archlinux-initrd-ssh-crypts.../README.md

Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.
The code was reworked from [dropbear_initrd_encrypt](https://aur.archlinux.org/packages/dropbear_initrd_encrypt/).


## Installation
After cloning the repo, installation is done as for an AUR package.


## Configuration
As explained upon installation, the following things need to be done:
   * add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
   * add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
   * in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`

The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.


Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell):
   * `sshcs_opt_debug`: whether to be more verbose about ongoing actions
      - default: 0
      - any non-zero value to enable
   * `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP
      - default: 10 seconds
   * `sshcs_opt_listen`: SSH listening port
      - default: 22
   * `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off
      - default (and minimum value): 2 minutes
      - negative value to deactivate

For example:

    sshcs_opt_timeout_ipconfig=30
    sshcs_opt_listen=2222
    sshcs_opt_timeout_poweroff=-1


## Building notes
1. Modify the sources (features in `src`, and/or package building files)
2. If `src` was modified
   * archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
   * upload the archive on the online repository (pointed by `PKGBUILD`)
3. Update `PKGBUILD`
   * bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
   * refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
4. Delete generated archive file if any
Initial commit 2014-05-20 00:46:59 +04:00			`Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.`
			`The code was reworked from [dropbear_initrd_encrypt](https://aur.archlinux.org/packages/dropbear_initrd_encrypt/).`


			`## Installation`
			`After cloning the repo, installation is done as for an AUR package.`


			`## Configuration`
			`As explained upon installation, the following things need to be done:`
Fixed TRIM option handling in /etc/crypttab 'discard' ('allow-discards' being the switch name to use in cryptsetup) v0.4-1 2017-06-25 19:22:53 +03:00			* add the SSH public key to `/etc/dropbear/initrd.authorized_keys`
			* add the `ip=` kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
			* in the `HOOKS` section of `/etc/mkinitcpio.conf`, add `ssh-cryptsetup` before `filesystems`; then rebuild the initramfs: `mkinitcpio -p linux`
Initial commit 2014-05-20 00:46:59 +04:00
			The LUKS-encrypted devices to unlock are derived from `/etc/crypttab`.

Configurable timeout before automatic poweroff 2014-05-21 00:39:32 +04:00
Handle optional ipconfig timeout Specify timeout for ipconfig so that we can still boot while network is done. Otherwise ipconfig remains stuck (until IP can be configured). If not given we default to 10s. Minor code refactoring. Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env since it now contains options for ipconfig and not only dropbear. Package installation script move legacy file to new path if present. v0.3-1 2015-11-22 20:53:37 +03:00			Some options can be set in `/etc/initcpio/sshcs_env` (file is sourced in initrd shell):
Fix cryptsetup additional arguments handling Quoting used in script prevented them ot be properly passed. Also added a debug mode to print some more messages about ongoing actions. 2017-06-25 21:07:07 +03:00			* `sshcs_opt_debug`: whether to be more verbose about ongoing actions
			`- default: 0`
			`- any non-zero value to enable`
Fixed TRIM option handling in /etc/crypttab 'discard' ('allow-discards' being the switch name to use in cryptsetup) v0.4-1 2017-06-25 19:22:53 +03:00			* `sshcs_opt_timeout_ipconfig`: time (in seconds) to configure IP
			`- default: 10 seconds`
			* `sshcs_opt_listen`: SSH listening port
			`- default: 22`
			* `sshcs_opt_timeout_poweroff`: time (in seconds) to unlock devices before automatic powering off
			`- default (and minimum value): 2 minutes`
			`- negative value to deactivate`
Configurable timeout before automatic poweroff 2014-05-21 00:39:32 +04:00
Initial commit 2014-05-20 00:46:59 +04:00			`For example:`

Handle optional ipconfig timeout Specify timeout for ipconfig so that we can still boot while network is done. Otherwise ipconfig remains stuck (until IP can be configured). If not given we default to 10s. Minor code refactoring. Moved configuration file from /etc/dropbear/initrd.env to /etc/initcpio/sshcs_env since it now contains options for ipconfig and not only dropbear. Package installation script move legacy file to new path if present. v0.3-1 2015-11-22 20:53:37 +03:00			`sshcs_opt_timeout_ipconfig=30`
Initial commit 2014-05-20 00:46:59 +04:00			`sshcs_opt_listen=2222`
Configurable timeout before automatic poweroff 2014-05-21 00:39:32 +04:00			`sshcs_opt_timeout_poweroff=-1`
Initial commit 2014-05-20 00:46:59 +04:00
Fixed TRIM option handling in /etc/crypttab 'discard' ('allow-discards' being the switch name to use in cryptsetup) v0.4-1 2017-06-25 19:22:53 +03:00
			`## Building notes`
			1. Modify the sources (features in `src`, and/or package building files)
			2. If `src` was modified
			* archive the `src` folder in `$pkgname-$pkgver.tar.xz` file; e.g.: `tar -cJf initrd-ssh-cryptsetup-0.4.tar.xz src`
			* upload the archive on the online repository (pointed by `PKGBUILD`)
			3. Update `PKGBUILD`
			* bump `pkgver` if `src` was modified, or `pkgrel` if building files were modified
			* refresh `md5sums` if necessary (based on `md5sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install` output)
			`4. Delete generated archive file if any`