Regarding dracut-crypt-ssh

I’d love to be able to use dropbear-ssh to remotely decrypt the LUKS on a freshly powered-on machine

I’m trying to install this package:

http://aur.archlinux.org/packages/dracut-crypt-ssh

and I’ve added:

add_dracutmodules+= " network dropbear crypt-ssh "

to /etc/dracut.conf.d/eos-defaults.conf

Having no luck: dracut-rebuild works fine, however the device is clearly not on the network while it’s at the LUKS passphrase prompt on the screen.

Note: I am not locked out of the machine, just trying to get this working…

Is this related to /boot/efi being on its own FAT32 partition, but /boot is inherited from the encrypted LUKS partition?

Did you remove network from omit_dracutmodules? By default we disable network in the initrd.

Sort of. When you use grub, it is grub that is doing the initial decryption, not dracut.

Under grub, you probably need an unencrypted /boot for that to work the way you want.

You could create a 1GiB ext4 partition and mount it at /boot


I saw " network " in the omit section and removed it.

My EFI partition is 1 GB, I could move things around, but do I really want to put the kernel+ramdisk images there?

There are pros and cons to unencrypted kernels/initrds.

The positives are:

  • Decrypting will be orders of magnitude faster
  • You are only decrypting once instead of twice
  • You can use plymouth to have a more attractive unlock screen
  • You have access to the initrd during decryption (useful if you need the network, for example)

The negatives:

  • If you want to rollback snapshots, it is a more complicated process because the kernel/initrds are not part of your snapshot
  • If you have multiple luks partitions, they won’t be automatically unlocked by the initrd
  • There is a theoretical lowering of security because your initrd is unencrypted. I say theoretical because it seems like a pretty unlikely attack vector.

If you do decide to move to an unencrypted /boot, be sure to remove the keyfile from your initrd. If you don’t, your machine will unlock without asking you for a password which probably isn’t what you want. :sweat_smile:
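Two checks that follow from the advice in this thread, written as an added example (not code from the thread, EndeavourOS or the dracut-crypt-ssh package): the first reads every `*.conf` in a dracut config directory and reports modules that appear in both `add_dracutmodules` and `omit_dracutmodules`, since dracut honours the omit list over the add list (which is why `network` had to be removed from `omit_dracutmodules` above); the second reads an initrd file listing, as printed by dracut's `lsinitrd`, and flags paths that look like an embedded LUKS keyfile, the thing the post above says to remove before moving to an unencrypted /boot. The path patterns (`crypto_keyfile`, `cryptsetup-keys.d/`, `*.key`) and the sample listing in the comments are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: sanity checks for a dracut setup with an unencrypted /boot.
#   dracut_conflicts <confdir>   -> modules both added and omitted
#   lsinitrd <image> | initrd_keyfiles -> suspected keyfiles inside the initrd

# Print the module names assigned to one dracut variable (add_dracutmodules
# or omit_dracutmodules) across every *.conf in a directory, one per line.
# Matching lines look like:  add_dracutmodules+=" network dropbear crypt-ssh "
dracut_modules_for() {
    var="$1"; confdir="$2"
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        sed -n "s/^[[:space:]]*${var}+\{0,1\}=[[:space:]]*[\"']\(.*\)[\"'].*/\1/p" "$f"
    done | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Print every module listed under both add_dracutmodules and
# omit_dracutmodules. dracut skips omitted modules even when they are also
# added, so such a module never lands in the initrd.
dracut_conflicts() {
    confdir="$1"
    added=$(dracut_modules_for add_dracutmodules "$confdir")
    omitted=$(dracut_modules_for omit_dracutmodules "$confdir")
    for m in $added; do
        for o in $omitted; do
            [ "$m" = "$o" ] && echo "$m"
        done
    done
    return 0
}

# Read an initrd listing on stdin (cpio-style lines whose last field is the
# path, e.g. "-rw-r--r-- 1 root root 64 Jan 1 1970 etc/cryptsetup-keys.d/root.key",
# a constructed sample) and print paths that look like LUKS keyfiles.
# Exit status 0 if any were found, 1 otherwise. The name patterns are an
# assumption; adjust them to whatever install_items your config embeds.
initrd_keyfiles() {
    found=$(awk '{ p = $NF }
                 p ~ /crypto_keyfile|cryptsetup-keys\.d\/|\.key$/ { print p }' | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Stand-alone usage:  ./dracut-check.sh /etc/dracut.conf.d /boot/initramfs-linux.img
if [ "$#" -eq 2 ] && [ -d "$1" ]; then
    conflicts=$(dracut_conflicts "$1")
    if [ -n "$conflicts" ]; then
        echo "added but also omitted (omit wins): $conflicts"
    fi
    if keys=$(lsinitrd "$2" | initrd_keyfiles); then
        echo "possible keyfiles still inside the initrd:"
        printf '  %s\n' $keys
    fi
fi
```

Run the config check against `/etc/dracut.conf.d` after editing `eos-defaults.conf`; an empty result means `network`, `dropbear` and `crypt-ssh` are no longer cancelled by the omit list. Run the listing check on the rebuilt image before rebooting into an unencrypted /boot, since a keyfile that survives in the initrd unlocks the root volume without any passphrase prompt.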


Thanks for the response. I might just try USB keyboard emulation on a pi or something.

This machine doesn’t have the RS232 port open but I’m wondering if the UEFI boot sends stuff out the serial port as another option.

