I self-host a server running Arch Linux that stores various personal data: documents, photos, music, videos… Its disks are fully encrypted, including the root filesystem, so that the data is unreadable if the hardware is stolen, in a burglary for example.
Encrypting the whole system, however, raises a difficulty: the passphrase has to be typed at every reboot. That means connecting a keyboard and a screen to the server, which is hardly practical for a machine meant to be reached only over SSH.
Above all, the server must stay available: after a power failure or a crash, it has to come back up without me necessarily being on site.
The solution is simple: when the passphrase prompt appears, start a minimal SSH server inside the initramfs so that the passphrase can be entered remotely.
This article is directly inspired by the dm-crypt/Specialties page of the Arch Linux wiki, which describes several ways to do this. It assumes that you already have a working, fully encrypted system.
Packages
We will use mkinitcpio-netconf, which brings the network up during the early boot phase, mkinitcpio-tinyssh and tinyssh-convert to provide SSH access (tinyssh-convert turns the system's OpenSSH Ed25519 host key into TinySSH's format, so the client sees the same host key at the unlock prompt as on the booted system), and mkinitcpio-utils, which provides the encryptssh hook that ties the session to the unlock prompt:
sudo pacman -Syu mkinitcpio-netconf \
mkinitcpio-tinyssh \
tinyssh-convert \
mkinitcpio-utils
Network
To get network access at boot, the connection parameters are passed to the kernel with the ip= option on the kernel command line (in the bootloader entry). Its fields are client-ip:server-ip:gateway:netmask:hostname:device:autoconf, and unused fields are left empty. My server gets its address by DHCP on the eth0 interface, so I use:
ip=:::::eth0:dhcp
If the server uses a static address rather than DHCP, put its own address in the first field and set the last one to none:
ip=192.168.1.1:::::eth0:none
Fill in the gateway (third) and netmask (fourth) fields as well if the machine you unlock from sits on another network; otherwise the initramfs has no default route.
If you need to connect over Wi-Fi, the AUR package mkinitcpio_wifi handles it; its documentation covers the details.
Key
To log in at boot, your public key has to be present in the initramfs. TinySSH only accepts Ed25519 and ECDSA keys; I use the former, generated with ssh-keygen -t ed25519 -a 100.
The public key goes in the /etc/tinyssh/root_key file.
To use the key you already use to SSH into the server, simply copy its authorized_keys file (as root, on the server):
cp ~/.ssh/authorized_keys /etc/tinyssh/root_key
Check that the copied file contains only Ed25519 or ECDSA entries: any RSA keys in it cannot be used by TinySSH.
Launching in the boot sequence
Finally, edit the /etc/mkinitcpio.conf file and, in the line that starts with HOOKS, replace encrypt with netconf tinyssh encryptssh. The order matters: the network must be up before tinyssh starts, and both before the unlock hook runs.
Then rebuild the initramfs images with sudo mkinitcpio -P.
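 
The server-side steps above, collected into a small POSIX shell script as an added example (this is not the article's own script, nor code from the mkinitcpio hooks). It assumes the HOOKS=(...) array syntax of mkinitcpio.conf, that /etc/tinyssh/root_key is a bare list of one public key per line, and the ip= field order from the kernel's nfsroot documentation; the function names and the sample files are this example's own, and the dry run at the bottom only touches a scratch directory.

```shell
#!/bin/sh
# Added example (not the article's own script): the server-side steps of the
# remote-unlock setup as functions that can be exercised on copies before the
# real files are touched. Assumed: mkinitcpio.conf uses HOOKS=(...),
# root_key holds one public key per line, and the ip= fields are
# client:server:gateway:netmask:hostname:device:autoconf.

# Keep only the key types TinySSH accepts (ssh-ed25519 and ecdsa-sha2-nistp256)
# when copying an authorized_keys file to root_key; prints how many were kept.
# Lines carrying authorized_keys options (e.g. "no-pty ssh-ed25519 ...") are
# dropped too, since root_key is a bare key list.
filter_tinyssh_keys() {
    src=$1; dst=$2
    grep -E '^(ssh-ed25519|ecdsa-sha2-nistp256) ' "$src" > "$dst" || :
    wc -l < "$dst" | tr -d ' '
}

# Swap the plain "encrypt" hook for "netconf tinyssh encryptssh" in the HOOKS
# line. Idempotent: a file that already has encryptssh is left untouched.
set_remote_unlock_hooks() {
    conf=$1
    grep -Eq '^HOOKS=\(.*[ (]encryptssh[ )]' "$conf" && return 0
    tmp=$(mktemp)
    sed -E '/^HOOKS=\(/ s/([ (])encrypt([ )])/\1netconf tinyssh encryptssh\2/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's mode
    rm -f "$tmp"
}

# Build the ip= kernel parameter for the bootloader entry.
# usage: boot_ip_param IFACE dhcp
#        boot_ip_param IFACE CLIENT-IP NETMASK GATEWAY
boot_ip_param() {
    if [ "$2" = dhcp ]; then
        printf 'ip=:::::%s:dhcp\n' "$1"
    else
        printf 'ip=%s::%s:%s::%s:none\n' "$2" "$4" "$3" "$1"
    fi
}

# Dry run on constructed sample files in a scratch directory.
work=$(mktemp -d)
printf 'HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)\n' \
    > "$work/mkinitcpio.conf"
printf 'ssh-rsa AAAAB3NzaC1yc2E... old-laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5... laptop\n' \
    > "$work/authorized_keys"

set_remote_unlock_hooks "$work/mkinitcpio.conf"
grep '^HOOKS=' "$work/mkinitcpio.conf"
echo "keys kept: $(filter_tinyssh_keys "$work/authorized_keys" "$work/root_key")"
boot_ip_param eth0 dhcp
boot_ip_param eth0 192.168.1.10 255.255.255.0 192.168.1.1
rm -rf "$work"
```

Run it as an ordinary user first to see the rewritten HOOKS line, the key count and the two ip= strings; only then point the functions at /etc/mkinitcpio.conf and /etc/tinyssh/root_key as root, and follow with mkinitcpio -P.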
Locally
All that remains is a small client-side configuration to unlock the server. Add to ~/.ssh/config:
Host unlock
Hostname domain.tld
User root
IdentityFile ~/.ssh/key
Then, while the machine is waiting for the passphrase at startup, just run ssh unlock and type it in!