Remote unlocking encrypted disk problems

I’m trying to use dracut-sshd to allow me to unlock the encrypted root partition on boot. My /boot partition is unencrypted.

I’ve followed the instructions from the dracut-sshd github page to insert the sshd module, however it seems like the network is not brought up until after the password is entered so I’m unable to SSH into the machine to enter the password.

I’ve tried using rd.neednet=1 and ip=auto, and also the suggested networkd option but neither seems to work. Do I need to somehow get wicked to load at boot time?

Any help would be appreciated!

I do not know about that feature, but it is clear to me that when you want to connect to an ssh daemon, that system must be connected to the network, else communication is impossible. And of course, as long as your root partition is not mounted (and thus decrypted), normal networking by the system is impossible. Thus for this special connection to dracut, dracut should use some NIC, providing an IP address, etc. (maybe using DHCP) and then start the listening sshd. All by itself. I assume that the relevant documentation should tell you how dracut starts networking and how to configure it (which NIC if there are more on the system, DHCP or fixed IP address, etc.).

At least you could provide a direct link to the documentation you found, so people can easily read what you have read.

Instead of waiting until you provide the information, I tried using Google and found https://github.com/dracut-crypt-ssh/dracut-crypt-ssh

You say you used ip=auto, but I see nowhere a mentioning of auto as a possibility. It says either ip=<IP-address><and more> or ip=dhcp…

That’s not dracut-sshd

I see nowhere a mentioning of auto as a possibility

ip= parameter is parsed by backend-specific implementation. It is supported if NetworkManager is used in dracut. It is not supported by legacy (native) dracut networking module or systemd-networkd. Not sure about wicked.

Options mentioned in dracut.cmdline should be supported by all implementations, but e.g. wicked was known to fail miserably with auto-configuration. Do not know if this was ever fixed.

Where is the password entered - in dracut? In booted system? Where is the network brought up - in dracut? In booted system?

I’ve tried using rd.neednet=1 and ip=auto

As already mentioned, ip=auto is not universally supported; better is “ip=on” or “ip=dhcp” if you have a DHCP server to assign addresses. Or specify the IP address explicitly.

rd.neednet is evaluated at runtime and so does nothing unless network support is included in initrd. dracut-sshd itself does not define any dependencies so unless you told dracut to include necessary modules generated initrd won’t have any networking support. You have not described what you did (and “I followed the guide” is pretty poor description). Does your initrd include networking support at all?
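One way to answer that last question, as an added example that is not from this thread, from dracut or from dracut-sshd: a small POSIX shell check over the module list that `lsinitrd -m` prints. It assumes dracut's own module names for the networking backends (network-legacy, network-manager, network-wicked, systemd-networkd) and the "sshd" module name that dracut-sshd installs; the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: does a dracut initrd carry both the
# dracut-sshd module and a networking backend? Without a backend, rd.neednet=1
# and ip=... on the kernel command line have nothing to act on.
# Assumption: module names are those used by dracut and dracut-sshd.

# Reads `lsinitrd -m` output on stdin; returns 0 only if the "sshd" module and
# at least one networking backend are listed. Header lines never match -x.
initrd_has_remote_unlock() {
    mods=$(cat)
    printf '%s\n' "$mods" | grep -qx 'sshd' || {
        echo "missing: sshd module (dracut-sshd not included)"
        return 1
    }
    if printf '%s\n' "$mods" | grep -qxE 'network-(legacy|manager|wicked)|systemd-networkd'; then
        return 0
    fi
    echo "missing: no networking backend (rd.neednet=1 will do nothing)"
    return 1
}

# Constructed sample listings in the shape `lsinitrd -m /boot/initrd` prints.
SAMPLE_OK='dracut modules:
bash
systemd
systemd-networkd
network
sshd
crypt
btrfs'

SAMPLE_NO_NET='dracut modules:
bash
systemd
sshd
crypt
btrfs'

# Real use on the running kernel's initrd:
#   lsinitrd -m /boot/initrd-"$(uname -r)" | initrd_has_remote_unlock
if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_OK" | initrd_has_remote_unlock && echo "sample 1: ok"
    printf '%s\n' "$SAMPLE_NO_NET" | initrd_has_remote_unlock || echo "sample 2: not ok"
fi
```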

These were the instructions I was following: https://github.com/gsauthof/dracut-sshd

I got rid of the rd.neednet and ip=dhcp (or auto, neither worked) line and used the networkd suggestion in the above docs. This kind of works but results in my interface ending up with two IP addresses. It gets one IP assigned on boot to allow the password to be entered, but when the OS boots it then gets another IP… it seems like NetworkManager cannot appropriate the network interface brought up by dracut.

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:8e:7b:68 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.135/24 metric 1024 brd 10.0.1.255 scope global dynamic enp0s3
valid_lft 79335sec preferred_lft 79335sec
inet 10.0.1.134/24 brd 10.0.1.255 scope global secondary dynamic noprefixroute enp0s3
valid_lft 86241sec preferred_lft 86241sec

The other problem is that by having a separate boot partition I now lose btrfs-grub snapshots. I suppose this isn’t really solvable so I am looking into self-encrypting disks as an alternative.