Cryptsetup Remote key support

.gitignore

@@ -17,3 +17,4 @@ data/
 # local package install resources
 pkg/
 *.pkg.tar.xz
+*.pkg.tar.zst

Makefile

@@ -5,11 +5,13 @@ install:
 	install -vDm 644 src/{initrd-nftables,initrd-util-usb-hcd}.conf -t $(DESTDIR)/etc/mkinitcpio-systemd-tool/config
 	install -vDm 644 src/fstab -t $(DESTDIR)/etc/mkinitcpio-systemd-tool/config
 	install -vDm 644 src/crypttab -t $(DESTDIR)/etc/mkinitcpio-systemd-tool/config
+	install -vDm 644 src/remotekey -t $(DESTDIR)/etc/mkinitcpio-systemd-tool/config
 	install -vDm 644 src/initrd-network.network -t $(DESTDIR)/etc/mkinitcpio-systemd-tool/network/
 	install -vDm 755 src/mkinitcpio-hook.sh $(DESTDIR)$(PREFIX)/lib/initcpio/hooks/systemd-tool
 	install -vDm 755 src/mkinitcpio-install.sh $(DESTDIR)$(PREFIX)/lib/initcpio/install/systemd-tool
 	install -vDm 755 src/initrd-build.sh -t $(DESTDIR)$(PREFIX)/lib/mkinitcpio-systemd-tool
 	install -vDm 755 src/initrd-shell.sh -t $(DESTDIR)$(PREFIX)/lib/mkinitcpio-systemd-tool
+	install -vDm 755 src/initrd-remote-key.sh -t $(DESTDIR)$(PREFIX)/lib/mkinitcpio-systemd-tool
 	install -vDm 644 src/*.{path,service,target} -t $(DESTDIR)$(SYSTEMD_SYSTEM_PATH)/systemd/system
 	install -vDm 644 LICENSE.md -t $(DESTDIR)$(PREFIX)/share/licenses/mkinitcpio-systemd-tool
 	install -vDm 644 README.md -t $(DESTDIR)$(PREFIX)/share/doc/mkinitcpio-systemd-tool

PKGBUILD

@@ -20,7 +20,7 @@ url="https://github.com/random-archer/mkinitcpio-systemd-tool"
 license=('Apache')
 depends=('mkinitcpio' 'systemd')
 optdepends=('cryptsetup: for initrd-cryptsetup.service'
-            'dropbear: for initrd-dropbear.service'
+            'dropbear: for initrd-dropbear.service and initrd-cryptsetup-remote-key.service'
             'busybox: for initrd-tinysshd.service'
             'mc: for initrd-debug-progs.service'
             'nftables: for initrd-nftables.service'
@@ -29,6 +29,7 @@ optdepends=('cryptsetup: for initrd-cryptsetup.service'
 conflicts=('mkinitcpio-dropbear' 'mkinitcpio-tinyssh')
 backup=("etc/${pkgname}/config/crypttab"
         "etc/${pkgname}/config/fstab"
+        "etc/${pkgname}/config/remotekey"
         "etc/${pkgname}/config/initrd-nftables.conf"
         "etc/${pkgname}/config/initrd-util-usb-hcd.conf"
         "etc/${pkgname}/network/initrd-network.network" )

src/initrd-build.sh

@@ -90,6 +90,27 @@ do_tinysshd_keys() {
 
 }
 
+# ensure remote key include required systemd-cryptsetup@%i.service.d/override.conf
+do_remote_key() {
+
+    quiet "include required systemd-cryptsetup@%i.service.d/override.conf"
+
+    local system=/etc/systemd/system
+    local service="initrd-cryptsetup-remote-key.service"
+    local cryptdevice=
+
+    for i in $(find $system -type f -name "override.conf" | egrep "^$system/systemd-cryptsetup@.*\.service\.d"); do
+        if egrep -q "^After=$service" $i; then
+            cryptdevice=$(echo "$i" | sed 's|/etc/systemd/system/systemd-cryptsetup@\(.*\)\.service\.d/override.conf|\1|')
+
+            plain "include remote key dependency for $cryptdevice"
+
+            mkdir -p ${BUILDROOT}$(dirname "$i")
+            cp "$i" "${BUILDROOT}$i"
+        fi
+    done
+}
+
 # location of server host keys used by openssh
 keypath_openssh() {
     local type=$1

src/initrd-cryptsetup-remote-key.service

@@ -0,0 +1,46 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Trying to "scp" a keyfile set in crypttab
+
+# note:
+# to enable remote key dependency for a specific crypted device,
+# provide system unit overrides with these lines uncommented (replace <crypttab mapper name>):
+#
+# shell unit: /etc/systemd/system/systemd-cryptsetup@<crypttab mapper name>.service.d/override.conf
+#
+# [Unit]
+# After=initrd-cryptsetup-remote-key.service
+# Requires=initrd-cryptsetup-remote-key.service
+#
+# note:
+# configure /etc/mkinitcpio-systemd-tool/config/remotekey with host IP, user and keyfile name
+
+[Unit]
+Description=Initrd Cryptsetup Remote Key
+Documentation=https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md
+ConditionPathExists=/etc/initrd-release
+ConditionPathExists=/etc/remotekey
+DefaultDependencies=no
+After=systemd-networkd.service
+After=systemd-resolved.service
+Requires=initrd-network.service
+Requires=systemd-networkd.service
+Requires=systemd-resolved.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/lib/mkinitcpio-systemd-tool/initrd-remote-key.sh
+
+[Install]
+WantedBy=sysinit.target
+
+[X-SystemdTool]
+
+# provision dropbear client
+InitrdBinary=/bin/dbclient
+InitrdPath=/usr/lib/mkinitcpio-systemd-tool/initrd-remote-key.sh mode=700
+InitrdPath=/root/.ssh/id_dropbear
+InitrdPath=/etc/remotekey   source=/etc/mkinitcpio-systemd-tool/config/remotekey   replace=yes
+InitrdBuild=/usr/lib/mkinitcpio-systemd-tool/initrd-build.sh command=do_remote_key
+

src/initrd-remote-key.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/busybox sh
+
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+source /etc/remotekey
+
+for i in $(seq 1 ${REMOTE_KEY_TIMEOUT})
+do
+    if ping -c 1 -W 1 ${REMOTE_KEY_IP} &> /dev/null
+    then
+        dbclient -y ${REMOTE_KEY_USER}@${REMOTE_KEY_IP} "cat ${REMOTE_KEY_FILE}" > /root/${REMOTE_KEY_FILE}
+        chmod 600 /root/${REMOTE_KEY_FILE}
+        exit 0
+    else
+        sleep 1
+    fi
+done
+
+echo "Failed to get ${REMOTE_KEY_FILE}"

src/remotekey

@@ -0,0 +1,13 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Host IP with cryptsetup keys
+REMOTE_KEY_IP=
+
+# SSH user on the host
+REMOTE_KEY_USER=keys
+
+# Name of the key file
+REMOTE_KEY_FILE=cryptroot.key
+
+# Timeout (seconds)
+REMOTE_KEY_TIMEOUT=10