From eff6a2931349029438394e721e986f3d7e6a1d7d Mon Sep 17 00:00:00 2001 From: "Kevin Veen-Birkenbach [aka. Frantz]" Date: Fri, 17 Apr 2020 19:21:08 +0200 Subject: [PATCH] Optimized --- README.md | 50 ++++++++++++++++++++++++-------------------------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 971b848..a6cf8bb 100644 --- a/README.md +++ b/README.md @@ -97,12 +97,11 @@ with ``` HOOKS=(base udev autodetect modconf block mdadm_udev lvm2 netconf dropbear encryptssh filesystems keyboard fsck) ``` - -/etc/initramfs-tools/initramfs.conf anpassen
+> :warning: In the original example the initramfs get modified. Don't know if this is still necessary: +/etc/initramfs-tools/initramfs.conf
Alt: BUSYBOX=auto
Neu: BUSYBOX=y
http://daemons-point.com/blog/2019/10/20/hetzner-verschluesselt/#etcinitramfs-toolsinitramfsconf-anpassen -
### 4. Activate Encryption #### 4.1 @@ -198,22 +197,23 @@ chroot /mnt echo "cryptroot /dev/md1 none luks" >> /etc/crypttab ``` #### 4.15 -rewrite initramfs ***?assume this should be right???*** ```bash mkinitcpio -p linux ``` -Missing **initramfs neu schreiben** **GRUB neu schreiben** + ### 5 -ist das folgende richtig +#### 5.1 +Install grub: ```bash pacman -S grub ``` -Is the following correct? See https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp) +> :warning: I'm not shure if the following is correct. Please check out this [link](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp)) . I appreciate feedback :two_hearts: +#### 5.2 Edit /etc/default/grub and tell the Kernel about the cryptdevice and the mdraid, and netconf that we want dhcp ```bash GRUB_CMDLINE_LINUX="cryptdevice=/dev/md0:root ip=dhcp" ``` - +#### 5.3 ```bash grub-mkconfig -o /boot/grub/grub.cfg ``` @@ -223,23 +223,7 @@ grub-install /dev/sda grub-install /dev/sdb ``` -ssh-keygen -b 4096 -t rsa -m PEM -f /etc/ssh/ssh_host_rsa_key -dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key -* https://github.com/random-archer/mkinitcpio-systemd-tool/issues/21 -* https://github.com/random-archer/mkinitcpio-systemd-tool/issues/17 -* https://bbs.archlinux.org/viewtopic.php?id=250512 - -from point 4 on I have questions: -https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot - -check this one also out: -* https://blog.simonszu.de/set-up-luks-on-a-physical-hetzner-server-with-debian/ -> specially the part about dropbear configuration and ssh keys - -https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07 - -https://code.trafficking.agency/arch-linux-remote-unlock-root-volume-with-mdraid-and-dmcrypt.html - -#### 4.15 +#### 5.4 ```bash exit umount /mnt/boot /mnt/proc /mnt/sys /mnt/dev 
@@ -251,10 +235,24 @@ reboot ``` - +### 6. +#### 6.1 +Decrypt server: +```bash +ssh -o UserKnownHostsFile=/dev/null root@your_server_ip +cryptroot-unlock +exit +``` +#### 6.2 +Login to server: +```bash +ssh-keygen -f "$HOME/.ssh/known_hosts" -R your_server_ip +ssh root@your_server_ip +``` ## Sources The code is adapted from the following guides: * http://daemons-point.com/blog/2019/10/20/hetzner-verschluesselt/ * https://www.howtoforge.com/using-the-btrfs-filesystem-with-raid1-with-ubuntu-12.10-on-a-hetzner-server +* https://code.trafficking.agency/arch-linux-remote-unlock-root-volume-with-mdraid-and-dmcrypt.html * https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp)
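Review bot: the warning added in the first hunk (`@@ -97,12`) leaves a Debian-only step inside an Arch procedure. `/etc/initramfs-tools/initramfs.conf` and `BUSYBOX=y` belong to Debian's initramfs-tools, while the `HOOKS=(... dropbear encryptssh ...)` line just above and the later `mkinitcpio -p linux` use mkinitcpio, which has no such file. Rather than "Don't know if this is still necessary", state that the step applies only to the Debian guide being adapted and is not needed with mkinitcpio, or drop it together with the untranslated "Alt:"/"Neu:" lines. Also "the initramfs get modified" should read "gets modified".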
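Review bot: in the second hunk (`@@ -198,22`) the kernel command line and crypttab disagree on the device and the mapper name: the context line `echo "cryptroot /dev/md1 none luks" >> /etc/crypttab` names the array /dev/md1 and the mapping cryptroot, while the new `GRUB_CMDLINE_LINUX="cryptdevice=/dev/md0:root ip=dhcp"` points the encrypt/encryptssh hook at /dev/md0 and opens it as root. Only one of these can be right; pick one array and one mapper name and use them in both places. "shure" in the new warning should be "sure", and since the reader is asked to verify this step anyway, say what to check: that the array holding the LUKS container matches cryptdevice and that the unlocked mapper name matches what crypttab and fstab expect.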
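Review bot: the third hunk (`@@ -223,23`) removes the only dropbear host-key step (`ssh-keygen -b 4096 -t rsa -m PEM -f /etc/ssh/ssh_host_rsa_key` and `dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key`) without a replacement, yet HOOKS still lists dropbear and encryptssh. If the hook generates its host key on its own, say so in the README; otherwise the reader ends up with an initramfs SSH server whose host key, the one they must later verify in the new section 6, is never created. Renaming the second `#### 4.15` to `#### 5.4` correctly fixes the duplicate heading, but the removed references (the simonszu post on dropbear configuration and ssh keys, the gist, the chkboot wiki page, the mkinitcpio-systemd-tool issues) are lost entirely rather than moved to Sources, as was done for the trafficking.agency link.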
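Review bot: the new step 6.1 in the last hunk (`@@ -251,10`) connects with `ssh -o UserKnownHostsFile=/dev/null root@your_server_ip` and then types the disk passphrase into that session, and step 6.2 deletes the known_hosts entry with `ssh-keygen -f "$HOME/.ssh/known_hosts" -R your_server_ip` before every login. Together this switches off host-key verification exactly where it matters most: whoever answers for your_server_ip during boot receives the LUKS passphrase. Suggest recording the dropbear host key fingerprint once over a trusted path and pinning it, for example with a dedicated file via `-o UserKnownHostsFile=~/.ssh/known_hosts_initramfs -o StrictHostKeyChecking=yes`, or running dropbear on a different port so the initramfs and the full-system host keys can coexist as separate known_hosts entries, which also makes the `ssh-keygen -R` step unnecessary. Note as well that `cryptroot-unlock` is provided by Debian's dropbear-initramfs package, not by the mkinitcpio encryptssh hook listed in HOOKS; confirm the unlock command against the hook actually installed.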