46 lines
1.7 KiB
Markdown
46 lines
1.7 KiB
Markdown
---
|
|
creation date: 2022-07-18
|
|
tags: [ssh,cryptsetup,remote,unlock,crypt]
|
|
---
|
|
|
|
# Remote unlocking at boot
|
|
|
|
Guide borrowed from https://linux.fernandocejas.com/docs/guides/decrypt-luks-partition-remotely-via-ssh.
|
|
|
|
1. Install `pacman -S mkinitcpio-systemd-tool busybox cryptsetup openssh tinyssh tinyssh-convert mc`
|
|
2. Edit `/etc/mkinitcpio.conf`
|
|
|
|
```shell
|
|
HOOKS=(.... systemd systemd-tool)
|
|
|
|
# find out network device with lspci -k looking for "Kernel driver in use: ..."
|
|
MODULES=(r8169)
|
|
```
|
|
3. Copy _root_ only entry `/etc/fstab` to `/etc/mkinitcpio-systemd-tool/config/fstab`, e.g. with `cat /etc/fstab >> /etc/mkinitcpio-systemd-tool/config/fstab` and remove any unnecessary (non-root) definitions
|
|
4. Copy _cryptsetup_ entries from `/etc/crypttab` to `/etc/mkinitcpio-systemd-tool/config/crypttab`, e.g. with `cat /etc/crypttab >> /etc/mkinitcpio-systemd-tool/config/crypttab`. Remember to set method to `none` (for password ask)
|
|
5. Enable necessary `systemd-tool` services
|
|
|
|
```shell
|
|
systemctl enable initrd-cryptsetup.path
|
|
systemctl enable initrd-tinysshd
|
|
systemctl enable initrd-debug-progs
|
|
systemctl enable initrd-sysroot-mount
|
|
```
|
|
6. Adapt `/etc/mkinitcpio-systemd-tool/network/initrd-network.network` to your liking, but ensure that you probably want `eth*` as match for ethernet and you probably want to assign a fixed IP address
|
|
|
|
```shell
|
|
[Match]
|
|
Name=eth*
|
|
|
|
[Network]
|
|
Address=192.168.1.2/24
|
|
Gateway=192.168.1.1
|
|
DNS=1.1.1.1
|
|
```
|
|
|
|
7. Only ED25519 is supported by tinyssh, so ensure to generate one and add the public key to remote's `/root/.ssh/authorized_keys`
|
|
|
|
```shell
|
|
ssh-keygen -t ed25519 -C "remote-unlocking-HOSTNAME@local-hostname"
|
|
```
|
|
9. Generate initramfs with `mkinitcpio -P` and watch out for errors, fix them before reboot!
|