Archived view of sylvaindurand.org/remotely-unlock-an-encrypted-system/index.gmi, captured on 2022-04-28 at 17:50:49.
I self-host an Arch Linux server that stores various personal data: documents, photos, music, videos... Its disks are fully encrypted, including the main system, so that the data cannot be read if the machine is stolen, in a burglary for example.
Arch Linux with full encryption
However, encrypting the whole system raises a difficulty: the passphrase has to be entered at every reboot. That means connecting a keyboard and a screen to the server, which is not very practical for a machine that is otherwise only accessed over SSH.
Above all, this server must remain constantly available: in case of power failure or malfunction, it must be able to be restarted without me necessarily being on site.
The solution is simple: when the passphrase prompt appears, the initramfs starts a minimal SSH server, and the passphrase can be typed in over that session.
This article is directly inspired by the dm-crypt/Specialties page from the Arch Linux wiki, which shows different ways to do this. It assumes that you already have a fully functioning encrypted system.
Arch Wiki: dm-crypt/Specialties
We will use `mkinitcpio-netconf`, which allows network access during the early boot phase, `mkinitcpio-tinyssh` and `tinyssh-convert` to initiate SSH access, and `mkinitcpio-utils` to get a session:
```
# all four are AUR packages; install them with whatever AUR workflow you normally use
sudo pacman -Syu mkinitcpio-netconf \
    mkinitcpio-tinyssh \
    tinyssh-convert \
    mkinitcpio-utils
```
To get network access, the connection details must be passed to the kernel at boot time with the `ip` option. Its fields are, in order: client-ip:server-ip:gateway:netmask:hostname:device:autoconf. My server connects directly with DHCP on the eth0 interface, so I use:
```
ip=:::::eth0:dhcp
```
Without DHCP, with a static address instead, use:
```
ip=192.168.1.1:::::eth0:none
```
If you need to connect over wifi, the AUR package `mkinitcpio_wifi` handles it; the setup is documented in detail here:
Arch Wiki: Remote unlock via wifi.
To connect at startup, it is necessary to send your public key. TinySSH only accepts Ed25519 or ECDSA keys; I use the first type with `ssh-keygen -t ed25519 -a 100`.
This public key must be placed in the `/etc/tinyssh/root_key` file.
To use the same key that you already use to SSH into the server, just copy it:
```
cp ~/.ssh/authorized_keys /etc/tinyssh/root_key
```
Next, we edit `/etc/mkinitcpio.conf` and, in the line that starts with `HOOKS`, replace `encrypt` with `netconf tinyssh encryptssh`, keeping that order.
Finally, we rebuild the initramfs with `sudo mkinitcpio -P` so that the changes take effect.
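Before rebuilding the initramfs, it is worth checking the three server-side pieces above, since a mistake only shows up at the next reboot, possibly with nobody on site. The script below is an added example and is not code from the original article or from the Arch wiki: it rewrites a HOOKS line the way the text describes, verifies the resulting hook order, validates the 7-field `ip=` option used here, and checks that the contents of `/etc/tinyssh/root_key` are of the key types the article says TinySSH accepts (so an RSA entry copied over from `authorized_keys` is flagged). The sample HOOKS line and key blobs are constructed placeholders, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# server-side changes (HOOKS line, ip= option, root_key) before "mkinitcpio -P".
# Uses only POSIX sh, sed, awk, grep, tr and cut.

# Replace the "encrypt" hook with "netconf tinyssh encryptssh" in a
# mkinitcpio HOOKS line (array syntax assumed). An already converted line
# is returned unchanged: "encryptssh" is not followed by a space or ")".
rewrite_hooks() {
    printf '%s\n' "$1" |
        sed -E 's/(^|[[:space:]])encrypt([[:space:]]|\))/\1netconf tinyssh encryptssh\2/'
}

# Print the 1-based position of hook $1 inside HOOKS line $2, or nothing.
hook_index() {
    printf '%s\n' "$2" | sed -E 's/^HOOKS=\((.*)\)$/\1/' |
        tr ' ' '\n' | grep -n -x "$1" | cut -d: -f1
}

# Succeed only if netconf, tinyssh and encryptssh are all present, in that
# order, and the plain "encrypt" hook is gone (keeping both would be wrong).
check_hooks() {
    n=$(hook_index netconf "$1")
    t=$(hook_index tinyssh "$1")
    e=$(hook_index encryptssh "$1")
    [ -n "$n" ] && [ -n "$t" ] && [ -n "$e" ] &&
        [ "$n" -lt "$t" ] && [ "$t" -lt "$e" ] &&
        [ -z "$(hook_index encrypt "$1")" ]
}

# Validate the 7-field kernel ip= option used in the article:
# client-ip:server-ip:gateway:netmask:hostname:device:autoconf.
# The device must be named, autoconf must be a value the kernel knows,
# and a static configuration (none/off) must carry a client address.
check_ip_option() {
    opt=${1#ip=}
    nfields=$(printf '%s' "$opt" | awk -F: '{ print NF }')
    [ "${nfields:-0}" -eq 7 ] || return 1
    client=$(printf '%s' "$opt" | cut -d: -f1)
    dev=$(printf '%s' "$opt" | cut -d: -f6)
    auto=$(printf '%s' "$opt" | cut -d: -f7)
    [ -n "$dev" ] || return 1
    case "$auto" in
        dhcp|bootp|rarp|both|on|any) ;;
        none|off) [ -n "$client" ] || return 1 ;;
        *) return 1 ;;
    esac
}

# Check that every key line in a root_key body is Ed25519 or ECDSA,
# the types the article says TinySSH accepts; blank and comment lines are fine.
check_root_key() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;                               # blank or comment
            'ssh-ed25519 '*|'ecdsa-sha2-nistp'*) ;;   # accepted key types
            *) return 1 ;;                            # anything else (e.g. ssh-rsa)
        esac
    done <<EOF
$1
EOF
    return 0
}

# Stand-alone demonstration with constructed inputs.
SAMPLE_HOOKS='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)'
NEW_HOOKS=$(rewrite_hooks "$SAMPLE_HOOKS")
printf '%s\n' "$NEW_HOOKS"
if check_hooks "$NEW_HOOKS"; then echo "hooks: ok"; else echo "hooks: BAD"; fi

for opt in 'ip=:::::eth0:dhcp' 'ip=192.168.1.1:::::eth0:none' 'ip=:::::eth0:none'; do
    if check_ip_option "$opt"; then echo "ok   $opt"; else echo "bad  $opt"; fi
done

# Constructed placeholder keys, not real key material.
GOOD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER me@laptop'
MIXED_KEYS=$(printf '%s\n%s' "$GOOD_KEY" 'ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER me@oldlaptop')
if check_root_key "$GOOD_KEY"; then echo "root_key: ok"; fi
if ! check_root_key "$MIXED_KEYS"; then echo "root_key: RSA entry rejected"; fi
```

To apply it to a real machine, feed the functions the live values, for instance `rewrite_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"` and `check_root_key "$(cat /etc/tinyssh/root_key)"`, and only edit `/etc/mkinitcpio.conf` once the rewritten line passes `check_hooks`.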
All that remains is to create a simple configuration, locally, to unlock your server. We add to `~/.ssh/config`:
```
Host unlock
    Hostname domain.tld
    User root
    IdentityFile ~/.ssh/key
```
Then, when the machine is waiting for the password at startup, you just have to run `ssh unlock` to be able to type the password!