Setup script for DietPi on a Raspberry Pi with a USB Ethernet adapter: it preconfigures the OS so a LUKS volume can be unlocked remotely at boot over SSH (Dropbear running inside the initramfs, with the supplied key restricted to the unlock command).
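#!/bin/bash
# Preconfigure a DietPi / Raspberry Pi install so a LUKS volume can be unlocked
# remotely at boot: Dropbear is enabled inside the initramfs, the USB Ethernet
# adapter's driver is added to it, and the supplied SSH public key is allowed
# to run nothing but /bin/cryptroot-unlock.
#
# Usage: script.sh [-k "<public ssh key>"] [-p <dropbear initramfs port>]
#   -k  public SSH key, one line in OpenSSH format ("ssh-ed25519 AAAA... comment")
#   -p  TCP port the initramfs Dropbear listens on (Dropbear's default otherwise)
#
# Must run as root. Re-running is safe: the cmdline.txt / config.txt edits are
# skipped when already present and DROPBEAR_OPTIONS is replaced, not stacked.
#
# References:
#   https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
#   https://www.kali.org/tutorials/secure-kali-pi-2018/
#
# SECURITY NOTE: the initramfs, including Dropbear's host key, lives on the
# unencrypted /boot partition, so anyone with physical access can copy that key
# and impersonate the pre-boot SSH server to capture the passphrase. Pin the
# initramfs host key in the client's known_hosts (it differs from the booted
# system's OpenSSH host key, so use a separate alias or port) and treat a
# host-key change as a red flag, not a nuisance.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# -s: no password logins, -j/-k: no local/remote port forwarding in the initramfs.
DROPBEAR_OPTIONS='-s -j -k'
AUTH_KEY=''
while getopts ":k:p:" opt; do
  case "$opt" in
    k) AUTH_KEY="$OPTARG" ;;
    p)
      # Only a plain port number may be spliced into the Dropbear command line
      # (10# avoids octal parsing of values such as 08).
      if [[ ! "$OPTARG" =~ ^[0-9]{1,5}$ ]] || (( 10#$OPTARG < 1 || 10#$OPTARG > 65535 )); then
        die "Invalid port: $OPTARG"
      fi
      DROPBEAR_OPTIONS+=" -p $OPTARG"
      ;;
    :) die "Option -$OPTARG requires an argument" ;;
    \?) die "Invalid option -$OPTARG" ;;
  esac
done
shift $((OPTIND - 1))
(( $# == 0 )) || die "Unexpected argument: $1"

[[ "$EUID" -eq 0 ]] || die 'This script must run as root'

# The key is written verbatim after the forced-command restrictions, so it
# must be a single line whose first field is a key type, not a second set of
# options that could widen the restrictions.
if [[ -n "$AUTH_KEY" ]]; then
  [[ "$AUTH_KEY" != *$'\n'* ]] || die 'Public key must be a single line'
  key_re='^[A-Za-z0-9@.-]+ [A-Za-z0-9+/=]+( .*)?$'
  [[ "$AUTH_KEY" =~ $key_re ]] \
    || die 'Public key must be in OpenSSH format ("ssh-ed25519 AAAA... comment")'
fi

INITRAMFS_NAME='initramfs.gz'
NETWORK_DEVICE='eth1'                     # the USB Ethernet adapter
DROPBEAR_DIR='/etc/dropbear-initramfs'    # newer Debian releases may use /etc/dropbear/initramfs
MODULES_FILE='/etc/initramfs-tools/modules'

apt update && apt --assume-yes full-upgrade
#apt install busybox-static
apt --assume-yes install dropbear cryptsetup

echo "Add $NETWORK_DEVICE interface"
cat >"/etc/network/interfaces.d/$NETWORK_DEVICE" <<EOL
allow-hotplug $NETWORK_DEVICE
iface $NETWORK_DEVICE inet dhcp
EOL

echo 'Add USB ethernet adapter into initramfs'
# The driver lookup needs the adapter plugged in now. Fail loudly instead of
# silently producing an initramfs with no network driver.
command -v ethtool >/dev/null || die 'ethtool not found'
driver=$(ethtool -i "$NETWORK_DEVICE" 2>/dev/null | sed -n 's/^driver: //p') || true
[[ -n "$driver" ]] || die "Could not determine the driver of $NETWORK_DEVICE (is the adapter plugged in?)"
if ! grep -qx -- "$driver" "$MODULES_FILE" 2>/dev/null; then
  printf '%s\n' "$driver" >> "$MODULES_FILE"
fi

echo 'Enable BusyBox and Dropbear in Initramf config'
cat >/etc/initramfs-tools/conf.d/my <<EOL
BUSYBOX=y
DROPBEAR=y
#Optionally you can set DEVICE and IP params
#DEVICE=eth0
#IP=:::::eth0:dhcp
#IP=192.168.XX.XX::192.168.YY.YY:255.255.255.0::eth0:off
EOL

echo 'Add needed params into RPI cmdline.txt'
# cmdline.txt is a single line; prepend the parameters only once.
if ! grep -q -- "ip=:::::$NETWORK_DEVICE:dhcp" /boot/cmdline.txt; then
  sed -i "1s/^/net.ifnames=0 ip=:::::$NETWORK_DEVICE:dhcp /" /boot/cmdline.txt
fi

echo 'Add custom initramfs file'
if ! grep -q -- "^initramfs $INITRAMFS_NAME followkernel" /boot/config.txt; then
cat >>/boot/config.txt <<EOL
#Custom initramfs file
initramfs $INITRAMFS_NAME followkernel
EOL
fi

[[ -d "$DROPBEAR_DIR" ]] || die "$DROPBEAR_DIR does not exist; is dropbear-initramfs installed?"

if [[ -z "$AUTH_KEY" ]]; then
  printf '%s\n' "You didn't provide an authorized key! Don't forget to add it to $DROPBEAR_DIR/authorized_keys and recreate the initramfs!" >&2
else
  echo 'Add authorized key'
  # The key may only run the unlock helper: no shell, no forwarding. The file
  # is created with a restrictive umask so it is never world-readable, even
  # briefly.
  (
    umask 077
    printf '%s %s\n' \
      'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"' \
      "$AUTH_KEY" > "$DROPBEAR_DIR/authorized_keys"
  )
  chmod 0600 "$DROPBEAR_DIR/authorized_keys"
fi

echo 'Add dropbear options'
# Replace any earlier DROPBEAR_OPTIONS line so re-runs do not stack them.
if [[ -f "$DROPBEAR_DIR/config" ]]; then
  sed -i '/^DROPBEAR_OPTIONS=/d' "$DROPBEAR_DIR/config"
fi
printf 'DROPBEAR_OPTIONS="%s"\n' "$DROPBEAR_OPTIONS" >> "$DROPBEAR_DIR/config"

echo 'Make initramfs file'
# mkinitramfs builds for the running kernel (uname -r) by default; pass
# -k <version> (see ls /lib/modules) if the Pi boots a different one.
mkinitramfs -o "/boot/$INITRAMFS_NAME"

cat <<EOL
Double check /boot/config.txt it shoud contains initramfs field!
Create LUKS partitions:
$ cryptsetup luksFormat /dev/sda1
$ cryptsetup luksOpen /dev/sda1 name
$ mkfs.ext4 /dev/mapper/name
/etc/crypttab:
name UUID=XXXXX none luks,initramfs
/etc/fstab:
/dev/mapper/name /home ext4 defaults,noatime 0 1
Rebuild initramfs (remember to open LUKS partition first!)
$ mkinitramfs -o /boot/$INITRAMFS_NAME
$ reboot
EOL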