Remote unlocking of the root (or other) partition
If you want to be able to reboot a fully LUKS-encrypted system remotely, or start it with a Wake-on-LAN service, you will need a way to enter a passphrase for the root partition/volume at startup. This can be achieved by running a mkinitcpio hook that configures a network interface. Some of the packages listed below contribute mkinitcpio build hooks to ease the configuration.
Remote unlocking (hooks: systemd, systemd-tool)
AUR package mkinitcpio-systemd-toolAUR provides a systemd-centric mkinitcpio hook named systemd-tool with the following set of features for systemd in initramfs:
Core features provided by the hook:
Features provided by the included service units:
The mkinitcpio-systemd-toolAUR package requires the systemd hook. For more information, read the project's README as well as the provided default systemd service unit files to get started.
The recommended hooks are:
base autodetect modconf block filesystems keyboard fsck systemd systemd-tool
Remote unlocking (hooks: netconf, dropbear, tinyssh, ppp)
Another package combination providing remote logins to the initcpio is mkinitcpio-netconfAUR and/or mkinitcpio-pppAUR (for remote unlocking using a PPP connection over the internet) along with an SSH server. You have the option of using either mkinitcpio-dropbearAUR or mkinitcpio-tinysshAUR. Those hooks do not install any shell, so you also need to install the mkinitcpio-utilsAUR package. The instructions below can be used with any combination of the packages above. Where the paths differ, it will be noted.
- If you do not have an SSH key pair yet, generate one on the client system (the one which will be used to unlock the remote machine). If you choose to use mkinitcpio-tinysshAUR, you have the option of using Ed25519 keys.
- Insert your SSH public key (i.e. the one you usually put onto hosts so that you can ssh in without a password, or the one you just created and which ends with .pub) into the remote machine's /etc/dropbear/root_key or /etc/tinyssh/root_key file.
- Add the netconf (or ppp) and dropbear (or tinyssh) hooks before encryptssh and filesystems within the "HOOKS" array in /etc/mkinitcpio.conf (the encryptssh hook replaces the encrypt hook). Then rebuild the initramfs image.
- Configure the required cryptdevice= parameter and add the ip= kernel command-line parameter to your bootloader configuration with the appropriate arguments. For example, if the DHCP server does not assign a static IP to your remote system, making it difficult to reach via SSH across reboots, you can state the IP explicitly:

    ip=192.168.1.1:::::eth0:none

  To configure more than one interface, pass the parameter once per interface:

    ip=192.168.1.1:::::eth0:none ip=172.16.1.1:::::eth1:none

  For a detailed description have a look at the corresponding mkinitcpio section. When finished, update the configuration of your bootloader.
- Finally, restart the remote system and try to ssh to it, explicitly stating the "root" username (even if the root account is disabled on the machine, this root user is used only in the initrd for the purpose of unlocking the remote system). If you are using the mkinitcpio-dropbearAUR package and you also have the openssh package installed, you will most probably not get any host key warnings before logging in, because the hook converts and uses the same host keys openssh uses (except Ed25519 keys, which dropbear does not support). If you are using mkinitcpio-tinysshAUR, you have the option of installing tinyssh-convertAUR or tinyssh-convert-gitAUR so you can use the same keys as your openssh installation (currently only Ed25519 keys). In either case, you should have run the ssh daemon at least once, using the provided systemd units, so that the keys are generated first. After rebooting the machine, you should be prompted for the passphrase to unlock the root device. Afterwards, the system will complete its boot process and you can ssh to it as you normally would (with the remote user of your choice).
Remote unlock via wifi (hooks: build your own)
The net hook is normally used with an ethernet connection. If you want to set up a computer with wireless only, and unlock it via wifi, you can create a custom hook that connects to a wifi network before the net hook is run.
The example below shows a setup using a USB wifi adapter, connecting to a wifi network protected with WPA2-PSK. If you use, for example, WEP or another boot loader, you might need to change some things.
- Modify /etc/mkinitcpio.conf:
  - Add the needed kernel module for your specific wifi adapter.
  - Include the wpa_passphrase and wpa_supplicant binaries.
  - Add a hook wifi (or a name of your choice; this is the custom hook that will be created) before the net hook.

    MODULES="module"
    BINARIES="wpa_passphrase wpa_supplicant"
    HOOKS="base udev autodetect ... wifi net ... dropbear encryptssh ..."

- Create the wifi hook in /etc/initcpio/hooks/wifi:

    run_hook () {
        # sleep a couple of seconds so wlan0 is set up by the kernel
        sleep 5
        # set wlan0 to up
        ip link set wlan0 up
        # associate with the wifi network
        # 1. save a temporary config file
        wpa_passphrase "network ESSID" "pass phrase" > /tmp/wifi
        # 2. associate
        wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi
        # sleep a couple of seconds so that wpa_supplicant finishes connecting
        sleep 5
        # wlan0 should now be connected and ready to be assigned an ip by the net hook
    }

    run_cleanuphook () {
        # kill wpa_supplicant running in the background
        killall wpa_supplicant
        # set wlan0 link down
        ip link set wlan0 down
        # wlan0 should now be fully disconnected from the wifi network
    }

- Create the hook installation file in /etc/initcpio/install/wifi:

    build () {
        add_runscript
    }

    help () {
        cat <<HELPEOF
    Enables wifi on boot, for dropbear ssh unlocking of disk.
    HELPEOF
    }

- Add ip=:::::wlan0:dhcp to the kernel parameters. Remove ip=:::::eth0:dhcp so it does not conflict.
- Optionally create an additional boot entry with the kernel parameter ip=:::::eth0:dhcp.
- Regenerate the initramfs image.
- Update the configuration of your boot loader.
Remember to set up wifi in the booted system too, so you are able to log in once the system is fully booted. If you are unable to connect to the wifi network, try increasing the sleep times a bit.
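A wrong ip= line on a headless box means a trip to the console, so it pays to check the bootloader entry before rebooting. The following is an added example, not code from the page or from mkinitcpio, covering the ip= parameter used in both the netconf/dropbear step and the wifi step above: it builds the exact strings shown on the page, parses entries back, and flags a device listed twice or a static configuration with no address. The field names and the two checks are this example's own assumptions; the field order is the kernel's nfsroot syntax that the initramfs net hook hands to ipconfig.

```python
"""Build, parse and sanity-check the ip= kernel parameter used by the net hook.

Added example, not code from the page or from mkinitcpio. Field order is the
kernel's nfsroot syntax, which the initramfs net hook hands to ipconfig:
  ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
The two checks in check_cmdline() are this example's own rules (assumption).
"""
import ipaddress
import shlex

FIELDS = ("client", "server", "gateway", "netmask", "hostname", "device", "autoconf")
ADDR_FIELDS = ("client", "server", "gateway", "netmask")
AUTOCONF = {"off", "none", "on", "any", "dhcp", "bootp", "rarp", "both"}


def build_ip_param(device, client=None, gateway=None, netmask=None, autoconf=None):
    """Return an ip= value such as '192.168.1.1:::::eth0:none' or ':::::wlan0:dhcp'."""
    if autoconf is None:
        autoconf = "none" if client else "dhcp"  # static address => no autoconf
    values = {"client": client, "gateway": gateway, "netmask": netmask,
              "device": device, "autoconf": autoconf}
    return ":".join(values.get(name) or "" for name in FIELDS)


def parse_ip_param(value):
    """Split one ip= value into a dict (empty fields -> None), validating addresses."""
    # bare method such as ip=dhcp is shorthand for an autoconf-only entry
    parts = [""] * 6 + [value] if ":" not in value and value in AUTOCONF else value.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many fields in ip={value}")
    parts += [""] * (len(FIELDS) - len(parts))
    entry = {name: (part or None) for name, part in zip(FIELDS, parts)}
    for name in ADDR_FIELDS:
        if entry[name] is not None:
            ipaddress.ip_address(entry[name])       # raises ValueError on a typo
    if entry["autoconf"] is not None and entry["autoconf"] not in AUTOCONF:
        raise ValueError(f"unknown autoconf method {entry['autoconf']!r}")
    return entry


def check_cmdline(cmdline):
    """Parse every ip= token on a kernel command line; return (entries, problems)."""
    entries = [parse_ip_param(tok[3:]) for tok in shlex.split(cmdline) if tok.startswith("ip=")]
    problems, seen = [], set()
    for e in entries:
        dev = e["device"] or "<any>"
        if e["device"] in seen:
            problems.append(f"{dev} is configured by more than one ip= entry")
        seen.add(e["device"])
        if e["client"] is None and e["autoconf"] in ("off", "none"):
            problems.append(f"{dev}: static configuration requested without a client address")
    return entries, problems
```

Run check_cmdline() over the contents of your planned boot entry (or the current /proc/cmdline) and fix anything it reports before the remote reboot.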