Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • 17-add-latest-dropbear-with-openssh-host-key-format-support
  • 14-add-dns-name-resolving-to-initrd
  • 13-update-portal-eclips-is-ip-address
4 results
History
Arie Peterson's avatar
Merge branch '17-add-latest-dropbear-with-openssh-host-key-format-support' into 'master'
Arie Peterson authored 
Add latest dropbear 2022.82 binaries to initrd

Closes #17

See merge request !12
3f3970b6
Name Last commit Last update
crypt-initrd-extra-files
cryptops @ f38021d3
.gitignore
.gitmodules
README.md
build.sh
README.md

CryptOps-enabled Initrd

This repository contains files that need to be added or changed in a "vanilla" initrd in order to be able to use the CryptOps toolkit to set up an encrypted VPS. CryptOps is included as a subrepository, to be able to track the changes to the API with the changes of this initrd. Use the build.sh script to copy the CryptOps api and client binaries to the correct location in the initrd before building it.

More information can be found on the documentation website

VPS setup

Some variables need to be passed to the initrd with kernel options. They are retrieved from /proc/cmdline. Here's the official documentation.

  • root=/dev/mapper/xvda1_crypt: The partition that needs to be mounted as root
  • cryptroot=/dev/xvda: The device that needs to be partitioned and encrypted
  • ip=213.108.110.71::213.108.110.126:255.255.255.128:encrypted-system:eth0:off IP information: ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>

Startup Notification

Some extra variables are used in Greenhost's case to be able to use the Cosmos Service Centre API to send a message to the owner of a VPS after it has been restarted. These variables are used in /scripts/local-top/cryptroot-api to make $notification_command.

If you don't run on Greenhost infrastructure, change that variable to something else to notify you of a (re)boot.

If you do not have a notification_command, CryptOps will work fine, but when your VPS reboots, you run the risk of not knowing this and your VPS will stay in the initrd, waiting for you to unlock the disk.

  • api_key=<key>: The Bearer authentication key for using the Cosmos API
  • instance_id=###: The unique identifier of the VPS
  • cosmos_url=https://management.greenhost.nl: The URL to the Cosmos API

A VPS is assumed to have one drive that needs to be encrypted (additional drives can be encrypted manually from the booted operating system). The drive will be partitioned into an encrypted root partition (in this example xvda1_crypt) and a not encrypted data partition. The latter is used to save SSH keys, so the user can log into the SSH shell running in the initrd.

File structure

The folder crypt-initrd-extra-files contains all the files that need to be inserted in the root directory of an initrd to make CryptOps work. Some things stand out:

  • The folder contains some symlinks pointing to a nonexistent directory conf/persistent/ (for example the home_root file). The persistent file system is mounted in this directory by scripts/init-premount/mount_persistent_config