Control: retitle -1 cryptsetup: Update remote unlocking documentation following the dropbear 2015.70-1 release
In fact dropbear-initramfs now (since 2015.70-1) ships the dropbear-specific initramfs configuration under /usr/share/doc/dropbear-initramfs/README.initramfs. I therefore updated the patch to remove dropbear-specific configuration from d/README.Debian, remove d/README.remote all together, and point to dropbear-initramfs instead. -- Guilhem.
From 5acc4c2b5ba1b34c2ffe755d08358f11d34fd8a6 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guil...@guilhem.org>
Date: Mon, 12 Oct 2015 21:13:31 +0200
Subject: [PATCH 1/3] Update remote unlocking via SSH due to the new dropbear
release.
---
debian/README.Debian | 62 +++++++++-----------------------
debian/README.remote | 96 --------------------------------------------------
debian/cryptsetup.docs | 1 -
3 files changed, 16 insertions(+), 143 deletions(-)
delete mode 100644 debian/README.remote
diff --git a/debian/README.Debian b/debian/README.Debian
index cf4927b..9be59d0 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -202,68 +202,38 @@ nor in askpass.
8. Remotely unlock encrypted rootfs
-----------------------------------
- Thanks to Chris <deb...@x.ray.net> it's possible to install a dropbear ssh
-server into the initramfs, connect to this ssh server during execution of
+ Thanks to Chris <deb...@x.ray.net> it's possible to install a dropbear SSH
+server into the initramfs, connect to this SSH server during execution of
initramfs early in the boot process, and unlock encrypted devices - even the
root device - before the boot process continues.
This way it is possible to use an encrypted root filesystem on headless
systems where no physical access is available during boot process.
- Dropbear 0.52-1 is required for this to work. Thankfully this version
-configures everything automatically, so all you have to do after installing
-dropbear on the remote system, is to copy the root ssh keyfile from
-/etc/initramfs/root/ssh/id_rsa to your local system:
+ Dropbear 0.52-1 or later is required for this to work. (Since 2015.68-1 the
+functionality has its own binary package 'dropbear-initramfs'.) Consult
+/usr/share/doc/dropbear-initramfs/README.initramfs from the dropbear-initramfs
+package for information how to install and configure the dropbear SSH server
+into the initramfs.
-$ scp remote.system.com:/etc/initramfs/root/ssh/id_rsa remote_rsa
+ You can then unlock the disk remotely via SSH with
- The remote system should start dropbear automatically during the boot
-process's initramfs execution making it possible to ssh to the remote
-system and supply the rootfs passphrase. Because the initramfs is
-kept in an unencrypted partition the default dropbear configuration
-uses a different host key in the initramfs than the remote system's
-normal host key. This means some care must be taken when connecting
-to the remote system so that host key checking does not interfere with
-ssh connection establishment. When using the OpenSSH client either
-the "-o StrictHostKeyChecking=no" or the "-o
-UserKnownHostsFile=alternate_known_hosts" options are some available
-choices.
+$ ssh -tF ~/.luks/ssh.conf r...@remote.system.com unlock
- You can login into the initramfs via ssh (modified per above)
+ Or, using a local gpg-encrypted key file:
-$ ssh -i remote_rsa -l root remote.system.com
-
- and echo the passphrase to a fifo file on the remote system:
-
-# echo -n "my_secret_passphrase" > /lib/cryptsetup/passfifo
+$ gpg --decrypt ~/.luks/remote.key.gpg | ssh -TF ~/.luks/ssh.conf r...@remote.system.com unlock
That's it. Now that the encrypted root device is unlocked, the remote system
should continue with the boot process.
- If the remote system has a network configuration at boot (via ip= on the
-kernel command line) which differs from the network configuration normally
-used, the network interfaces will need to be brought down after the rootfs is
-mounted. Without this step the normal boot process will be unable to properly
-reconfigure the network interfaces. To do this take the following steps.
-
-# mkdir -p /etc/initramfs-tools/conf.d
-# cp -a /usr/share/initramfs-tools/conf.d/dropbear \
- /etc/initramfs-tools/conf.d/
-
-Then edit /etc/initramfs-tools/conf.d/dropbear to specify the network
-interfaces to be brought down.
-
- Should it be desirable to have the remote system use the same host key
-during the boot process as during regular system operation the
-following steps may be taken.
+ You can also use the following authorized_keys(5) options in
+/etc/initramfs-tools/root/.ssh/authorized_keys to restrict access and avoid
+users poking around:
-# cp -a /etc/dropbear/dropbear_{dsa,rsa}_host_key \
- /etc/initramfs-tools/etc/dropbear/
-# update-initramfs -u -k all
+no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/unlock" ssh-rsa ...
