
Linux Disk Encryption

Remote unlocking at boot

Problem

If you have an encrypted root partition, unlocking it usually requires access to the console to enter the passphrase.

Even if the root partition is unencrypted and your sensitive data lives on a separate encrypted partition that you mount manually once SSH is available, you still have to deal with starting the services that depend on that data after the manual mount.

There are a number of remote unlocking tools (luksrku, mandos, tang/clevis) that attempt to solve this problem by having a service on a trusted network provide the decryption key. While this may be suitable for larger environments, I needed something simpler, suited to a handful of machines.

Solution

I decided to use dropbear to run an SSH daemon in the initrd, so that I can SSH in and unlock all the encrypted devices from within the initrd, before the root pivot.

This then allows the usual systemd init to start services, without needing to implement any custom service-starting logic.

Implementation

Info

The following applies to Ubuntu 20.04; other distributions may vary.

Warning

The crypttab format varies between distros and programs (systemd vs. the Debian initrd), so be wary of alternative formatting described elsewhere.

Dropbear

The dropbear SSH daemon can be installed in the initrd by:

apt-get install dropbear-initramfs

Password authentication is disabled, so you need to add your public keys to /etc/dropbear/initramfs/authorized_keys.

Dropbear options can be set via DROPBEAR_OPTIONS in /etc/dropbear/initramfs/dropbear.conf. See dropbear(8) for more details.

Networking

Configuring networking in the initrd is the same as documented for NFS root booting. The upstream docs can be found at https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt , under the ip parameter.

This corresponds to the IP= option in /etc/initramfs-tools/initramfs.conf, e.g.

IP=10.42.2.100::10.42.2.250:255.255.255.0:frank:eno1

The network configuration persists into the booted OS, which is fine if your configuration is the same.

In my case, the IP in the full OS should be on a bridge device (br0), not on eno1 as it is in the initrd. The simplest solution is to remove the networking configuration as the initrd pivots and let netplan bring up the new configuration as the OS boots.

To remove the initrd networking, add the following script as /etc/initramfs-tools/scripts/init-bottom/remove-networking.sh:
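The script itself is not reproduced in this revision of the page. The following is an added example of what such an init-bottom script can look like; it is not the author's script. It assumes the initramfs-tools hook conventions (the prereqs handshake, and that /init exports rootmnt, which the script uses to detect that it is really running inside the initrd), that an ip binary is available in the initramfs, and that the ip= result is recorded under /run/net-*.conf. The interface list is read from sysfs and lo is skipped, so it also covers initrds that configured more than one interface.

```shell
#!/bin/sh
# Hypothetical /etc/initramfs-tools/scripts/init-bottom/remove-networking.sh
# Tears down the interface configuration that the initrd's ip= parameter set
# up, so the booted OS (netplan on Ubuntu 20.04) starts from a clean state.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in
    prereqs) prereqs; exit 0 ;;
esac

# Command used to manipulate interfaces. Overridable so the logic can be
# exercised outside the initrd (assumption: 'ip' exists in the initramfs).
IP_CMD="${IP_CMD:-ip}"

# Print the interface names found under a sysfs net directory, skipping lo.
list_initrd_interfaces() {
    dir="$1"
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        name="${path##*/}"
        [ "$name" = "lo" ] && continue
        echo "$name"
    done
}

# Drop all addresses and routes on one interface and bring it down, so the
# OS's own configuration cannot conflict with what the initrd left behind.
flush_interface() {
    "$IP_CMD" addr flush dev "$1"
    "$IP_CMD" link set "$1" down
}

# Flush every configured interface and remove the initrd's record of the
# ip= configuration (assumption: initramfs-tools writes it to run_dir/net-*.conf).
remove_initrd_networking() {
    sysfs_net="${1:-/sys/class/net}"
    run_dir="${2:-/run}"
    for ifname in $(list_initrd_interfaces "$sysfs_net"); do
        flush_interface "$ifname"
    done
    rm -f "$run_dir"/net-*.conf "$run_dir"/net6-*.conf
}

# /init exports rootmnt before running init-bottom scripts; only act there.
if [ -n "${rootmnt:-}" ]; then
    remove_initrd_networking /sys/class/net /run
fi
```

Make the script executable and run update-initramfs -u so it is included in the generated initrd. Keeping the teardown in init-bottom (rather than in the dropbear unlock session) means it also runs on a reboot where nobody SSHed in, and the bridge configuration in netplan never inherits a stale address on eno1.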



tips/luks.1678140716.txt.gz · Last modified: (external edit)