| creation date | tags |
|---|---|
| 2022-07-18 | |
Remote unlocking at boot
Guide borrowed from https://linux.fernandocejas.com/docs/guides/decrypt-luks-partition-remotely-via-ssh.
- Install the required packages:

  ```
  pacman -S mkinitcpio-systemd-tool busybox cryptsetup openssh tinyssh tinyssh-convert mc
  ```

- Edit `/etc/mkinitcpio.conf`:

  ```
  HOOKS=(.... systemd systemd-tool)
  # find out the network device with lspci -k, looking for "Kernel driver in use: ..."
  MODULES=(r8169)
  ```
- Copy the root-only entry from `/etc/fstab` to `/etc/mkinitcpio-systemd-tool/config/fstab`, e.g. with `cat /etc/fstab >> /etc/mkinitcpio-systemd-tool/config/fstab`, and remove any unnecessary (non-root) definitions.
- Copy the cryptsetup entries from `/etc/crypttab` to `/etc/mkinitcpio-systemd-tool/config/crypttab`, e.g. with `cat /etc/crypttab >> /etc/mkinitcpio-systemd-tool/config/crypttab`. Remember to set the method to `none` (for password prompt).
- Enable the necessary `systemd-tool` services:

  ```
  systemctl enable initrd-cryptsetup.path
  systemctl enable initrd-tinysshd
  systemctl enable initrd-debug-progs
  systemctl enable initrd-sysroot-mount
  ```
- Adapt `/etc/mkinitcpio-systemd-tool/network/initrd-network.network` to your liking, but you probably want `eth*` as the match for ethernet and a fixed IP address:

  ```
  [Match]
  Name=eth*
  [Network]
  Address=192.168.1.2/24
  Gateway=192.168.1.1
  DNS=1.1.1.1
  ```
- Only ED25519 keys are supported by tinyssh, so make sure to generate one and add the public key to the remote's `/root/.ssh/authorized_keys`:

  ```
  ssh-keygen -t ed25519 -C "remote-unlocking-HOSTNAME@local-hostname"
  ```

- Generate the initramfs with `mkinitcpio -P` and watch out for errors; fix them before rebooting!
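The three hand-edited files from the steps above are the usual source of a boot that hangs without an SSH prompt, so they are worth checking before running `mkinitcpio -P`. The following is an added example, not part of the original note and not a tool shipped by mkinitcpio-systemd-tool: a POSIX shell preflight that verifies the initrd fstab holds exactly one `/` entry, that every crypttab entry uses `none` as its key field (read here as the "method" the note refers to, an assumption), and that `authorized_keys` contains only `ssh-ed25519` keys. The `preflight` function name and the sample files are constructed for the example; the sample files deliberately contain one keyfile-based crypttab entry and one RSA key so the checks have something to report.

```shell
#!/bin/sh
# Added example, not part of the original note: preflight checks for the three
# files the guide tells you to hand-edit, to be run before "mkinitcpio -P".
# The checks take file paths as arguments; the sample files below are
# constructed here so the script runs offline. They are not real system files.

# Print only the fstab entry mounted at "/" (comments and other mounts dropped).
root_only_fstab() {
    awk '$1 !~ /^#/ && $2 == "/" { print }' "$1"
}

# Print the names of crypttab entries whose key field is not "none";
# those would need a keyfile that the initrd cannot provide.
crypttab_nonpassword_entries() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" { print $1 }' "$1"
}

# Print authorized_keys lines that are not ssh-ed25519 (tinyssh ignores them).
non_ed25519_keys() {
    awk '!/^#/ && NF > 0 && $0 !~ /(^|[[:space:]])ssh-ed25519[[:space:]]/ { print }' "$1"
}

# Run all checks on a directory holding fstab, crypttab and authorized_keys.
# Returns 0 when everything looks right, 1 when something needs fixing.
preflight() {
    dir=$1
    status=0
    if [ "$(root_only_fstab "$dir/fstab" | wc -l | tr -d ' ')" != "1" ]; then
        echo "fstab: expected exactly one entry mounted at /"
        status=1
    fi
    bad=$(crypttab_nonpassword_entries "$dir/crypttab")
    if [ -n "$bad" ]; then
        echo "crypttab: key field is not 'none' for: $bad"
        status=1
    fi
    if [ -n "$(non_ed25519_keys "$dir/authorized_keys")" ]; then
        echo "authorized_keys: non-ed25519 keys present, tinyssh will not accept them"
        status=1
    fi
    return $status
}

# Constructed sample input. The /home crypttab line and the ssh-rsa key are
# deliberate mistakes so the checks have something to report.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# <file system>          <dir>  <type>  <options>    <dump> <pass>
/dev/mapper/cryptroot    /      ext4    rw,relatime  0      1
/dev/sda1                /boot  vfat    defaults     0      2
/dev/mapper/crypthome    /home  ext4    rw,relatime  0      2
EOF
cat > "$SAMPLE_DIR/crypttab" <<'EOF'
cryptroot  UUID=PLACEHOLDER-ROOT  none            luks
crypthome  UUID=PLACEHOLDER-HOME  /etc/keys/home  luks
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAPLACEHOLDERKEYDATA remote-unlocking-HOSTNAME@local-hostname
ssh-rsa AAAAPLACEHOLDERKEYDATA someone@laptop
EOF

preflight "$SAMPLE_DIR" || echo "fix the findings above before running mkinitcpio -P"
```

To use it against the real initrd configuration, point `preflight` at a directory containing copies of `/etc/mkinitcpio-systemd-tool/config/fstab`, `/etc/mkinitcpio-systemd-tool/config/crypttab` and the `authorized_keys` file that ends up in the initrd; the checks only read the files and never modify them.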