## - IP definitions in initramfs overwrites /etc/network/interfaces
## -
## - Add the following line to your interface definition
## -
## -    pre-up ip addr flush dev eth0





Luks remote decrypt
===================

## Install packages busybox and dropbear
## -
## - Notice:
## - If package busybox-static is already installed, tha is sufficient.
## - Install only package dropbear in that case.
## -
#apt-get install dropbear busybox
apt-get install dropbear


## - For security reason and if no needed, remove keys from root directory in
## - initramfs (/etc/initramfs-tools/root/.ssh)
## -
rm /etc/initramfs-tools/root/.ssh/id_*

## - Empty /etc/initramfs-tools/root/.ssh/authorized_keys
## -
> /etc/initramfs-tools/root/.ssh/authorized_keys

## - Add your public key, you wish to early connect, to authorized_keys file
## - /etc/initramfs-tools/root/.ssh/authorized_keys
## -
vim /etc/initramfs-tools/root/.ssh/authorized_keys


## - Create initramfs script for unlocking the key
## -
cat << END > /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh
#!/bin/sh

PREREQ="dropbear"

prereqs() {
    echo "\$PREREQ"
}

case "\$1" in
    prereqs)
        prereqs
        exit 0
    ;;
esac

. "\$CONFDIR/initramfs.conf"
#. /usr/share/initramfs-tools/hook-functions

if [ "\$DROPBEAR" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # fix for dropbear in Ubuntu 12.04 x86_64
    [ -d /lib/x86_64-linux-gnu ] && cp -p /lib/x86_64-linux-gnu/libnss_* "\$DESTDIR/lib/"

    mkdir -m 755 -p "\$DESTDIR/lib/unlock"

##### /bin/unlock
cat > "\${DESTDIR}/bin/unlock" <<EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot ; then
    for n in cryptroot "plymouth ask-for-pass" cryptsetup ; do
        p=\\\$(ps w | grep "\\\$n" | awk '\\\$5 != "grep" {print \\\$1}')
        [ -n "\\\$p" ] && kill \\\$p
    done
    exit 0
fi
exit 1
EOF
##### EOF /bin/unlock

##### /lib/unlock/plymouth
cat > "\$DESTDIR/lib/unlock/plymouth" <<-EOF
#!/bin/sh
[ "\\\$1" == "--ping" ] && exit 1
exec /bin/plymouth "\\\$@"
EOF
##### EOF /lib/unlock/plymouth

    chmod 755 "\$DESTDIR/bin/unlock"
    chmod 755 "\$DESTDIR/lib/unlock/plymouth"

    # enable password login
    [ -n "\$SSHUSERPASS" ] &&
    touch "\$DESTDIR/etc/shadow" && chmod 640 "\$DESTDIR/etc/shadow" &&
    getent shadow "\$SSHUSERPASS" | sed -n "s/^\$SSHUSERPASS:/root:/p" /etc/shadow >> "\$DESTDIR/etc/shadow"

    sed -i'' 's|^\(root:.*\):[^:]*$|\1:/bin/sh|' "\$DESTDIR/etc/passwd"
fi
END

chmod 755 /etc/initramfs-tools/hooks/unlock_cryptkey_via_ssh.sh

## - Make changes persistent to initramfs
## -
update-initramfs -u -k all


## - Now you can connect to dropbear shell with your added key, for example
## -
## - Connect:
## -    ssh -i ~/.ssh/dropbear/id_rsa_initram -o UserKnownHostsFile=.ssh/dropbear/known_hosts root@192.168.63.90
## -
## - Enter your passphrase:
## -    Enter passphrase for key '/home/chris/.ssh/dropbear/id_rsa_initram': ******************
## -
## - Unlock key, type:
## -    unlock
## -
## - Enter pasphrase for cryptodevice
## -    Enter passphrase:
## -