Encryption - big-bunda

1. Prepare the server

sudo apt update
sudo apt install dropbear-initramfs -y

ip a:

...
4: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:1d:48:ef:89:d0 brd ff:ff:ff:ff:ff:ff
    altname enxa01d48ef89d0
    inet 10.100.3.10/16 brd 10.100.255.255 scope global enp4s0f0
       valid_lft forever preferred_lft forever
    inet6 fe80::a21d:48ff:feef:89d0/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
...

nano /etc/initramfs-tools/initramfs.conf:

...
#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#

#DEVICE=
DEVICE=enp4s0f0
IP=10.100.3.10::10.100.0.1:255.255.0.0::enp4s0f0:off
...
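A typo in the IP= line (wrong netmask, wrong interface name, DHCP left on) leaves the machine sitting at the passphrase prompt with no way to reach it, so it is worth checking the value against what the running system reports before rebooting. The script below is an added example written for this page, not part of initramfs-tools or dropbear. The three values at the top are copied from the `ip a` output and initramfs.conf above and stand in for what you would read off your own host. The field order is the one the kernel and klibc ipconfig use: client:server:gateway:netmask:hostname:device:autoconf.

```shell
#!/bin/sh
# Added sanity check for the static IP= line in initramfs.conf.
# Example code for this page, not part of dropbear or initramfs-tools.
# Values copied from the page; replace with your own host's data.
IP_PARAM='10.100.3.10::10.100.0.1:255.255.0.0::enp4s0f0:off'
ADDR_CIDR='10.100.3.10/16'   # "inet ..." line from `ip a`
LIVE_DEV='enp4s0f0'          # interface name from `ip a`

# ip_field PARAM N: N-th colon-separated field of the IP= value
# (1 client, 2 server, 3 gateway, 4 netmask, 5 hostname, 6 device, 7 autoconf)
ip_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# prefix_to_netmask LEN: CIDR prefix length to dotted netmask (16 -> 255.255.0.0)
prefix_to_netmask() {
    ptn_bits=$1; ptn_mask=''; ptn_i=0
    while [ "$ptn_i" -lt 4 ]; do
        if [ "$ptn_bits" -ge 8 ]; then
            ptn_octet=255; ptn_bits=$((ptn_bits - 8))
        else
            ptn_octet=$(( (255 << (8 - ptn_bits)) & 255 )); ptn_bits=0
        fi
        ptn_mask="${ptn_mask}${ptn_mask:+.}${ptn_octet}"
        ptn_i=$((ptn_i + 1))
    done
    printf '%s\n' "$ptn_mask"
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer for subnet arithmetic
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_ip_param PARAM ADDR_CIDR DEV: returns 0 when the IP= line agrees
# with the live address, prefix and interface; 1 otherwise (mismatches printed)
check_ip_param() {
    cip_param=$1; cip_addr=${2%/*}; cip_prefix=${2#*/}; cip_dev=$3; cip_ok=0
    cip_nf=$(( $(printf '%s' "$cip_param" | tr -cd : | wc -c) + 1 ))
    if [ "$cip_nf" -ne 7 ]; then
        echo "expected 7 colon-separated fields, got $cip_nf"; return 1
    fi
    cip_client=$(ip_field "$cip_param" 1)
    cip_gw=$(ip_field "$cip_param" 3)
    cip_mask=$(ip_field "$cip_param" 4)
    cip_ifname=$(ip_field "$cip_param" 6)
    cip_auto=$(ip_field "$cip_param" 7)
    cip_want_mask=$(prefix_to_netmask "$cip_prefix")

    [ "$cip_client" = "$cip_addr" ] ||
        { echo "client IP $cip_client != live address $cip_addr"; cip_ok=1; }
    [ "$cip_mask" = "$cip_want_mask" ] ||
        { echo "netmask $cip_mask != $cip_want_mask (from /$cip_prefix)"; cip_ok=1; }
    [ "$cip_ifname" = "$cip_dev" ] ||
        { echo "device $cip_ifname != live interface $cip_dev"; cip_ok=1; }
    [ "$cip_auto" = off ] || [ "$cip_auto" = none ] ||
        { echo "autoconf is '$cip_auto'; use off so no DHCP is attempted"; cip_ok=1; }
    # The gateway has to be inside the client's own subnet.
    cip_m=$(ip_to_int "$cip_mask")
    [ $(( $(ip_to_int "$cip_client") & $cip_m )) -eq $(( $(ip_to_int "$cip_gw") & $cip_m )) ] ||
        { echo "gateway $cip_gw is not in the client's subnet"; cip_ok=1; }
    return $cip_ok
}

if check_ip_param "$IP_PARAM" "$ADDR_CIDR" "$LIVE_DEV"; then
    echo "IP= line matches the live network configuration"
fi
```

Both /etc/initramfs-tools/initramfs.conf and /etc/dropbear/initramfs/authorized_keys are baked into the initramfs image, so `update-initramfs -u` has to run after editing them before the next boot picks the changes up.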

2. Generate keys on the client

┌──(jj㉿little-snitch)-[~]
└─$ ssh-keygen -t ed25519 -f ~/.ssh/id_initramfs_unlock__big-bunda -C "Key for big-bunda JSc"
Generating public/private ed25519 key pair.
Enter passphrase for "/home/jj/.ssh/id_initramfs_unlock__big-bunda" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/jj/.ssh/id_initramfs_unlock__big-bunda
Your public key has been saved in /home/jj/.ssh/id_initramfs_unlock__big-bunda.pub
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Key for big-bunda JSc

3. Add the client's keys to the server

On the server, run "nano /etc/dropbear/initramfs/authorized_keys" and add the key from the client:

On the client:

┌──(jj㉿little-snitch)-[~]
└─$ cat ~/.ssh/id_initramfs_unlock__big-bunda.pub 
ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Key for big-bunda JSc

On the server, paste the displayed key into /etc/dropbear/initramfs/authorized_keys:

root@big-bunda:/home/jj# cat /etc/dropbear/initramfs/authorized_keys 
ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Key for big-bunda JSc
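The key as entered above gives whoever holds it a full shell in the initramfs. Dropbear understands the OpenSSH-style authorized_keys options no-port-forwarding, no-agent-forwarding, no-X11-forwarding and command=, so the unlock key can be pinned to the one command it is for. The script below is an added example written for this page, not part of dropbear or cryptsetup: it reads an authorized_keys file, reports entries that are not restricted and prints the hardened replacement line. The in-initramfs path /bin/cryptroot-unlock is an assumption, and the key material in the constructed sample file is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example: audit a dropbear authorized_keys file for unlock keys that
# are not restricted. Example code for this page, not part of dropbear.
# Assumption: cryptroot-unlock lives at /bin/cryptroot-unlock in the initramfs.
UNLOCK_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# is_key_line LINE: true for a key entry, false for blank lines and comments
is_key_line() {
    case $1 in
        ''|'#'*) return 1 ;;
        *) return 0 ;;
    esac
}

# has_restrictions LINE: true when the entry is pinned to a command and
# forbids port forwarding (options come before the key type)
has_restrictions() {
    case $1 in
        ssh-*|ecdsa-*|sk-*) return 1 ;;   # key type first: no options at all
    esac
    hr_opts=${1%% ssh-*}; hr_opts=${hr_opts%% ecdsa-*}; hr_opts=${hr_opts%% sk-*}
    case $hr_opts in
        *command=*no-port-forwarding*|*no-port-forwarding*command=*) return 0 ;;
        *) return 1 ;;
    esac
}

# harden_line LINE: prefix the restriction options to an unrestricted entry
harden_line() { printf '%s %s\n' "$UNLOCK_OPTS" "$1"; }

# audit_authorized_keys FILE: print a hardened replacement for every
# unrestricted entry; returns the number of such entries (0 = all restricted)
audit_authorized_keys() {
    aak_bad=0
    while IFS= read -r aak_line || [ -n "$aak_line" ]; do
        is_key_line "$aak_line" || continue
        if has_restrictions "$aak_line"; then continue; fi
        aak_bad=$((aak_bad + 1))
        echo "unrestricted entry (${aak_line%% *} ...), suggested replacement:"
        harden_line "$aak_line"
    done < "$1"
    return $aak_bad
}

# write_sample_keys FILE: constructed sample, key material is a placeholder
write_sample_keys() {
    cat > "$1" <<'EOF'
# unlock keys for big-bunda (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER Key for big-bunda JSc
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 second client
EOF
}

SAMPLE=$(mktemp)
write_sample_keys "$SAMPLE"
audit_authorized_keys "$SAMPLE" && echo "all entries restricted" || echo "unrestricted entries: $?"
rm -f "$SAMPLE"
```

With the command= option in place, `ssh big-bunda-unlock` no longer drops into the BusyBox shell; the connection goes straight to the "Please unlock disk" prompt and closes once the volume is open. Like the key itself, the edited file only takes effect after the initramfs is rebuilt.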

4. Create a shortcut on the client

┌──(jj㉿little-snitch)-[~]
└─$ nano ~/.ssh/config


Host big-bunda-unlock
    HostName 10.100.3.10
    User root
    Port 22
    IdentityFile ~/.ssh/id_initramfs_unlock__big-bunda

┌──(jj㉿little-snitch)-[~]
└─$ ssh big-bunda-unlock
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.


BusyBox v1.35.0 (Debian 1:1.35.0-4+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cryptroot-unlock
Please unlock disk sda3_crypt: 
cryptsetup: sda3_crypt set up successfully
~ # Connection to 10.100.3.10 closed by remote host.
Connection to 10.100.3.10 closed.