Create encrypted Zpool
zpool create -o ashift=12 storage raidz2 /dev/sda /dev/sdb /dev/sdc zpool set feature@encryption=enabled storage zfs create -o encryption=on -o keyformat=raw -o keylocation=file:///root/storage-data.zfskey storage/data
sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda1 sudo cryptsetup open --type luks /dev/sda1 backup sudo mkfs.ext4 /dev/mapper/backup sudo mount -t ext4 /dev/mapper/backup /mnt/backup sudo umount /mnt/backup
You can unlock your rootfs on bootup from remote, using ssh to log in to the booting system while it's running with the initramfs mounted.
For remote unlocking to work, the following packages have to be installed before building the initramfs:
/etc/initramfs-tools/initramfs.conf holds the configuration options used when building the initramfs. It should contain
BUSYBOX=y (this is set as the default when the busybox package is installed) to have busybox installed into the initramfs, and should not contain DROPBEAR=n, which would disable installation of dropbear to initramfs. If set to DROPBEAR=y, dropbear will be installed in any case; if DROPBEAR isn't set at all, then dropbear will only be installed in case of an existing cryptroot setup.
The process of entering the passphrase at boot time will now be automated using an USB memory stick. Instead of using a passphrase , the secret key on the USB will decrypt the encrypted volumes. Connect an USB stick to the VM and locate it using the
dmesg command. It is detected as
/dev/sdb in my VM.
The secret key of 8192 random byte is extracted from the usb stick using the dd command.
dd if=/dev/sdb of=/root/secret.key bs=512 skip=4 count=16
|# slack (slack.com) global notification options|
|# multiple recipients can be given like this:|
|# "CHANNEL1 CHANNEL2 ..."|
|# enable/disable sending slack notifications|
|# Login to slack.com and create an incoming webhook. You need only one for all|
|# awcli needs to be installed with valid credentials and should be in PATH e.g. /home/USER/.local/bin|
|# ddns-route53 needs to be installed and should be in PATH e.g. /home/USER/.local/bin|
|# Add to crontab|
|*/5 * * * * PATH=$PATH:/home/USER/.local/bin /home/USER/.local/bin/ddns-route53 --zone-id XXXXXXXX --record-set www.example.com >> /home/USER/ddns-route53.log 2>&1|
If you wish to run an alternative SSH agent (e.g. ssh-agent or gpg-agent, you need to disable the ssh component of GNOME Keyring. To do so in an account-local way, copy /etc/xdg/autostart/gnome-keyring-ssh.desktop to ~/.config/autostart and then append the line Hidden=true to the copied file. Then log out.
I hereby claim:
To claim this, I am signing this object: