Thread: Remote unlocking encrypted disk problems

  1. #1

    Question Remote unlocking encrypted disk problems

    I'm trying to use dracut-sshd to allow me to unlock the encrypted root partition on boot. My /boot partition is unencrypted.

    I've followed the instructions from the dracut-sshd github page to insert the sshd module, however it seems like the network is not brought up until after the password is entered so I'm unable to SSH into the machine to enter the password.

    I've tried using rd.neednet=1 and ip=auto, and also the suggested networkd option but neither seems to work. Do I need to somehow get wicked to load at boot time?

    Any help would be appreciated!

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,988

    Default Re: Remote unlocking encrypted disk problems

    Quote Originally Posted by endeavour View Post
    I've followed the instructions from the dracut-sshd github page to insert the sshd module, however it seems like the network is not brought up until after the password is entered so I'm unable to SSH into the machine to enter the password.
    I do not know about that feature, but it is clear to me that when you want to connect to an ssh daemon, that system must be connected to the network, else communication is impossible. And of course, as long as your root partition is not mounted (and thus decrypted), normal networking by the system is impossible. Thus for this special connection to dracut, dracut should use some NIC, providing an IP address, etc, (maybe using DHCP) and then start the listening sshd. All by itself. I assume that the relevant documentation should tell you how dracut starts networking and how to configure it (which NIC if there are more on the system, DHCP or fixed IP address, etc.).

    At least you could provide a direct link to the documentation you found, so people can easily read what you have read.
    Last edited by hcvv; 23-May-2022 at 06:35.
    Henk van Velden

  3. #3
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,988

    Default Re: Remote unlocking encrypted disk problems

    Instead of waiting until you provide the information, I tried using Google and found https://github.com/dracut-crypt-ssh/dracut-crypt-ssh

    You say you used ip=auto, but I see nowhere a mention of auto as a possibility. It says either IP=<IP-address><and more> or ip=dhcp.
    Last edited by hcvv; 23-May-2022 at 06:48.
    Henk van Velden

  4. #4
    Join Date
    Sep 2012
    Posts
    7,877

    Default Re: Remote unlocking encrypted disk problems

    That's not dracut-sshd
    I see nowhere a mention of auto as a possibility
    ip= parameter is parsed by backend-specific implementation. It is supported if NetworkManager is used in dracut. It is not supported by legacy (native) dracut networking module or systemd-networkd. Not sure about wicked.

    Options mentioned in dracut.cmdline should be supported by all implementations, but e.g. wicked was known to fail miserably with auto-configuration. Do not know if this was ever fixed.

  5. #5
    Join Date
    Sep 2012
    Posts
    7,877

    Default Re: Remote unlocking encrypted disk problems

    Quote Originally Posted by endeavour View Post
    the network is not brought up until after the password is entered
    Where is the password entered - in dracut? In booted system? Where is the network brought up - in dracut? In booted system?

    I've tried using rd.neednet=1 and ip=auto
    As already mentioned, ip=auto is not universally supported, better is "ip=on" or "ip=dhcp" if you have a DHCP server to assign addresses. Or specify the IP address explicitly.

    rd.neednet is evaluated at runtime and so does nothing unless network support is included in the initrd. dracut-sshd itself does not define any dependencies, so unless you told dracut to include the necessary modules, the generated initrd won't have any networking support. You have not described what you did (and "I followed the guide" is a pretty poor description). Does your initrd include networking support at all?
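The two questions raised in posts #4 and #5 (is the ip= value one that every dracut network backend understands, and does the generated initrd actually contain sshd plus a network backend) can be checked before rebooting. The script below is an added example for this thread, not code from dracut-sshd or from any poster. The ip= forms follow dracut.cmdline(7); the lsinitrd output layout (a "dracut modules:" list terminated by a line of "=") and the openSUSE module name "network-wicked" are assumptions, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from dracut-sshd): audit the kernel
# command line for initrd networking options, and check that an initrd really
# carries the modules those options need. Assumptions: dracut.cmdline(7) ip=
# syntax, lsinitrd's "dracut modules:" section layout, and the module name
# "network-wicked" for openSUSE's wicked backend. Samples are constructed.

# check_ip_param "<kernel cmdline>"
# Prints "OK ..." or "REJECT ..." for the ip= option; returns 0 or 1.
check_ip_param() {
    ip_val=""
    neednet=0
    for word in $1; do
        case $word in
            ip=*)         ip_val=${word#ip=} ;;
            rd.neednet=1) neednet=1 ;;
        esac
    done
    case $ip_val in
        "")
            if [ "$neednet" -eq 1 ]; then
                echo "REJECT rd.neednet=1 but no ip= option: nothing tells the initrd how to configure a NIC"
            else
                echo "REJECT no ip= option on the command line"
            fi
            return 1 ;;
        auto)
            echo "REJECT ip=auto is only parsed by the NetworkManager backend; use ip=dhcp or ip=on"
            return 1 ;;
        dhcp|on|any|dhcp6|auto6)
            echo "OK ip=$ip_val is generic autoconfiguration that every backend accepts"
            return 0 ;;
        *)
            # Count ':' separators to tell the two explicit forms apart.
            rest=$ip_val; colons=0
            while [ "$rest" != "${rest#*:}" ]; do
                rest=${rest#*:}; colons=$((colons + 1))
            done
            if [ "$colons" -eq 1 ]; then
                echo "OK ip=$ip_val is the <interface>:<method> form"
            elif [ "$colons" -ge 6 ]; then
                echo "OK ip=$ip_val is the static <client-IP>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:<method> form"
            else
                echo "REJECT ip=$ip_val matches no dracut.cmdline ip= form"
                return 1
            fi
            return 0 ;;
    esac
}

# check_initrd_modules "<lsinitrd output>"
# Confirms the image carries the sshd module plus a network backend, which is
# what rd.neednet= and ip= need in order to do anything at boot.
check_initrd_modules() {
    mods=$(printf '%s\n' "$1" | sed -n '/^dracut modules:/,/^====/p')
    backend=""
    for m in network-manager network-legacy systemd-networkd network-wicked; do
        printf '%s\n' "$mods" | grep -qx "$m" && backend=$m
    done
    if ! printf '%s\n' "$mods" | grep -qx sshd; then
        echo "REJECT sshd module is not in the initrd"; return 1
    fi
    if [ -z "$backend" ]; then
        echo "REJECT sshd is present but no network backend module is: the initrd cannot bring a NIC up"; return 1
    fi
    echo "OK sshd and $backend are both in the initrd"
    return 0
}

# Constructed samples (not real systems).
CMDLINE_BAD='root=/dev/sda2 rd.neednet=1 ip=auto'
CMDLINE_GOOD='root=/dev/sda2 rd.neednet=1 ip=dhcp'
INITRD_NO_NET='Image: /boot/initrd: 20M
========================================================================
Version: dracut-055

dracut modules:
bash
crypt
sshd
========================================================================'
INITRD_OK='Image: /boot/initrd: 24M
========================================================================
Version: dracut-055

dracut modules:
bash
crypt
network-manager
sshd
========================================================================'

check_ip_param "$CMDLINE_BAD"
check_ip_param "$CMDLINE_GOOD"
check_initrd_modules "$INITRD_NO_NET"
check_initrd_modules "$INITRD_OK"
```

On a real machine, feed it `cat /proc/cmdline` and `lsinitrd` (or `lsinitrd /boot/initrd-$(uname -r)`) instead of the constructed strings. The second check is the one that catches the situation post #5 describes: an initrd with sshd but no network backend looks fine from the command line and simply never opens a port.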

  6. #6

    Default Re: Remote unlocking encrypted disk problems

    These were the instructions I was following: https://github.com/gsauthof/dracut-sshd

    I got rid of the rd.neednet and ip=dhcp (or auto, neither worked) line and used the networkd suggestion in the above docs. This kind-of works but results in my interface ending up with two IP addresses. It gets one IP assigned on boot to allow the password to be entered but when the OS boots it then gets *another* IP... it seems like network manager cannot appropriate the network interface brought up by dracut.

    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8e:7b:68 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.135/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s3
    valid_lft 79335sec preferred_lft 79335sec
    inet 10.0.1.134/24 brd 10.0.1.255 scope global secondary dynamic noprefixroute enp0s3
    valid_lft 86241sec preferred_lft 86241sec

    The other problem is that by having a separate boot partition I now lose btrfs-grub snapshots. I suppose this isn't really solvable so I am looking into self-encrypting disks as an alternative.
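The two-address symptom in the post above is easy to spot once you know to look for it: one interface carrying two addresses both flagged "dynamic", the earlier one from the initrd's lease and the later one from the booted system's DHCP client. The script below is an added example for this thread, not code from any poster or from dracut-sshd; it parses `ip addr show` output and reports interfaces holding more than one dynamic IPv4 address. The sample input reuses the interface listing from the post plus a constructed loopback entry.

```shell
#!/bin/sh
# Added example (not from the thread): scan "ip addr show" output for
# interfaces that hold more than one DHCP-assigned IPv4 address, the symptom
# of an initrd lease surviving into the booted system next to the lease the
# booted system obtained. Sample input: the poster's listing plus a
# constructed loopback entry.

# find_double_leases "<ip addr output>"
# Prints "<iface> <count> <addr1>,<addr2>..." for every interface with two or
# more addresses flagged "dynamic"; prints nothing when every interface is clean.
find_double_leases() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); next }
        $1 == "inet" && / dynamic / {
            n[iface]++
            addrs[iface] = (addrs[iface] == "" ? $2 : addrs[iface] "," $2)
        }
        END {
            for (i in n)
                if (n[i] > 1) printf "%s %d %s\n", i, n[i], addrs[i]
        }' | sort
}

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8e:7b:68 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.135/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s3
       valid_lft 79335sec preferred_lft 79335sec
    inet 10.0.1.134/24 brd 10.0.1.255 scope global secondary dynamic noprefixroute enp0s3
       valid_lft 86241sec preferred_lft 86241sec'

# Constructed clean listing: a single lease on the interface.
SAMPLE_CLEAN='2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8e:7b:68 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.135/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s3
       valid_lft 79335sec preferred_lft 79335sec'

find_double_leases "$SAMPLE_IP_ADDR"
# prints: enp0s3 2 10.0.1.135/24,10.0.1.134/24
find_double_leases "$SAMPLE_CLEAN"
# prints nothing
```

Run it as `find_double_leases "$(ip addr show)"` on the booted system. A non-empty result means the host is holding two DHCP leases at once, so any firewall rule or allow-list keyed on the address the DHCP server logged for the initrd may not match the address the running system actually uses.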
