Remote Decryption
Being able to remotely decrypt your critical infrastructure is such a godsend. You get the ability to power cycle devices for security updates and not stress about being in front of the rack.
Remote decryption of my LUKS encrypted disks is a must for me. I enable it on every system, including laptops, because they often end up becoming servers.
I had a fairly straightforward bash script to do this under Ubuntu, but as I move to NixOS I needed to solve this there as well.
If you want my snippet to install and configure Dropbear for Ubuntu you can see it here.
NixOS
Pay attention to the hostKeys = [ "/root/secrets/ssh_host_rsa_key" ]; line. You can make this whatever path you want, as long as your key is actually located there.
It also took me multiple commits, and having this working on multiple systems, before I realized NixOS had removed the Dropbear dependency.
{ config, pkgs, lib, ... }:
let
  vars = import ./vars.nix;
in
{
  ###
  # Setup Remote Unlocking
  ###
  # Setup keyfile (null means the file is copied into the initrd from the
  # same path on the running system)
  boot.initrd.secrets = {
    "/crypto_keyfile.bin" = null;
  };
  # It may be necessary to wait a bit for devices to be initialized.
  # See: https://github.com/NixOS/nixpkgs/issues/98741
  boot.initrd.preLVMCommands = lib.mkOrder 400 "sleep 1";
  # Find the driver for your NIC with: lspci -v | grep -iA8 'network\|ethernet'
  boot.initrd.availableKernelModules = [ "e1000e" ];
  boot.kernelParams = [ "ip=dhcp" ];
  boot.initrd.network.enable = true;
  boot.initrd.network.ssh = {
    enable = true;
    port = vars.remoteDecryptPort;
    shell = "/bin/cryptsetup-askpass";
    authorizedKeys = [ vars.remoteDecryptAuthorizedKeys ];
    hostKeys = [ "/root/.keys/ssh_host_rsa_key" ];
  };
}
Troubleshoot
If you ever get a system that won't seem to pick up the configured hostKeys, try the following steps.
# Remove/comment any configuration related to boot.initrd.secrets or boot.initrd.network.ssh.hostKeys.
nixos-rebuild switch
# Reboot
nix-collect-garbage -d
# Add the boot.initrd configuration back.
nixos-rebuild switch
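Both the config above and the troubleshooting steps hinge on the files named in boot.initrd.secrets and hostKeys existing (with sane permissions) before nixos-rebuild bakes them into the initrd, and on the right NIC driver being listed in availableKernelModules. The pre-flight check below is an added example, not part of the original post; it assumes the key paths from the config and reads the NIC driver from sysfs instead of lspci.

```bash
#!/usr/bin/env bash
# Pre-flight checks before `nixos-rebuild switch` for initrd SSH unlocking.
# Added example; the paths are the ones used in the config above.

# check_initrd_secret PATH
# Returns 0 when PATH exists as a regular file and is readable only by its
# owner (mode 600 or 400). Anything copied into the initrd must exist at
# build time, and a world-readable host key or keyfile defeats the purpose.
check_initrd_secret() {
  local path="$1" mode
  if [ ! -f "$path" ]; then
    echo "missing: $path" >&2
    return 1
  fi
  # GNU stat first, BSD stat as a fallback (assumption: one of the two exists).
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$path has mode $mode; expected 600" >&2; return 1 ;;
  esac
}

# nic_modules
# Prints the kernel module behind each network interface, one per line, which
# is the value boot.initrd.availableKernelModules needs (e.g. "e1000e").
nic_modules() {
  local dev
  for dev in /sys/class/net/*; do
    [ -e "$dev/device/driver/module" ] || continue
    basename "$(readlink -f "$dev/device/driver/module")"
  done | sort -u
}

# preflight
# Runs every check and returns non-zero if any of them fails.
preflight() {
  local rc=0
  check_initrd_secret /root/.keys/ssh_host_rsa_key || rc=1
  check_initrd_secret /crypto_keyfile.bin || rc=1
  echo "NIC modules to list in boot.initrd.availableKernelModules:"
  nic_modules
  return "$rc"
}
```

Run preflight as root on the machine being configured; a non-zero exit means the next rebuild would produce an initrd that cannot be unlocked remotely.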