[arch-general] mkinitcpio: Rethinking remote unlock via SSH

Karol Babioch karol at babioch.de
Wed Dec 19 18:55:56 EST 2012 

Hi,

so far I was using "dropbear_initrd_encrypt" (see [1]) to unlock a
cryptdevice remotely via SSH, which worked reasonably well. However
since the latest release of mkinitcpio it doesn't work anymore. I could
fix the issues in the meantime, however it got me into thinking that
this could be done even better.

The main problem I have with "dropbear_initrd_encrypt" is that it sort
of mixes the "dropbear" and "encryptssh" hooks. The dropbear daemon for
instance is started in the "dropbear" hook, but killed after
successfully unlocking the cryptdevice in the "encryptssh" hook.
Furthermore the "encryptssh" hook is basically a copy of the "encrypt"
hook with some changes.

Now my idea so far was the following: Start a screen session early
(using "run_earlyhook"). Start dropbear whenever SSH access is needed,
e.g. right before the "encrypt" hook itself using a separate "dropbear"
hook ("run_hook" should be fine). Now the SSH session should be attached
to the screen session, so the input/output will be "shared". After
unlocking (run_cleanuphook) kill the screen session.

I've spent some time on this, but couldn't get it working so far. Now
before spending even more time on it, I would like to know from you what
you think about it and whether or not this can be done. Are there any
obvious issues I'm haven't thought of yet?

Unfortunately I'm not too familiar with screen and every attempt I tried
so far will bring up some form of an interactive screen session with the
welcome screen being shown. This will bring the boot process to a
"halt", where I have to exit the screen session to move on.

I guess in the first step I would just like to have all output from the
boot process within the initramfs shown in a screen session. Has anyone
of you some advice(s) for me?

Using screen has the advantage that the whole output during boot will be
accessible (scrollable) as screen would buffer all of it. This could be
useful in cases the machine won't boot beyond initramfs.

Best regards,
Karol Babioch

[1] https://aur.archlinux.org/packages/dropbear_initrd_encrypt/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20121220/984aefce/attachment.asc>

More information about the arch-general mailing list