dyindude
commented
6 years ago - at a bare minimum, key from thumb drive
- multiple key locations
- passphrase as backup? will have to think about this
Closed dyindude closed 4 years ago
dyindude
commented
6 years ago dyindude
commented
6 years ago now that I have real hardware running this, this is a real-er issue for me. have a few thoughts on how I want to approach this, probably use multiple variants in tandem
dyindude
commented
6 years ago https://github.com/gasparch/ubuntu-luks-autounlock has some examples we could pull from
dyindude
commented
6 years ago https://askubuntu.com/questions/101801/set-up-eth0-network-interface-using-dhcp-in-initramfs example of bringing up networking in initrd
dyindude
commented
6 years ago https://help.ubuntu.com/community/DisklessUbuntuHowto example here on how the ip= parameter could be configured for a static ip
dyindude
commented
6 years ago dyindude
commented
6 years ago https://unix.stackexchange.com/questions/92853/adding-a-file-to-etc-of-initramfs-in-debian-wheezy
http://manpages.ubuntu.com/manpages/xenial/man8/initramfs-tools.8.html copy-exec for adding binaries (e.g. arp) to initramfs
dyindude
commented
6 years ago https://askubuntu.com/questions/59487/how-to-configure-lvm-luks-to-autodecrypt-partition some okay examples here
dyindude
commented
6 years ago dyindude
commented
4 years ago https://askubuntu.com/questions/906870/luks-keyscript-being-ignored-asks-for-password seems it may be more straightforward nowadays
dyindude
commented
4 years ago another place I would be interested to retrieve a key from is hashicorp vault. The current plan is to stabilize building a vagrant box, then build a project that uses the box as a base for testing different key source implementations (probably starting with an "insecure" script like shown in the last comment's url)
dyindude
commented
4 years ago as far as PXE booting goes - I've been wayyy overcomplicating things. The devices that I want to PXE boot, it should be fine to use MBR/legacy boot - as no GPT device will be used as the boot device. I'll chase this down with some examples in vagrant/virtualbox to get a simple, MBR-capable pxe setup, then test it with the M700 on our unifi network when it comes in next week
dyindude
commented
4 years ago initial test of pxe with undionly.kpxe is successful. 32bit for this is probably fine, but I might look into a 64bit build may also still test chainloading efi via the same method (snp.efi/snponly.efi via tftp) since every device should support this - but one of the cons of efi is that I can't test the boot cycle in vbox (may still be able to in qemu, see https://boot.alpinelinux.org/) some examples here: https://wiki.fogproject.org/wiki/index.php/IPXE
dyindude
commented
4 years ago the 32-luks branch has some work we did last year on this, so don't forget to reference that nevermind, I remember going down this road and I think some of the other links I've found more recently provide a more straightforward method
dyindude
commented
4 years ago insecure boot method has been tested https://askubuntu.com/questions/101801/set-up-eth0-network-interface-using-dhcp-in-initramfs looks like a good place to start for network-aware booting
dyindude
commented
4 years ago have a working example (have to copy some files from rootfs, since it relies on arp, ping, and head) in a vagrant box that I will commit soon
dyindude
commented
4 years ago two examples implemented in 2fa342e3ea44528e336ace1fd1c6bcbbe282ecf0