knowledge-base/KB/Linux/Server/Remote unlocking at boot.md

creation date: 2022-07-18
tags: ssh, cryptsetup, remote, unlock, crypt

# Remote unlocking at boot

Guide borrowed from https://linux.fernandocejas.com/docs/guides/decrypt-luks-partition-remotely-via-ssh.

1. Install the required packages:

   ```sh
   pacman -S mkinitcpio-systemd-tool busybox cryptsetup openssh tinyssh tinyssh-convert mc
   ```

2. Edit `/etc/mkinitcpio.conf`:

   ```sh
   HOOKS=(.... systemd systemd-tool)

   # find out the network device with `lspci -k`, looking for "Kernel driver in use: ..."
   MODULES=(r8169)
   ```

3. Copy the root-only entry from `/etc/fstab` to `/etc/mkinitcpio-systemd-tool/config/fstab`, e.g. with `cat /etc/fstab >> /etc/mkinitcpio-systemd-tool/config/fstab`, and remove any unnecessary (non-root) definitions.

4. Copy the cryptsetup entries from `/etc/crypttab` to `/etc/mkinitcpio-systemd-tool/config/crypttab`, e.g. with `cat /etc/crypttab >> /etc/mkinitcpio-systemd-tool/config/crypttab`. Remember to set the key field (third column) to `none` so that the initrd asks for the passphrase.

5. Enable the necessary systemd-tool services:

   ```sh
   systemctl enable initrd-cryptsetup.path
   systemctl enable initrd-tinysshd
   systemctl enable initrd-debug-progs
   systemctl enable initrd-sysroot-mount
   ```

6. Adapt `/etc/mkinitcpio-systemd-tool/network/initrd-network.network` to your liking; you probably want `eth*` as the match for ethernet and a fixed IP address:

   ```ini
   [Match]
   Name=eth*

   [Network]
   Address=192.168.1.2/24
   Gateway=192.168.1.1
   DNS=1.1.1.1
   ```

7. tinyssh supports only ED25519 keys, so generate one and add the public key to the remote's `/root/.ssh/authorized_keys`:

   ```sh
   ssh-keygen -t ed25519 -C "remote-unlocking-HOSTNAME@local-hostname"
   ```

8. Generate the initramfs with `mkinitcpio -P`, watch for errors, and fix them before rebooting!
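A preflight script for the files edited above, added here as an example and not taken from the guide or from mkinitcpio-systemd-tool: it checks that the HOOKS line carries both hooks, that every crypttab entry has `none` in the key field, and that authorized_keys holds only ed25519 keys, which are the three mistakes that leave you locked out at the initrd prompt. The function names and the argument layout of `preflight` are my own; the sample files in the usage line are the real paths from the guide.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the mkinitcpio-systemd-tool remote-unlock setup.
# Added example, not part of the original guide. File paths are passed as
# arguments so the checks work on the real files or on constructed copies.

# The HOOKS array must list both "systemd" and "systemd-tool" as whole words.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1" | tail -n 1)
    for h in systemd systemd-tool; do
        case " $hooks " in
            *" $h "*) ;;
            *) echo "HOOKS in $1 is missing '$h'"; return 1 ;;
        esac
    done
    return 0
}

# Every active crypttab entry needs "none" in the key field (3rd column) so the
# initrd prompts for a passphrase over SSH instead of looking for a key file.
check_crypttab() {
    awk '/^[ \t]*(#|$)/ { next }
         NF < 3 || $3 != "none" { print "crypttab: " $1 " does not prompt for a passphrase"; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# tinyssh only speaks ed25519, so any other key type in authorized_keys will
# never let you in at the initrd prompt. Assumes entries without option prefixes.
check_authorized_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 != "ssh-ed25519" { print "authorized_keys: " $1 " key is not usable with tinyssh"; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Runs all three checks; the return value is the number of failed checks, so
# 0 means the files are ready for "mkinitcpio -P".
preflight() {
    fails=0
    check_hooks "$1" || fails=$((fails + 1))
    check_crypttab "$2" || fails=$((fails + 1))
    check_authorized_keys "$3" || fails=$((fails + 1))
    return "$fails"
}

# Usage: preflight /etc/mkinitcpio.conf /etc/mkinitcpio-systemd-tool/config/crypttab /root/.ssh/authorized_keys
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```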