Remote unlocking

Secure your remote drives

When you have the good habit of encrypting every disk you use, unlocking them is not always as easy as typing the passphrase at a console or plugging in a physical device. What happens if you encrypt your home-lab (which has no monitor) or a remote server that you don't have physical access to?

We need early access to the server, before the root filesystem is mounted. Dropbear to the rescue: installing that “mini SSH server” inside the initrd does the trick.

Basically, we need to:

  • Have our SSH public key on the remote server (obviously).
  • Configure a port other than the default for the initrd SSH server (believe me, it's easier for troubleshooting).
  • Load the driver for our network device (we're in the initrd, which only contains the modules we put in it).
  • Know the IP of our server.

And that’s it.

This is a practical example from a server within my home-lab.

My NixOS module:

{...}: {
  # Let the kernel configure the NIC via DHCP while still in the initrd.
  boot.kernelParams = ["ip=dhcp"];
  boot.initrd = {
    # Driver for the network card; find yours with the inxi command below.
    availableKernelModules = ["r8169"];
    # For the systemd-based initrd: root's login drops straight into the passphrase prompt.
    systemd.users.root.shell = "/bin/cryptsetup-askpass";
    network = {
      enable = true;
      ssh = {
        enable = true;
        # Not the main system's sshd port: a non-default port gets its own
        # "[host]:port" entry in known_hosts, so the initrd host key does not
        # clash with the real host key.
        port = 31337;
        # Client public keys allowed to log in during early boot.
        authorizedKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOD+PjILkShGsDvqChmZzVzDbExoENsKlsPEqHxnr4PN wv@linux.com"];
        # Host key generated below. It is copied into the unencrypted initrd
        # (or the Nix store, depending on the bootloader), so never reuse the
        # main system's host key here.
        hostKeys = ["/etc/secrets/initrd/ssh_host_rsa_key"];
      };
      # For the scripted initrd: run the passphrase prompt automatically on login.
      postCommands = ''
        echo 'cryptsetup-askpass' >> /root/.profile
      '';
    };
  };
}

Find the driver for your network card (the driver: field in the output is the module name) with:

nix shell nixpkgs#inxi -c inxi -n

SSH host key for the initrd (the private key must be created as root, since the directory belongs to root):

sudo mkdir -p /etc/secrets/initrd/
sudo ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key

postCommands only saves you from typing cryptsetup-askpass by hand after logging in.

Now ping your server, and once it answers:

ssh root@192.168.1.123 -p 31337 -i ~/.ssh/id_ed25519

Enter your passphrase…
Done, the disk is unlocked.
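As an added example (not code from the original post), here is a small bash helper that wraps the client side of the procedure above: looking up the driver name for availableKernelModules from sysfs, checking the initrd host key's permissions, waiting for Dropbear to come up after a reboot, and then opening the SSH session. The host, port and key paths are the post's sample values and are assumptions; adjust them for your server.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a client-side helper for
# the remote unlock workflow. SERVER_HOST, SERVER_PORT and CLIENT_KEY are
# the post's sample values and are assumptions; adjust them for your server.
set -u

# Print the kernel module bound to a network interface (read from sysfs).
# This is the name to put in boot.initrd.availableKernelModules.
# Returns 1 for interfaces with no driver link, such as "lo".
iface_driver() {
    local link
    link=$(readlink "/sys/class/net/$1/device/driver" 2>/dev/null) || return 1
    basename "$link"
}

# Verify the initrd host key: it must exist and be readable by its owner only.
# Returns 0 when the key passes, 1 otherwise. Uses GNU stat (Linux).
check_hostkey() {
    local mode
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when host:port accepts a TCP connection. Uses bash's /dev/tcp
# pseudo-device when running under bash, otherwise falls back to nc.
port_open() {
    if [ -n "${BASH_VERSION:-}" ]; then
        ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
    else
        nc -z -w 2 "$1" "$2" >/dev/null 2>&1
    fi
}

# Poll until the initrd's SSH server answers or the deadline (seconds) passes.
# Returns 0 when the port opened in time, 1 on timeout.
wait_for_ssh() {
    local host="$1" port="$2" deadline="${3:-120}" waited=0
    until port_open "$host" "$port"; do
        waited=$((waited + 1))
        [ "$waited" -ge "$deadline" ] && return 1
        sleep 1
    done
    return 0
}

# Constructed sample values from the post (assumptions, not real hosts).
SERVER_HOST=192.168.1.123
SERVER_PORT=31337
CLIENT_KEY="$HOME/.ssh/id_ed25519"

# Wait for early boot to bring up Dropbear, then log in. Because the port is
# not 22, OpenSSH records the initrd host key under "[192.168.1.123]:31337"
# in known_hosts, separate from the main system's key, so a host-key-changed
# warning here is a real signal and not an artefact of having two SSH servers.
# cryptsetup-askpass runs on login (root's shell or .profile in the module),
# so the session prompts for the passphrase.
unlock_remote() {
    echo "waiting for initrd SSH on $SERVER_HOST:$SERVER_PORT ..."
    wait_for_ssh "$SERVER_HOST" "$SERVER_PORT" 300 || { echo "timed out" >&2; return 1; }
    ssh -p "$SERVER_PORT" -i "$CLIENT_KEY" "root@$SERVER_HOST"
}

# Only connect when invoked as: bash unlock.sh run
if [ "${1:-}" = "run" ]; then
    unlock_remote
fi
```

Running `iface_driver eth0` (or whatever your interface is called) gives the same module name that inxi -n reports, and `check_hostkey /etc/secrets/initrd/ssh_host_rsa_key` is worth running before the rebuild, because the key is a private key regardless of the fact that the initrd itself is not encrypted.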

Happy hacking!