r-pufky / wireguard-initramfs

Use dropbear over wireguard.
The Unlicense

Key storage question #1

Closed mrbluecoat closed 2 years ago

mrbluecoat commented 2 years ago

Hi, this looks really promising - great job! Quick question: your instructions say

without storing key material or exposing ports on the remote network

but later says a prerequisite is

Wireguard installed, configured and in a "known working" state.

Wouldn't this require local keys and opening ports on the machine?

r-pufky commented 2 years ago

I should be more specific in those instructions, as I've gotten a few questions about it (there is a keypair for wireguard on boot, one for dropbear (SSH), one for your encrypted root FS, and ideally a separate keypair for wireguard when the system is running).

without storing key material or exposing ports on the remote network

This is specifically referring to remotely storing encrypted root FS key material used to unlock the drive. Typical solutions are to use a physical USB drive, a set of bits on a hidden partition somewhere, or trust another person. Accessing this remotely removes the need to store this material remotely.

I covered the ports portion below.

Wireguard installed, configured and in a "known working" state.

This comment is to help prevent people from shooting themselves in the foot and to ensure the underlying systems being used are working appropriately before attempting boot configurations; essentially, the person setting it up should know all the other systems are working before dealing with boot setup.

Wouldn't this require local keys and opening ports on the machine?

This is explained a bit in the config file as well as in the setup documentation; but I'll run over it here as well.

Local keys:

  1. Most /boot FS are unencrypted, so any material on initramfs should be considered untrusted; hence wireguard on boot (including dropbear ssh keys, and potentially clevis pins) would be classified as such.
  2. Wireguard should use a unique keypair for the boot configuration as it is untrusted and put on a separate point-to-point network with the wireguard endpoint (with appropriate firewalling).
  3. When the machine is running, if wireguard is being used post-boot, it should be using different keys on a different wireguard network.

Opening ports: This does not mean that the remote machine (the machine booting with wireguard-initramfs) will not have a connection open to contact the wireguard endpoint (it will be a random outbound connection over UDP to the wireguard endpoint).

It means that in situations where the remote machine is behind NAT or otherwise unreachable with inbound connections, it will not matter anymore -- the wireguard tunnel will be brought up and you can access the machine remotely during boot. The wireguard endpoint just needs to be reachable from the remote machine -- in a majority of cases, this means the remote machine is connected to a network with Internet access.

Hope that helps!
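As an added illustration of the separation described in the comment above (this is example configuration, not code from wireguard-initramfs or from either commenter), the endpoint-side wg-quick configuration below gives the boot-time tunnel its own keypair and its own point-to-point /31, and uses nftables so that a boot-time key lifted from an unencrypted /boot can reach nothing on the endpoint or beyond it. The interface name, addresses, ports, table name and the key placeholders are all assumptions; the runtime VPN (wg0, a different keypair and subnet) is only sketched.

```ini
# /etc/wireguard/wg-boot.conf on the WireGuard endpoint, i.e. the always-on
# host that the booting machine dials out to. Added example; every value here
# is constructed and the <...> placeholders must be replaced with real keys.

[Interface]
# Keypair used ONLY for the boot-time tunnel. The matching private key lives
# in the booting host's initramfs, so treat this whole interface as exposed.
PrivateKey = <endpoint-boot-private-key>
ListenPort = 51821
# Point-to-point network holding nothing but the endpoint (.0) and the
# booting host (.1): no other peers, no overlap with the runtime VPN.
Address = 10.255.0.0/31

# Confine the boot tunnel with nftables (%i is expanded by wg-quick to the
# interface name). Traffic the endpoint itself initiates, e.g. the admin's
# "ssh -p 2222 root@10.255.0.1" to dropbear, still works because its replies
# match the established/related rule; everything the peer initiates is dropped.
PostUp = nft add table inet wgboot
PostUp = nft 'add chain inet wgboot input { type filter hook input priority 0; policy accept; }'
PostUp = nft add rule inet wgboot input iifname %i ct state established,related accept
PostUp = nft add rule inet wgboot input iifname %i drop
PostUp = nft 'add chain inet wgboot forward { type filter hook forward priority 0; policy accept; }'
PostUp = nft add rule inet wgboot forward iifname %i drop
PostDown = nft delete table inet wgboot

[Peer]
# Public half of the keypair stored in the booting host's initramfs.
PublicKey = <booting-host-boot-public-key>
# Only the single /31 address is accepted from this peer; it cannot claim
# any other source address on the endpoint.
AllowedIPs = 10.255.0.1/32
# No Endpoint line: the booting host is assumed to be behind NAT and always
# initiates the UDP connection outbound, as the comment above describes.

# /etc/wireguard/wg0.conf on the same endpoint (sketch): the runtime VPN uses
# a different keypair, a different port and a disjoint subnet, so a key
# recovered from the initramfs is useless against it.
#
# [Interface]
# PrivateKey = <endpoint-runtime-private-key>
# ListenPort = 51820
# Address = 10.10.0.1/24
#
# [Peer]
# PublicKey = <booting-host-runtime-public-key>
# AllowedIPs = 10.10.0.2/32
```

Bring the boot-time interface up with `wg-quick up wg-boot`; `nft list table inet wgboot` shows the two drop rules in place. The firewall is intentionally placed on the endpoint rather than on the booting host, because the booting host's side of the configuration sits in the untrusted /boot and cannot be relied on to enforce anything.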

mrbluecoat commented 2 years ago

Great clarification, thanks