/tor/onion</code>.


==== Setup Tor ====

Now that you have your 3 files, you have to script a bit, but it's not too complicated.

''(the intervening lines are not shown in this revision diff)''
That was it. Tor should now be running during your boot process.


==== Setup haveged ====

If your system doesn't gather enough entropy, the startup time of tor is rather long (2:42 vs 0:06 on a RPi 4b). Counter it by starting <code>haveged</code> first.

''(the intervening lines are not shown in this revision diff)''
</pre>


==== Setup ntpdate ====

If your system has no RTC, you have to make sure the time is set correctly before starting tor: with a clock that is far off, tor rejects the network consensus as expired or not yet valid and never finishes bootstrapping.

''(the intervening lines are not shown in this revision diff)''
</pre>


==== Usage ====

When your computer boots and asks for the LUKS password, you can unlock the encrypted drive over Tor using:

<pre>torify ssh root@&lt;onion.id&gt;.onion -p 22 'my-secret-password'</pre>

Passing the passphrase as a command argument like this leaves it in your shell history and, for the duration of the connection, in the process list of the client machine. Prefer omitting the last argument and typing the passphrase at the <code>cryptsetup-askpass</code> prompt, or feeding it on stdin from a password manager, and make sure the onion's initrd host key is pinned in known_hosts before you type anything.
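Added example (not from the wiki page): a client-side wrapper for the unlock step that only connects when the onion's initrd host key is already pinned, verifies it strictly against that pinned entry and nothing else, and sends the passphrase over the SSH session's stdin rather than as an argument. It assumes <code>torify</code> is installed, that the initrd sshd is reached on a hypothetical port 2222, and that the remote <code>cryptsetup-askpass</code> shell reads the passphrase from stdin; the onion name and file paths are placeholders. Setting <code>UNLOCK_DRY_RUN=1</code> prints the ssh command line instead of connecting.

```shell
#!/bin/sh
# Added example, not the wiki page's own code. Unlocks the remote LUKS volume through Tor
# without putting the passphrase on the command line. Assumptions: torify is installed,
# the initrd sshd's key is pinned in the given known_hosts file, and the remote shell
# (cryptsetup-askpass) reads the passphrase from stdin. Host name and paths are placeholders.
set -eu

# Name under which OpenSSH looks the host up: bare host for port 22, "[host]:port" otherwise.
known_hosts_name() {
    if [ "$2" = 22 ]; then printf '%s' "$1"; else printf '[%s]:%s' "$1" "$2"; fi
}

# 0 if file $3 holds an (unhashed) entry for host $1 on port $2, 1 otherwise.
host_is_pinned() {
    name=$(known_hosts_name "$1" "$2")
    [ -r "$3" ] && awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$3"
}

# Print the command that would be run, one quoted argument per ssh parameter.
show_command() {
    printf 'torify ssh'
    for arg; do printf " '%s'" "$arg"; done
    echo
}

# Connect only to a pinned host, trust nothing but that file, and feed the passphrase
# on stdin so it never appears in argv, `ps` output or the shell history.
remote_unlock() {
    host=$1; port=$2; known_hosts=$3
    if ! host_is_pinned "$host" "$port" "$known_hosts"; then
        echo "no pinned initrd host key for $host:$port in $known_hosts; refusing to connect" >&2
        return 2
    fi
    set -- -p "$port" \
        -o "UserKnownHostsFile=$known_hosts" \
        -o GlobalKnownHostsFile=/dev/null \
        -o StrictHostKeyChecking=yes \
        -o ForwardAgent=no \
        "root@$host"
    if [ "${UNLOCK_DRY_RUN:-0}" = 1 ]; then
        show_command "$@"
        return 0
    fi
    if [ -t 0 ]; then
        printf 'LUKS passphrase for %s: ' "$host" >&2
        stty -echo; IFS= read -r passphrase || true; stty echo; echo >&2
    else
        IFS= read -r passphrase   # e.g. piped from a password manager
    fi
    printf '%s\n' "$passphrase" | torify ssh "$@"
    unset passphrase
}

# Typical call: remote_unlock exampleonionaddress.onion 2222 ~/.ssh/known_hosts_initrd
if [ $# -eq 3 ]; then
    remote_unlock "$@"
fi
```

Keeping the initrd pins in their own file (<code>UserKnownHostsFile</code>) with the global file disabled means a stale or attacker-supplied entry elsewhere cannot satisfy the check, and <code>StrictHostKeyChecking=yes</code> turns any mismatch into a hard failure instead of a prompt you might answer out of habit.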