Initial commit

2026-02-02 00:45:17 +01:00
commit b9d97a76f0
8 changed files with 865 additions and 0 deletions
--- a/remote_decrypt.txt
+++ b/remote_decrypt.txt
@@ -0,0 +1,120 @@
+## - IP definitions in initramfs overwrites /etc/network/interfaces
+## -
+## - Add the following line to your interface definition
+## -
+## -    pre-up ip addr flush dev eth0
+
+
+
+
+
+Luks remote decrypt
+===================
+
+## Install packages busybox and dropbear
+## -
+## - Notice:
+## - If package busybox-static is already installed, tha is sufficient.
+## - Install only package dropbear in that case.
+## -
+#apt-get install dropbear busybox
+apt-get install dropbear
+
+
+## - For security reason and if no needed, remove keys from root directory in
+## - initramfs (/etc/initramfs-tools/root/.ssh)
+## -
+rm /etc/initramfs-tools/root/.ssh/id_*
+
+## - Empty /etc/initramfs-tools/root/.ssh/authorized_keys
+## -
+> /etc/initramfs-tools/root/.ssh/authorized_keys
+
+## - Add your public key, you wish to early connect, to authorized_keys file
+## - /etc/initramfs-tools/root/.ssh/authorized_keys
+## -
+vim /etc/initramfs-tools/root/.ssh/authorized_keys
+
+
+## - Create initramfs script for unlocking the key
+## -
+cat << END > /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh
+#!/bin/sh
+
+PREREQ="dropbear"
+
+prereqs() {
+    echo "\$PREREQ"
+}
+
+case "\$1" in
+    prereqs)
+        prereqs
+        exit 0
+    ;;
+esac
+
+. "\$CONFDIR/initramfs.conf"
+#. /usr/share/initramfs-tools/hook-functions
+
+if [ "\$DROPBEAR" != "n" ] && [ -r "/etc/crypttab" ] ; then
+    # fix for dropbear in Ubuntu 12.04 x86_64
+    [ -d /lib/x86_64-linux-gnu ] && cp -p /lib/x86_64-linux-gnu/libnss_* "\$DESTDIR/lib/"
+
+    mkdir -m 755 -p "\$DESTDIR/lib/unlock"
+
+##### /bin/unlock
+cat > "\${DESTDIR}/bin/unlock" <<EOF
+#!/bin/sh
+if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot ; then
+    for n in cryptroot "plymouth ask-for-pass" cryptsetup ; do
+        p=\\\$(ps w | grep "\\\$n" | awk '\\\$5 != "grep" {print \\\$1}')
+        [ -n "\\\$p" ] && kill \\\$p
+    done
+    exit 0
+fi
+exit 1
+EOF
+##### EOF /bin/unlock
+
+##### /lib/unlock/plymouth
+cat > "\$DESTDIR/lib/unlock/plymouth" <<-EOF
+#!/bin/sh
+[ "\\\$1" == "--ping" ] && exit 1
+exec /bin/plymouth "\\\$@"
+EOF
+##### EOF /lib/unlock/plymouth
+
+    chmod 755 "\$DESTDIR/bin/unlock"
+    chmod 755 "\$DESTDIR/lib/unlock/plymouth"
+
+    # enable password login
+    [ -n "\$SSHUSERPASS" ] &&
+    touch "\$DESTDIR/etc/shadow" && chmod 640 "\$DESTDIR/etc/shadow" &&
+    getent shadow "\$SSHUSERPASS" | sed -n "s/^\$SSHUSERPASS:/root:/p" /etc/shadow >> "\$DESTDIR/etc/shadow"
+
+    sed -i'' 's|^\(root:.*\):[^:]*$|\1:/bin/sh|' "\$DESTDIR/etc/passwd"
+fi
+END
+
+chmod 755 /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh
+
+## - Make changes persistent to initramfs
+## -
+update-initramfs -u -k all
+
+
+## - Now you can connect to dropbear shell with your added key, for example
+## -
+## - Connect:
+## -    ssh -i ~/.ssh/dropbear/id_rsa_initram -o UserKnownHostsFile=.ssh/dropbear/known_hosts root@192.168.63.90
+## -
+## - Enter your passphrase:
+## -    Enter passphrase for key '/home/chris/.ssh/dropbear/id_rsa_initram': ******************
+## -
+## - Unlock key, type:
+## -    unlock
+## -
+## - Enter pasphrase for cryptodevice
+## -    Enter passphrase:
+## -