I self-host a server running Arch Linux that stores various personal data: documents, photos, music, videos… Its disks are fully encrypted, including the main system, so that the data cannot be read if the hardware is stolen, in a burglary for example.
Encrypting the whole system, however, raises a difficulty: a password is needed at every reboot. This means connecting a keyboard and a screen to the server, which is not very practical for a machine that is only meant to be accessed over SSH.
Above all, this server must remain constantly available: after a power failure or a crash, it must be possible to restart it without my being on site.
The solution is simple: when the password prompt appears, start a minimal SSH server so that the password can be entered over the network.
This article is directly inspired by the dm-crypt/Specialties page from the Arch Linux wiki, which shows different ways to do this. It assumes that you already have a fully functioning encrypted system.
We will use:
mkinitcpio-netconf, which brings up the network during the early boot phase,
mkinitcpio-tinyssh and tinyssh-convert, which provide the SSH server in the initramfs (tinyssh-convert converts the host's existing OpenSSH Ed25519 host key to the tinyssh format, so the unlock session presents the same host key as the normal system), and
mkinitcpio-utils, which provides the encryptssh hook that asks for the password over that SSH session:
sudo pacman -Syu mkinitcpio-netconf mkinitcpio-tinyssh tinyssh-convert mkinitcpio-utils
To get network access, the connection information has to be passed to the kernel at boot time with the ip option. My server obtains its address by DHCP on the eth0 interface, so I use:
If the server instead has a static IP, without DHCP, use:
If you need to connect over Wi-Fi, the AUR package mkinitcpio_wifi handles it; see its documentation for the details.
To connect at startup, your public key must be installed on the server. TinySSH only accepts Ed25519 or ECDSA keys; I use the first type, generated with ssh-keygen -t ed25519 -a 100.
This public key must be placed in the /etc/tinyssh/root_key file. To use the same key that you already use to SSH into the server, just copy it:
cp ~/.ssh/authorized_keys /etc/tinyssh/root_key
Launching in the boot sequence
Finally, we edit the /etc/mkinitcpio.conf file: in the line that lists the hooks, the existing encryption hook is replaced by netconf tinyssh encryptssh. Then we regenerate the initramfs to incorporate the changes with sudo mkinitcpio -P.
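Before rebooting, it is worth checking the three things that most often leave the machine stuck at the prompt with no SSH session: a key type tinyssh does not support in /etc/tinyssh/root_key, hooks in the wrong order (or the old encrypt hook still present) in /etc/mkinitcpio.conf, and a missing ip= parameter. The following POSIX sh checks are an added example, not code from the article or the Arch wiki; the paths are the ones used above, and the HOOKS=(...) syntax is assumed to be the standard mkinitcpio one.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the remote-unlock setup described in this
# article (added example, not from the article). Paths default to the ones
# the article uses; pass another path to run the checks on a copy.

# 0 if every key in the root_key file is a type tinyssh accepts (ed25519 or
# ecdsa): tinyssh does not support RSA, so an RSA-only file leaves you
# locked out at the password prompt.
check_root_key() {
  keyfile="${1:-/etc/tinyssh/root_key}"
  [ -s "$keyfile" ] || { echo "missing or empty: $keyfile" >&2; return 1; }
  bad=$(grep -Ev '^[[:space:]]*(#|$)' "$keyfile" |
        grep -Ev '^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) ' || true)
  [ -z "$bad" ] && return 0
  printf 'unsupported key type(s) for tinyssh:\n%s\n' "$bad" >&2
  return 1
}

# 0 if the HOOKS line of mkinitcpio.conf lists netconf, tinyssh and
# encryptssh in that order (tinyssh needs the network netconf brings up)
# and the plain encrypt hook, which encryptssh replaces, is gone.
check_hooks() {
  conf="${1:-/etc/mkinitcpio.conf}"
  hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"][[:space:]]*$/\1/p' "$conf" | tail -n 1)
  [ -n "$hooks" ] || { echo "no HOOKS line in $conf" >&2; return 1; }
  pos=0; p_net=0; p_ssh=0; p_enc=0
  for h in $hooks; do
    pos=$((pos + 1))
    case "$h" in
      netconf)    p_net=$pos ;;
      tinyssh)    p_ssh=$pos ;;
      encryptssh) p_enc=$pos ;;
      encrypt) echo "plain encrypt hook still present; use encryptssh" >&2; return 1 ;;
    esac
  done
  [ "$p_net" -gt 0 ] && [ "$p_ssh" -gt "$p_net" ] && [ "$p_enc" -gt "$p_ssh" ] && return 0
  echo "HOOKS must contain netconf, then tinyssh, then encryptssh" >&2
  return 1
}

# 0 if the kernel command line carries an ip= parameter; without it netconf
# has nothing to configure and the SSH prompt never appears. Pass the options
# line of your bootloader entry: /proc/cmdline only reflects the current boot.
check_cmdline_ip() {
  cmdline="${1:-$(cat /proc/cmdline)}"
  for w in $cmdline; do case "$w" in ip=?*) return 0 ;; esac; done
  echo "no ip= parameter on the kernel command line" >&2
  return 1
}
```

A failed check_hooks means editing the file and running sudo mkinitcpio -P again before the reboot.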
All that remains is to create a simple configuration locally to unlock your server. We add to the local SSH client configuration:
Host unlock
    Hostname domain.tld
    User root
    IdentityFile ~/.ssh/key
Then, when the machine is waiting for the password at startup, you just have to run ssh unlock to be able to type the password!