This is my first time posting here. I was wondering what is the currently recommended method to implement remote unlock of LUKS through SSH at boot on openSUSE Leap 15.6.
However, I tried the package and couldn’t get it to work for some reason (I can’t ping the machine when it’s at the LUKS unlock prompt when booting). Unfortunately, I don’t have Linux proficiency to successfully troubleshoot this yet.
If no one has any suggestions, I may have to try to adapt instructions I had used in the past to manually implement this for Debian, translating it to fit the Leap environment.
I am not sure about that, but would still suggest an alternative.
Would it be an option to not use full disk encryption and just encrypt your user’s home folder or partition? That way, your system and SSH server could boot first.
Note: Encrypting only the home partition is not as secure as using full disk encryption.
Let me please point out that one should not use home: repos. These repos are the place where packagers do their testing, where they break things. Using such repos can, and at some point will, break your system.
Thanks, I had considered leaving a slightly larger portion of the system unencrypted so that it could boot without intervention, but I was trying this approach first because it seemed like a nice technical challenge to get more practice and learn more about Linux. I would also need to understand exactly what the risks would be of leaving, for instance, the boot partition unencrypted. Maybe I’m too paranoid.
Thanks, I had read a little bit about the risks of using those repos and whether or not to do it. I think I decided to give it a try in case it worked, but I guess it didn’t. I will probably go back to the drawing board and do it manually.
Thanks again. I don’t know if it being from 2022 makes it not relevant anymore. The thread may still contain useful information for my purposes. However, I agree that the upstream project seems dead considering it doesn’t seem to work anymore.
I would still be curious to hear if anyone has a better solution for implementing this on Leap. If not, I will try the approach of translating the instructions for Debian that have worked for me in the past.
That is not what you said originally. To reiterate:
which sounded like you wanted a turnkey solution, not guidance on how to troubleshoot and solve your problem.
If you want to learn, the obvious first question is: is networking active in initrd? Read man dracut.cmdline, search for rd.break, interrupt boot to get a shell and look around.
Whether you will be using dropbear or openssh or any other SSH server does not really matter. You can use any program you are familiar with. And of course it is better to use what is available in the distribution by default simply to avoid horror story replies.
But I am pretty sure that your problem is that initrd does not have any networking by default, which the topic you mentioned should have made pretty clear; it also provided an example of how to add networking support.
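A way to turn the two checks above (is early networking requested on the kernel command line, and does the initrd actually contain the dracut network module) into a script, added here as an example and not taken from this thread or from any package. The sample command line and lsinitrd output are constructed, and the file name under /etc/dracut.conf.d/ is my own choice; the parameters rd.neednet, ip= and add_dracutmodules are the documented dracut ones.

```shell
#!/bin/sh
# Constructed sample inputs. On a real Leap system use "$(cat /proc/cmdline)"
# and "$(lsinitrd)" instead; the module list below is abbreviated.
SAMPLE_CMDLINE="root=UUID=0000-placeholder ro quiet rd.luks.uuid=luks-0000-placeholder"
SAMPLE_LSINITRD="Image: /boot/initrd: 35M
Version: dracut-055 (constructed)

dracut modules:
bash
systemd
crypt
rootfs-block
========================================================================"

# dracut only configures networking in the initrd when the kernel command
# line asks for it: rd.neednet=1 or any ip= parameter (man dracut.cmdline).
initrd_net_requested() {
    for arg in $1; do
        case "$arg" in
            rd.neednet=1|ip=*) return 0 ;;
        esac
    done
    return 1
}

# Print each requested dracut module that is absent from the "dracut modules:"
# section of lsinitrd output (the list ends at a blank line or a ==== line).
missing_initrd_modules() {
    lsinitrd_out=$1; shift
    for mod in "$@"; do
        printf '%s\n' "$lsinitrd_out" | awk -v m="$mod" '
            /^dracut modules:/ { inlist = 1; next }
            inlist && (/^=/ || /^[[:space:]]*$/) { inlist = 0 }
            inlist && $1 == m { found = 1 }
            END { exit !found }' || printf '%s\n' "$mod"
    done
}

# Report what is missing and the matching fix: crypt is needed for LUKS,
# network for any SSH server that should answer at the unlock prompt.
diagnose() {
    if ! initrd_net_requested "$1"; then
        echo "no rd.neednet=1/ip= on the kernel command line: add 'rd.neednet=1 ip=dhcp'"
    fi
    for mod in $(missing_initrd_modules "$2" crypt network); do
        echo "dracut module '$mod' not in initrd: put add_dracutmodules+=\" $mod \""
        echo "  into /etc/dracut.conf.d/90-$mod.conf (my file name) and run 'dracut -f'"
    done
}

diagnose "$SAMPLE_CMDLINE" "$SAMPLE_LSINITRD"
```

After rebuilding the initrd, rd.break=pre-mount on the kernel command line drops you into the initrd shell before the LUKS prompt, where `ip a` shows whether the interface actually came up.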
I’m not afraid of tinkering and the learning that comes with that process, but I also have to consider how much time I have available to do that against how soon I’m trying to get things working.
I’ve already spent a few days this week trying to get samba working in a (pre-built) podman container, so it would have been a time-saver to find a turnkey solution. In the absence of that, I will definitely tinker. Thanks for the pointers on where to look for more information!
The samba/podman issue is higher priority for me, so I will probably go back to that first before pursuing this remote unlock functionality.