Hi everyone,
I am quite new to OpenSuse and like it very much till now. I choose an encrypted install of Tumbleweed with an unencrypted root partition.
I am looking to be able to remote unlock the server after I send a WOL signal to it. On Ubuntu and similar Distributions one used Dropbear or Dropbear-Initramfs. I am however not familiar with OpenSuses boot process yet. Can you please help me in the right direction what I need to do to reach my goal here.
Thanks in advance!
I’m not familiar with that way of doing things.
In the past, I have used crypto on a server. I left the root partition unencrypted. I used randomly encrypted swap, which is an install option for openSUSE. And I used an “ecryptfs” encrypted home directory.
The result was that the server could be booted unattended. But sensitive data was kept in that encrypted home directory and decrypted only on login.
Instead of posting link to German blog in English forum you should have explained what functionality you need or expect. Dropbear provides both SSH server and client. From your description it is unclear what you actually need nor how you use it.
What I want to achieve is that my root partition is encrypted and instead of only being able to provide the password via keyboard during boot I want to be able to remote in via SSH, provide the password, and let the boot process proceed.
I figure with dracut being used by Suse the following should be what I am looking for: https://github.com/gsauthof/dracut-sshd
I however have trouble setting this up on Tumbleweed as the package mentioned on the site “dracut-network” does not seem to exist on Suse. I am having trouble figuring out what kind of network connectivity and packages are included in Suse and with that the ‘dracut -f -v’ command mentions that ‘systemd-networkd’ will not be installed.
What would be the correct way here to set this up?
Upstream dracut has network-wicked, network-manager, network-legacy and systemd-networkd and all of them are available in Tumbleweed. There is no need to install any extra package. Nor is systemd-networkd mandatory, you can use any from the list. Default is network-wicked (on openSUSE) if you include network module (which provides some generic framework). Normally network module is automatically added as dependency in such cases as NFS root, iSCSI boot etc.
and with that the ‘dracut -f -v’ command mentions that ‘systemd-networkd’ will not be installed.
dracut does not “mention” - it should print the reason why module will not be installed. Also, dracut does not attempt to install systemd-networkd module by default. You need to describe what you did and provide full dracut output. Never describe what you have seen - copy and paste actual command and its full output.
The simplest way to include systemd-networkd into initrd is (beware quotes and whitespaces)
echo 'add_dracutmodules+=" systemd-networkd "' > /etc/dracut.conf.d/add-systemd-networkd.conf
I followed the instructions on the Github page:
$ cat /etc/systemd/network/20-wired.network
[Match]
Name=e*
[Network]
DHCP=ipv4
and also
# cat /etc/dracut.conf.d/90-networkd.conf
install_items+=" /etc/systemd/network/20-wired.network "
add_dracutmodules+=" systemd-networkd "
**
sudo dracut -f -v **results in:
dracut: Executing: /usr/bin/dracut -f -v
dracut: dracut module 'systemd-coredump' will not be installed, because command 'coredumpctl' could not be found!
dracut: dracut module 'systemd-coredump' will not be installed, because command '/usr/lib/systemd/systemd-coredump' could not be found!
dracut: dracut module 'systemd-networkd' will not be installed, because command 'networkctl' could not be found!
dracut: dracut module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-networkd' could not be found!
dracut: dracut module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-network-generator' could not be found!
dracut: dracut module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-networkd-wait-online' could not be found!
dracut: dracut module 'systemd-repart' will not be installed, because command 'systemd-repart' could not be found!
dracut: dracut module 'systemd-resolved' will not be installed, because command 'resolvectl' could not be found!
dracut: dracut module 'systemd-resolved' will not be installed, because command '/usr/lib/systemd/systemd-resolved' could not be found!
dracut: zfsexpandknowledge: host device /dev/dm-1
dracut: zfsexpandknowledge: host device /dev/mapper/vg-root
dracut: zfsexpandknowledge: host device /dev/nvme0n1p2
dracut: zfsexpandknowledge: host device /dev/nvme0n1p1
dracut: zfsexpandknowledge: host device /dev/dm-2
dracut: zfsexpandknowledge: device /dev/nvme0n1p1 of type vfat
dracut: zfsexpandknowledge: device /dev/nvme0n1p3 of type crypto_LUKS
dracut: zfsexpandknowledge: device /dev/nvme0n1p2 of type btrfs
dracut: zfsexpandknowledge: device /dev/dm-2 of type swap
dracut: zfsexpandknowledge: device /dev/dm-0 of type LVM2_member
dracut: zfsexpandknowledge: device /dev/dm-1 of type btrfs
dracut: dracut module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
dracut: dracut module 'rngd' will not be installed, because command 'rngd' could not be found!
dracut: 62bluetooth: Could not find any command of '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'!
dracut: dracut module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut: dracut module 'memstrack' will not be installed, because command 'memstrack' could not be found!
dracut: memstrack is not available
dracut: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
dracut: dracut module 'squash' will not be installed, because command 'mksquashfs' could not be found!
dracut: dracut module 'squash' will not be installed, because command 'unsquashfs' could not be found!
dracut: dracut module 'systemd-networkd' cannot be found or installed.
I hope this helps to clarify where I am stuck. Apart from that it is a pretty fresh ‘server’ install of Tumbleweed with an unencrypted /boot/efi partition and an unencrypted btrfs /boot partition.
Install systemd-network. I probably installed it manually in the past and forgot about it.
Thank you it is working now. Also thank you for the little hand holding. OpenSUSE is quite different from the distributions I am used to. In this case I was getting confused by all the errors and messages dracut -v -f was generating. I have it working now!
Probably a bit too late, but for others searching for a solution, you can use this repository: Show home:chkpnt:full-disk-encryption - openSUSE Build Service
For the setup, see the description in the project.
The package dracut-ssh-unlock isn’t by myself. The original author, pavlk, removed the package and it’s GitLab repository, as it stopped working for him after upgrading to 15.2. But for me, it’s still working. Yesterday, I did a clean install on one and an upgrade to 15.4 on an other machine.