archlinux-initrd-ssh-cryptsetup

Go to file

Julien Coloos 3449995d4a Use SHA256 checksums instead of MD5 v0.9-2		2021-11-12 19:25:06 +01:00
src	Use SHA256 checksums instead of MD5	2021-11-12 19:25:06 +01:00
ChangeLog	Use SHA256 checksums instead of MD5	2021-11-12 19:25:06 +01:00
LICENSE	Initial commit	2014-05-19 22:46:59 +02:00
PKGBUILD	Use SHA256 checksums instead of MD5	2021-11-12 19:25:06 +01:00
README.md	Use SHA256 checksums instead of MD5	2021-11-12 19:25:06 +01:00
initrd-ssh-cryptsetup.install	Handle optional ipconfig timeout	2015-11-22 18:54:57 +01:00

README.md

Personal ArchLinux package combining dropbear and cryptsetup in initrd for unlocking LUKS-encrypted devices either locally (boot console) or remotely over SSH.
The code was reworked from legacy dropbear_initrd_encrypt AUR package.

Installation

After cloning the repo, installation is done as for an AUR package, e.g.:

makepkg -sri

Dropbear

SSH server key need to be generated for dropbear.
Either a new key can be generated with dropbearkey, e.g.:

dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key

Or an existing OpenSSH key can be converted with dropbearconvert (useful so that the server fingerprint is the same with both), e.g.:

dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key

Notes:

rsa and ed25519 types are also handled
OpenSSH keys must be in PEM format for dropbearconvert to properly work

If necessary an existing key file can be converted to PEM format using ssh-keygen:

ssh-keygen -A -p -m PEM -f /etc/ssh/ssh_host_ecdsa_key

Configuration

As explained upon installation, the following things need to be done:

add the authorized SSH public key to /etc/dropbear/initrd.authorized_keys
add the ip= kernel command parameter to the bootloader configuration (see https://wiki.archlinux.org/index.php/Mkinitcpio#Using_net)
- e.g. with grub: add ip=:::::eth0:dhcp to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, and re-generate the configuration with grub-mkconfig -o /boot/grub/grub.cfg
- also see https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig
in the HOOKS section of /etc/mkinitcpio.conf, add ssh-cryptsetup before filesystems; then rebuild the initramfs: mkinitcpio -p linux
- when using a non-standard keyboard layout, it is also useful to add the keymap hook before ssh-cryptsetup, and also move keyboard before keymap

The LUKS-encrypted devices to unlock are derived from /etc/crypttab.

Some options can be set in /etc/initcpio/sshcs_env (file is sourced in initrd shell):

sshcs_opt_debug: whether to be more verbose about ongoing actions
- default: 0
- any non-zero value to enable
sshcs_opt_timeout_ipconfig: time (in seconds) to configure IP
- default: 10 seconds
sshcs_opt_listen: SSH listening port
- default: 22
sshcs_opt_timeout_poweroff: time (in seconds) to unlock devices before automatic powering off
- default (and minimum value): 2 minutes
- negative value to deactivate

For example:

sshcs_opt_timeout_ipconfig=30
sshcs_opt_listen=2222
sshcs_opt_timeout_poweroff=-1

Building notes

Modify the sources (features in src, and/or package building files)
If src was modified
- archive the src folder in $pkgname-$pkgver.tar.xz file; e.g.: tar -cJf initrd-ssh-cryptsetup-0.9.tar.xz src
- upload the archive on the online repository (pointed by PKGBUILD)
Update ChangeLog
Update PKGBUILD
- bump pkgver if src was modified, or pkgrel if building files were modified
- refresh sha256sums with updpkgsums if necessary
  - or manually, based on sha256sum initrd-ssh-cryptsetup-*.tar.xz initrd-ssh-cryptsetup.install output
Delete generated archive file if any