- /usr/share/doc/cryptsetup/README.remote.gz is a documentation with more
-details on the setup of an initramfs with suppurt to remotely unlock the
-encrypted rootfs.
+(Be sure to rebuild the initrd afterwards: `update-initramfs -u -k all`.)
9. Backup the LUKS header
diff --git a/debian/README.remote b/debian/README.remote
deleted file mode 100644
index 856bd97..0000000
--- a/debian/README.remote
+++ /dev/null
@@ -1,96 +0,0 @@
-unlocking rootfs via ssh login in initramfs
--------------------------------------------
-
-You can unlock your rootfs on bootup from remote, using ssh to log in to the
-booting system while it's running with the initramfs mounted.
-
-
-Setup
------
-
-For remote unlocking to work, the following packages have to be installed
-before building the initramfs: dropbear busybox
-
-The file /etc/initramfs-tools/initramfs.conf holds the configuration options
-used when building the initramfs. It should contain BUSYBOX=y (this is set as
-the default when the busybox package is installed) to have busybox installed
-into the initramfs, and should not contain DROPBEAR=n, which would disable
-installation of dropbear to initramfs. If set to DROPBEAR=y, dropbear will
-be installed in any case; if DROPBEAR isn't set at all, then dropbear will only
-be installed in case of an existing cryptroot setup.
-
-The host keys used for the initramfs are dropbear_dss_host_key and
-dropbear_rsa_host_key, both located in/etc/initramfs-tools/etc/dropbear/.
-If they do not exist when the initramfs is compiled, they will be created
-automatically. Following are the commands to create them manually:
-
-# dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
-# dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
-
-As the initramfs will not be encrypted, publickey authentication is assumed.
-The key(s) used for that will be taken from
-/etc/initramfs-tools/root/.ssh/authorized_keys.
-If this file doesn't exist when the initramfs is compiled, it will be created
-and /etc/initramfs-tools/root/.ssh/id_rsa.pub will be added to it.
-If the latter file doesn't exist either, it will be generated automatically -
-you will find the matching private key which you will later need to log in to
-the initramfs under /etc/initramfs-tools/root/.ssh/id_rsa (or id_rsa.dropbear
-in case you need it in dropbear format). Following are the commands to do the
-respective steps manually:
-
-To create a key (in dropbear format):
-
-# dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear
-
-To convert the key from dropbear format to openssh format:
-
-# /usr/lib/dropbear/dropbearconvert dropbear openssh \
- /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
- /etc/initramfs-tools/root/.ssh/id_rsa
-
-To extract the public key:
-
-# dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | \
- grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub
-
-To add the public key to the authorized_keys file:
-
-# cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys
-
-In case you want some interface to get configured using dhcp, setting DEVICE= in
-/etc/initramfs-tools/initramfs.conf should be sufficient. The initramfs should
-also honour the ip= kernel parameter.
-In case you use grub, you probably might want to set it in /boot/grub/menu.lst,
-either in the '# kopt=' line or appended to specific 'kernel' line(s).
-The ip= kernel parameter is documented in Documentation/nfsroot.txt in the
-kernel source tree.
-
-
-Issues
-------
-
-Don't forget to run update-initramfs when you changed the config to make it
-effective!
-
-Collecting enough entropy for the ssh daemon sometimes seems to be an issue.
-Startup of the ssh daemon might be delayed until enough entropy has been
-retrieved. This is non-blocking for the startup process, so when you are at the
-console you won't have to wait for the sshd to complete its startup.
-
-
-Unlocking procedure
--------------------
-
-To unlock from remote, you could do something like this:
-
-# ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
- -i "~/id_rsa.initramfs" r...@initramfshost.example.com \
- "echo -ne \"secret\" >/lib/cryptsetup/passfifo"
-
-This example assumes that you have an extra known_hosts file
-"~/.ssh/known_hosts.initramfs" which holds the cryptroot system's host-key,
-that you have a file "~/id_rsa.initramfs" which holds the authorized-key for
-the cryptroot system, that the cryptroot system's name is
-"initramfshost.example.com", and that the cryptroot passphrase is "secret"
-
--- <deb...@x.ray.net>, Wed, 30 Sep 2009
diff --git a/debian/cryptsetup.docs b/debian/cryptsetup.docs
index be68445..7a27612 100644
--- a/debian/cryptsetup.docs
+++ b/debian/cryptsetup.docs
@@ -4,6 +4,5 @@ docs/*ReleaseNotes
debian/README.keyctl
debian/README.gnupg
debian/README.initramfs
-debian/README.remote
debian/README.openct
debian/README.opensc
--
2.6.2
signature.asc
Description: PGP signature
