Meta Configuration of home:chkpnt:full-disk-encryption
<project name="home:chkpnt:full-disk-encryption">
  <title>Unlock FDE via ssh</title>
  <description>
# Dropbear configuration

It is a good idea to run the pre-boot SSH server on a different port and with different SSH keys than your main SSH server, because the pre-boot server's SSH keys are stored unencrypted in the /boot partition. This obviously opens an attack vector (someone who obtains those keys could impersonate the login prompt and capture your password), but this is true of every unlock-LUKS-by-SSH setup by design.

To create a unique server key, use:

    dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048

The pre-boot server only allows public-key authentication; the list of authorized keys is taken from `/root/.ssh/authorized_keys`. You need to add your key to this file.

Then choose the port on which the pre-boot SSH server will listen. You can do this by editing `/etc/dracut-ssh-unlock.conf`.

# GRUB2 - enable networking

Now edit your GRUB2 configuration to bring up the network at boot. This depends on your distribution. For openSUSE, edit `/etc/default/grub` and set `GRUB_CMDLINE_LINUX` to contain `rd.neednet=1 ip=dhcp`, i.e.:

    GRUB_CMDLINE_LINUX="rd.neednet=1 ip=dhcp"

(You can use a static IP instead of DHCP; see `man dracut.cmdline`.)

Then rebuild the GRUB2 configuration:

    grub2-mkconfig --output /boot/grub2/grub.cfg

# Dracut - rebuild initramfs

Next, rebuild the initramfs to include the module:

    dracut -f

If you see any problems, do not reboot; fix them first. You can easily disable *dracut-ssh-unlock* by removing `/etc/dracut.conf.d/42-dracut-ssh-unlock.conf` and rebuilding the initramfs again. You will also need to rebuild the initramfs whenever you change the configuration (dropbear server key or port).

# Usage

After reboot, the server console shows the unlock screen as usual. You should be able to ping the server and connect with your SSH key on the port you specified (default 2222). You get a limited shell in which the `unlock` command prompts for the password. After the disks are unlocked, the SSH server on port 2222 is terminated and the server proceeds with a normal boot.
  </description>
  <person userid="chkpnt" role="maintainer"/>
  <repository name="15.5">
    <path project="openSUSE:Leap:15.5" repository="standard"/>
    <arch>x86_64</arch>
  </repository>
  <repository name="15.4">
    <path project="openSUSE:Leap:15.4" repository="standard"/>
    <arch>x86_64</arch>
  </repository>
</project>
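The two steps in the description most likely to leave a machine stuck at boot are the GRUB command-line edit and rebooting before checking the result. The shell helpers below are an added example, not part of this OBS project or of the dracut-ssh-unlock module; they use only the file paths the description names. `ensure_grub_net` adds `rd.neednet=1 ip=dhcp` to `GRUB_CMDLINE_LINUX` without duplicating it on repeated runs, and `preflight` checks that everything the description requires is in place before you run `grub2-mkconfig`, `dracut -f` and reboot. Both take a file path or root prefix so they can be tried against a scratch copy first. The format of `/etc/dracut-ssh-unlock.conf` is not documented on this page, so the check only tests that the file exists.

```shell
#!/bin/sh
# Added example (not from the OBS project page or the dracut-ssh-unlock module):
# helpers for the GRUB kernel command-line edit and for the "fix problems before
# you reboot" check described above. Each function takes a file path or a root
# prefix so it can be exercised against a scratch tree ("" means the live system).

# Print the value of GRUB_CMDLINE_LINUX (quotes stripped) from file $1,
# or nothing if the variable is not set there.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Exit 0 if $2 appears as a whole word in the space-separated list $1.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Append rd.neednet=1 and ip=dhcp to GRUB_CMDLINE_LINUX in file $1 if missing.
# Idempotent: running it again never duplicates the parameters. Prints the
# resulting command line. Assumes the double-quoted form GRUB_CMDLINE_LINUX="...";
# parameters containing the characters | & or \ are not handled.
ensure_grub_net() {
    f="$1"
    cur=$(grub_cmdline "$f")
    new="$cur"
    for p in rd.neednet=1 ip=dhcp; do
        has_word "$new" "$p" || new="${new:+$new }$p"
    done
    if [ "$new" != "$cur" ]; then
        tmp="$f.tmp.$$"
        if grep -q '^GRUB_CMDLINE_LINUX=' "$f"; then
            # replace the existing assignment in place (written via a temp file for portability)
            sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$f" > "$tmp"
        else
            { cat "$f"; printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new"; } > "$tmp"
        fi
        mv "$tmp" "$f"
    fi
    grub_cmdline "$f"
}

# Pre-reboot checklist for "do not reboot, fix problems first". $1 is the root
# prefix. Reports every missing piece; exits 1 if anything is missing, 0 otherwise.
preflight() {
    r="$1"
    ok=0
    [ -s "$r/etc/dropbear/dropbear_rsa_host_key" ] || {
        echo "missing dropbear host key: run dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048"; ok=1; }
    # the pre-boot server is public-key only, so an empty authorized_keys locks you out
    grep -Eqs '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$r/root/.ssh/authorized_keys" || {
        echo "no public key in /root/.ssh/authorized_keys (pre-boot server is pubkey-only)"; ok=1; }
    [ -s "$r/etc/dracut-ssh-unlock.conf" ] || {
        echo "missing /etc/dracut-ssh-unlock.conf (sets the pre-boot SSH port)"; ok=1; }
    [ -s "$r/etc/dracut.conf.d/42-dracut-ssh-unlock.conf" ] || {
        echo "missing /etc/dracut.conf.d/42-dracut-ssh-unlock.conf (module not enabled for dracut)"; ok=1; }
    cmd=$(grub_cmdline "$r/etc/default/grub" 2>/dev/null)
    has_word "$cmd" rd.neednet=1 || {
        echo "GRUB_CMDLINE_LINUX lacks rd.neednet=1; add it and run grub2-mkconfig"; ok=1; }
    # accept ip=dhcp or a static ip=... spec (see man dracut.cmdline)
    case " $cmd " in
        *" ip="*) ;;
        *) echo "GRUB_CMDLINE_LINUX has no ip= parameter (ip=dhcp or a static address)"; ok=1 ;;
    esac
    return $ok
}
```

Run `ensure_grub_net /etc/default/grub` and then `preflight ""` as root before `grub2-mkconfig` and `dracut -f`; a non-zero exit from `preflight` lists exactly what the description says must be in place, so you fix it before rebooting rather than at a console with no SSH access.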