---
creation date: 2022-07-18
tags: [ssh,cryptsetup,remote,unlock,crypt]
---

# Remote unlocking at boot

Guide borrowed from https://linux.fernandocejas.com/docs/guides/decrypt-luks-partition-remotely-via-ssh.

1. Install the packages: `pacman -S mkinitcpio-systemd-tool busybox cryptsetup openssh tinyssh tinyssh-convert mc`
2. Edit `/etc/mkinitcpio.conf`:

   ```shell
   HOOKS=(.... systemd systemd-tool)
   # find out the network device with lspci -k, looking for "Kernel driver in use: ..."
   MODULES=(r8169)
   ```

3. Copy only the _root_ entry of `/etc/fstab` to `/etc/mkinitcpio-systemd-tool/config/fstab`, e.g. with `cat /etc/fstab >> /etc/mkinitcpio-systemd-tool/config/fstab`, and remove any unnecessary (non-root) definitions.
4. Copy the _cryptsetup_ entries from `/etc/crypttab` to `/etc/mkinitcpio-systemd-tool/config/crypttab`, e.g. with `cat /etc/crypttab >> /etc/mkinitcpio-systemd-tool/config/crypttab`. Remember to set the key field to `none` so that the passphrase is asked for at boot.
5. Enable the necessary `systemd-tool` services:

   ```shell
   systemctl enable initrd-cryptsetup.path
   systemctl enable initrd-tinysshd
   systemctl enable initrd-debug-progs
   systemctl enable initrd-sysroot-mount
   ```

6. Adapt `/etc/mkinitcpio-systemd-tool/network/initrd-network.network` to your liking. You most likely want `eth*` as the match for Ethernet devices, and you most likely want to assign a fixed IP address:

   ```shell
   [Match]
   Name=eth*

   [Network]
   Address=192.168.1.2/24
   Gateway=192.168.1.1
   DNS=1.1.1.1
   ```

7. Only ED25519 keys are supported by tinyssh, so make sure to generate one and add its public key to the remote machine's `/root/.ssh/authorized_keys`:

   ```shell
   ssh-keygen -t ed25519 -C "remote-unlocking-HOSTNAME@local-hostname"
   ```

8. Generate the initramfs with `mkinitcpio -P` and watch out for errors; fix them before you reboot!
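Before running `mkinitcpio -P`, it is worth checking the three staged files the steps above produce, because a non-`none` key field, a leftover `/boot` or `/home` line, or an RSA-only `authorized_keys` each leaves you locked out at the initramfs prompt. The following POSIX shell checks are an added example, not part of the borrowed guide; the default paths are the ones from the guide, `preflight` is an assumed wrapper name, and the `authorized_keys` check assumes plain `<type> <key> <comment>` lines without an options prefix.

```shell
# Pre-flight checks for the staged mkinitcpio-systemd-tool config files.
# Each check prints every offending entry and returns non-zero if it found one;
# a missing or unreadable file returns 2.

_require_file() {
  [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 2; }
}

# Print a config file without blank lines and comment lines.
_active_lines() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# crypttab: the 3rd column (key file) must be "none" for every entry, so the
# initramfs prompts for the passphrase instead of looking for a key file that
# was never copied into it.
check_crypttab() {
  f="${1:-/etc/mkinitcpio-systemd-tool/config/crypttab}"
  _require_file "$f" || return $?
  _active_lines "$f" | awk '
    $3 != "none" { print "crypttab: " $1 " has key field " $3 ", expected none"; bad = 1 }
    END { exit bad }'
}

# fstab: only the root filesystem (mount point "/") belongs in the initramfs.
check_fstab_root_only() {
  f="${1:-/etc/mkinitcpio-systemd-tool/config/fstab}"
  _require_file "$f" || return $?
  _active_lines "$f" | awk '
    $2 != "/" { print "fstab: non-root mount " $2 " (" $1 ") should be removed"; bad = 1 }
    END { exit bad }'
}

# authorized_keys: tinyssh only accepts ed25519 keys, anything else is dead weight
# and gives a false sense of having access.
check_authorized_keys() {
  f="${1:-/root/.ssh/authorized_keys}"
  _require_file "$f" || return $?
  _active_lines "$f" | awk '
    $1 != "ssh-ed25519" { print "authorized_keys: key type " $1 " is not usable by tinyssh"; bad = 1 }
    END { exit bad }'
}

# Run all three checks; succeeds only if every file passes.
preflight() {
  check_crypttab "$1" && check_fstab_root_only "$2" && check_authorized_keys "$3"
}
```

Source the file and run `preflight` (with no arguments for the guide's default paths) before step 8; a zero exit status means the staged config is consistent with the guide.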