
Remote Decryption

Being able to remotely decrypt your critical infrastructure is a godsend. You can power cycle machines for security updates without stressing about being in front of the rack to type a passphrase.


Remote decryption of my LUKS-encrypted disks is a must for me. I enable it on every system, including laptops, because they often end up becoming servers.

I had a fairly straightforward bash script to do this under Ubuntu, but as I move to NixOS I needed to solve it there as well.

If you want my snippet to install and configure Dropbear for Ubuntu, you can see it here.

NixOS

Pay attention to the hostKeys line. You can point it at any path you like, as long as an OpenSSH-format private key actually exists there when you run nixos-rebuild; the snippet below uses /root/.keys/ssh_host_rsa_key. Use a key dedicated to the initrd rather than the system's /etc/ssh host key: it gets copied into the initrd on the unencrypted /boot partition, so anyone who can read /boot can read it.

It also took me multiple commits, and having this working on multiple systems, before I realized NixOS had dropped Dropbear from the initrd: the initrd SSH server is now OpenSSH, so the old Dropbear-specific host key options are gone and hostKeys expects OpenSSH-format keys.

{ config, pkgs, lib, ... }:

let
  vars = import ./vars.nix;
in
{
  ###
  # Setup Remote Unlocking
  ###

  # Keyfile the initrd can use to open LUKS volumes without a prompt.
  # null means "copy it from the same path on the running system".
  # Note: initrd secrets are appended to the initrd in /boot, which is
  # not encrypted, so anyone who can read /boot can read this keyfile.
  boot.initrd.secrets = {
    "/crypto_keyfile.bin" = null;
  };

  # It may be necessary to wait a bit for devices to be initialized.
  # See: https://github.com/NixOS/nixpkgs/issues/98741
  boot.initrd.preLVMCommands = lib.mkOrder 400 "sleep 1";

  # Driver for the NIC the initrd must bring up; find yours with:
  #   lspci -v | grep -iA8 'network\|ethernet'
  boot.initrd.availableKernelModules = [ "e1000e" ];
  boot.kernelParams = [ "ip=dhcp" ];

  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    port = vars.remoteDecryptPort;
    # Login shell for the remote user: it only prompts for the LUKS
    # passphrase, so a connecting client does not get a general shell.
    shell = "/bin/cryptsetup-askpass";
    authorizedKeys = [ vars.remoteDecryptAuthorizedKeys ];
    # OpenSSH-format host key generated beforehand; it is copied into the
    # (unencrypted) initrd so the initrd sshd has a stable identity.
    hostKeys = [ "/root/.keys/ssh_host_rsa_key" ];
  };
}
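The other half of this setup is the client: the initrd sshd answers on a different port and with a different host key than the normal sshd, so the unlock session should pin that key explicitly instead of trusting whatever answers on the unlock port (a box on the same LAN that answers first would otherwise collect your passphrase). The script below is an added example, not code from the original post; it assumes the config above, that you copied /root/.keys/ssh_host_rsa_key.pub to the client out of band, and the environment variable names INITRD_HOST, INITRD_PORT, INITRD_PUB and INITRD_IDENTITY are chosen here for illustration, not NixOS options.

```shell
#!/bin/sh
# Client-side unlock helper for a NixOS machine with initrd SSH enabled.
# Added example, not code from the original post. Assumptions:
#   - the server config above is in use, with its host key at
#     /root/.keys/ssh_host_rsa_key (create it on the server once with
#       ssh-keygen -t rsa -N "" -f /root/.keys/ssh_host_rsa_key
#     and copy the .pub half to this client out of band);
#   - shell = "/bin/cryptsetup-askpass", so the session only prompts for
#     the LUKS passphrase and closes once the volume is open;
#   - INITRD_HOST, INITRD_PORT, INITRD_PUB and INITRD_IDENTITY are names
#     chosen for this script, not NixOS options.
set -eu

ssh_dir="${HOME:-.}/.ssh"

# Turn the server's public key file into a known_hosts entry pinned to
# host:port. Keeping it in its own file means no "host key changed"
# warning on the main entry for the same address, and no trust-on-first-use
# of whatever is listening on the unlock port.
#   $1 = host, $2 = port, $3 = path to ssh_host_*_key.pub
initrd_known_hosts_line() {
  # .pub format is "<keytype> <base64 key> [comment]"; the comment is dropped.
  keytype=$(cut -d' ' -f1 "$3")
  keydata=$(cut -d' ' -f2 "$3")
  printf '[%s]:%s %s %s\n' "$1" "$2" "$keytype" "$keydata"
}

# The ssh invocation: strict checking against the pinned file only, and only
# the chosen identity, so an impersonating initrd cannot collect the
# passphrase and no other client key is offered to it.
#   $1 = host, $2 = port, $3 = known_hosts file, $4 = private key file
initrd_unlock_cmd() {
  printf 'ssh -p %s -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -i %s root@%s\n' \
    "$2" "$3" "$4" "$1"
}

# Constructed sample .pub file (placeholder key material, not a real key),
# used only for the demo branch below.
SAMPLE_PUB=$(mktemp)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey root@initrd\n' > "$SAMPLE_PUB"

if [ -n "${INITRD_HOST:-}" ]; then
  # Real run: write the pinned entry, then open the unlock session.
  port=${INITRD_PORT:-2222}
  kh="$ssh_dir/known_hosts_initrd"
  initrd_known_hosts_line "$INITRD_HOST" "$port" "${INITRD_PUB:-ssh_host_rsa_key.pub}" > "$kh"
  ssh -p "$port" -o "UserKnownHostsFile=$kh" -o StrictHostKeyChecking=yes \
      -o IdentitiesOnly=yes -i "${INITRD_IDENTITY:-$ssh_dir/id_ed25519}" "root@$INITRD_HOST"
else
  # Demo run: show what would be written and executed for a sample host.
  initrd_known_hosts_line 10.0.0.5 2222 "$SAMPLE_PUB"
  initrd_unlock_cmd 10.0.0.5 2222 "$ssh_dir/known_hosts_initrd" "$ssh_dir/id_ed25519"
fi
```

Run it with INITRD_HOST set (and INITRD_PORT matching vars.remoteDecryptPort) to unlock; without it, the script only prints the pinned known_hosts line and the ssh command for a sample host. Once the passphrase is accepted the initrd continues booting and the session closes; the real sshd that comes up afterwards has its own host key and port, which is exactly why the initrd entry lives in a separate known_hosts file.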

Troubleshoot

If you ever get a system that won't seem to pick up the host key, try the following steps.

# Remove/comment any configurations related to boot.initrd.secrets or boot.initrd.network.ssh.hostKeys.
nixos-rebuild switch

# Reboot
nix-collect-garbage -d

# Add the boot.initrd configurations back.
nixos-rebuild switch