-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for installation with full disk encryption #21
Conversation
Thank you! |
@overlordtm I was testing this on a dedicated server from Hetzner and it seems like it doesn't work on those — at least not when software RAID is used. My autosetup file looks like this:
And this is how I ran your version of install image:
The install works until step 5/17 and then show this error message:
When checking the debug.txt file, this seems to be the important part for the error:
I didn't look too much into it yet for lack of time, but I believe the problem happens on line 2000 of the functions.sh file, with the crypt_pv variable. |
Indeed it was never tested with root servers because I do not have a server to spare and I am too much of a cheapskate to spend setup free and monthly fee just to test it. I think error is related to RAID, I was testing it with cloud instances (no raid there). If you still have server to install, I can take a look and try to push some fixes. Probably the error originates from functions.sh:2000, where I try to strip |
@jamesponddotco I have created luks-root branch on my repo. The change is how I name LUKS devices, before I stripped Here is the commit If you still have time to test, please report. |
@overlordtm I ran a quick test and it seems to be working as expected 🎉 Might be worth adding a warning saying that ed25519 keys are not supported, though. Nice work, man! Hope @asciiprod merge this soon :) |
@overlordtm One change I would make, mostly to keep everything easier, is to change authorized_keys and add this:
This will show the cryptsetup password prompt directly, instead of the busybox prompt. |
Thank you for your contribution. However, a feature should ideally be usable across all currently supported distros. Plus there are a number of edge cases (e.g. dropbear only works with keys, but not ed25519). Also functions defined in functions.sh must either be working cross-distro or overloaded with distro-specific ones in their corresponding scripts. In the latter case the one in function.sh must throw an error (in case the distro specific script does not implement the function). I should also mention, that we have (or have tried to) implemented this feature internally some time ago. The approach was a bit different in the details, but in general the same. However, we haven't merged it, for the reasons mentioned above. |
@asciiprod Would it be okay for me, as a customer, to keep a fork using the changes that @overlordtm made? We only run Ubuntu in our servers, so this should be okay — and I made a few modifications to his modifications anyway. The LICENSE doesn't seem to mention a specific license, but it does say it can be used and modified freely — doesn't say anything about distributing it, though, and I would prefer to keep it in a public repository. |
Yes, you can do that. We should probably change that to something well-known license. |
Hey @asciiprod, under official images you are thinking of Ubuntu, Debian, CentOS and OpenSUSE? I submitted PR early, hoping someone else notices it and maybe contribute some ideas and feedback (like key type check ...), it is half finished fork :) I had focus only on Ubuntu, as it is also our distribution of choice, but I believe I can make it work on all 4 distros mentioned before, if there is some interest on your side, otherwise we are perfectly happy with Ubuntu only. But would be nice to have FDE as out of box option at Hetzner. BTW, I tested today changes on cloud instance (Ubuntu 18.04), still works :) |
I'll check if we can merge our generic LUKS code. You could then use a post-install script to install and configure dropbear |
@asciiprod Would it be possible for you to make your generic LUKS branch availalbe for the interessted public ? Beside getting feedback there is a chance to start working on a dropbear post-install :) I've a use case and will test lvm+luks+dropbear in combination with Debian 10.x. |
If have just merged our encryption support. No batteries included (initramfs-dropbear or clevis/tang), but these are easily added via post-install script. |
The official way needs to have a sample post-install script included in the |
There needs to be a more polished way to do this in 2021. GDPR and new data protection laws put a lot of pressure on us to encrypt data at rest. @asciiprod Encryption at rest is the norm at other providers such as AWS and Google Cloud. |
It is not yet finished, but opening PR if you have any feedback, because there is not much information in repository on "how to contribute" :)
PR contains changes needed to create server with encrypted root partition i.e. LVM on LUKS
You can specify
lvm+luks
value filesystem inPART
So far tested on Ubuntu 18.04 image on hCloud VM. If FDE_SSH_UNLOCK is set to 1, dropbear SSH server is started at port 54321 after boot and waits for connections. Password login is disabled, by default all SSH keys set for root user are also copied to dropbear.