stupidpupil / https-keyscript
Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.
License: GNU General Public License v3.0
wget and curl are comparable, but curl has one nice option: --dns-servers, with which you can specify the DNS resolvers. With curl you wouldn't have to configure resolv.conf in initramfs anymore.
The booting mechanism is quite different on systems like the Raspberry Pis. The correct time isn't set yet, so the SSL certificates of remote HTTPS servers will be invalid.
BusyBox v1.30.1 (Raspbian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # /usr/bin/real_wget https://domain.tld
--1970-01-01 00:01:13-- https://domain.tld/
Resolving domain.tld (domain.tld)... 85.195.238.97
Connecting to domain.tld (domain.tld)|85.195.238.97|:443... connected.
ERROR: The certificate of 'domain.tld' is not trusted.
ERROR: The certificate of 'domain.tld' doesn't have a known issuer.
ERROR: The certificate of 'domain.tld' is not yet activated.
The certificate has not yet been activated
A simple workaround is to add --no-check-certificate to the wget command in wget_or_ask. A more sophisticated workaround would be setting the correct time in initramfs.
Using Ubuntu Server 16.04 LTS I got stuck at point 4: every time I enter the command line "busybox sh..." I get the error "sh: bad number". Is there something wrong with the regex expression inside the script?
root@ubuntu:~# busybox sh /lib/cryptsetup/scripts/wget_or_ask "mypassword:http://www.my-domain.at/encrypted_keyfile" > unencrypted_keyfile
sh: bad number
Getting passphrase remotely failed for . Enter passphrase: **
Adding parameter -x to sh results in:
root@ubuntu:~# busybox sh -x /lib/cryptsetup/scripts/wget_or_ask "mypassword:http://www.my-domain.at/encrypted_keyfile" > unencrypted_keyfile
+ use_keyring=1
+ use_https=1
+ [ -z ]
+ CRYPTTAB_KEY=mypassword:http://www.my-domain.at/encrypted_keyfile
+ sedRegex=^\(.\+\):\(https:\/\/.\+\)$
+ echo mypassword:http://www.my-domain.at/encrypted_keyfile
+ sed -n -e s/^\(.\+\):\(https:\/\/.\+\)$/\1/p
+ openssl_passphrase=
+ echo mypassword:http://www.my-domain.at/encrypted_keyfile
+ sed -n -e s/^\(.\+\):\(https:\/\/.\+\)$/\2/p
+ url=
+ keyctl_id=crypttab:mypassword:http://www.my-domain.at/encrypted_keyfile
+ [ -gt 0 ]
sh: bad number
+ [ ! -x /bin/keyctl ]
+ [ -z ]
+ use_https=0
+ use_plymouth=0
+ [ -x /bin/plymouth ]
+ plymouth --ping
+ keyctl_try_fetch
+ [ 1 -eq 0 ]
+ keyctl search @u user crypttab:mypassword:http://www.my-domain.at/encrypted_keyfile
+ kSerial=keyctl_search: Required key not available
+ exitCode=1
+ [ 1 -eq 0 ]
+ [ 1 -ne 1 ]
+ https_try_fetch
+ [ 0 -eq 0 ]
+ return 0
+ askpass Getting passphrase remotely failed for . Enter passphrase:
+ [ ! -z ]
+ [ 0 -eq 1 ]
+ /lib/cryptsetup/askpass Getting passphrase remotely failed for . Enter passphrase: Getting passphrase remotely failed for . Enter passphrase: **
root@ubuntu:~#
eth0 as the relevant networking interface (which it won't be on any Ubuntu system at least)
Looks as though BusyBox is clobbering /usr/bin/wget under Buster.
Sorry for some questions about the script, I don't have much experience with code on GitHub.
First of all, I'm not sure about the changes in the crypttab file. Before installing the script this file looked like this:
# old version without https-keyscript
sda6_crypt UUID=5ed84861-73f9-4e2a-bf56-359c2142e717 none luks,discard
How to implement step 5? Is it something like this?
# new WITH https-keyscript
sda6_crypt UUID=5ed84861-73f9-4e2a-bf56-359c2142e717 none luks,discard,keyscript=wget_or_ask,initramfs somepassphrase:https://example.org/encrypted_keyfile
Is there something missing before "somepassphrase:...", e.g. a field name like "key file" or something?
Further, I have a question about the fallback to asking for a pw if the keyfile is not found. Is the pw "somepassphrase" meant, or another pw from another LUKS keyslot? Must "somepassphrase" be changed to the pw I would like to use, or is it a field or option name?
I don't use the keyscript on a server but on my home desktop computer, which is connected to the internet by Wi-Fi. Is there already a Wi-Fi connection at boot so the script can query over HTTPS?
Thanks for helping a beginner :)
Current script returns:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
Why not use the openssl defaults? Ending up with:
decrypted_keyfile=$(echo "$encrypted_keyfile" | openssl enc -base64 -d -salt -k "$openssl_passphrase")
sh expects $CRYPTTAB_TRIED (in: if [ "$CRYPTTAB_TRIED" -gt 0 ]; then) to be set, so the following fails:
busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
The following works (but without going through busybox):
CRYPTTAB_TRIED=0 /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile
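Both the "sh: bad number" trace further up and the CRYPTTAB_TRIED report here come from the same two lines of wget_or_ask: the sed regex only accepts https:// URLs, and CRYPTTAB_TRIED is only set by the cryptsetup initramfs hook. The following is an added example, not code from the https-keyscript project, that reimplements the key-field parse and the retry check with both cases handled; the function names key_url, key_passphrase, tried_before and choose_source are my own.

```sh
#!/bin/sh
# Added example, not the project's own code. It mirrors how wget_or_ask splits the
# crypttab key field "<passphrase>:<https URL>" and shows why the two traces above
# fail: the regex only matches https:// (an http:// URL leaves url and passphrase
# empty), and CRYPTTAB_TRIED is unset outside the initramfs hook, so the bare
# "[ -gt 0 ]" test aborts with "sh: bad number". The regex uses POSIX "..*"
# instead of the GNU "\+" seen in the trace; the matching behaviour is the same.

key_regex='^\(..*\):\(https:\/\/..*\)$'

# Print the URL part of a key field, or fail (status 1) when it does not match.
key_url() {
    printf '%s\n' "$1" | sed -n -e "s/$key_regex/\2/p" | grep .
}

# Print the passphrase part of a key field, or fail when it does not match.
key_passphrase() {
    printf '%s\n' "$1" | sed -n -e "s/$key_regex/\1/p" | grep .
}

# Return 0 when an earlier attempt already failed. cryptsetup exports
# CRYPTTAB_TRIED in the initramfs; when the script is run by hand it is unset,
# so treat unset or non-numeric values as 0 instead of letting "[ -gt 0 ]" abort.
tried_before() {
    tried=${CRYPTTAB_TRIED:-0}
    case $tried in
        *[!0-9]*) tried=0 ;;
    esac
    [ "$tried" -gt 0 ]
}

# Decide the fetch source for a key field: print "https <url>" when the field is
# usable, otherwise print "ask" so the caller falls back to askpass instead of
# trying to download from an empty URL.
choose_source() {
    url=$(key_url "$1") || { echo ask; return 0; }
    key_passphrase "$1" >/dev/null || { echo ask; return 0; }
    echo "https $url"
}

# Stand-alone use: ./parse_key.sh 'somepassphrase:https://example.org/encrypted_keyfile'
if [ $# -gt 0 ]; then
    choose_source "$1"
fi
```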