Hi,
Following the wiki (Dm-crypt/Specialties#Remote_unlocking_of_the_root_(or_other)_partition), I tried to set up remote unlocking of my encrypted root partition through ssh.
However, I have no ping and cannot ssh to the host (from the same network where I can ssh without any issue when the system is unlocked and running) when it is booting and asking for my passphrase to unlock the root partition.
I have a system with an unencrypted UEFI boot partition, I use systemd-boot as the boot loader and I am using a systemd-based initramfs (built with mkinitcpio), so I followed the specific instructions (wiki) based on the mkinitcpio-systemd-extras AUR package and TinySSH.
Note: here is mkinitcpio-systemd-extras documentation, especially regarding networking and TinySSH server configurations.
Here are the steps that I followed:
1. Install mkinitcpio-systemd-extras AUR package and tinyssh:
yay -S mkinitcpio-systemd-extras tinyssh
2. Edit /etc/mkinitcpio.conf to add sd-network and sd-tinyssh to HOOKS list and to add the tinyssh config (it is also possible to change tinyssh server port with SD_TINYSSH_PORT=XX):
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-network sd-tinyssh sd-encrypt lvm2 filesystems fsck)
SD_TINYSSH_COMMAND="systemd-tty-ask-password-agent --query --watch"
3. Since I use NetworkManager and not systemd-networkd for the network configuration on my system (hence /etc/systemd/network is empty on my system), I created a specific /etc/systemd/network-initramfs directory with the following default.network file (I use MAC address identification to avoid the issue with unpredictable network interface names during the initramfs phase):
[Match]
MACAddress=YY:YY:YY:YY:YY:YY
[Network]
DHCP=yes
4. Configure sd-network to use /etc/systemd/network-initramfs config directory by adding the following line to /etc/mkinitcpio.conf:
SD_NETWORK_CONFIG=/etc/systemd/network-initramfs
5. Create /root/.ssh/authorized_keys with my ed25519 client ssh key, which is copied by sd-tinyssh when recreating the initramfs image.
6. Run mkinitcpio -P to recreate the initramfs image.
7. Reboot and... nothing on the network (no ping, no ssh).
How can I debug this?
Per journalctl -xb, the networking and TinySSH server are started during boot phase before asking for the LUKS passphrase.
The boot log (up until I manually unlock the root partition directly on the system) is available here.
I tried to run a rescue shell by adding systemd.unit=rescue.target to the boot loader entry, but the shell opens after I unlock my encrypted partition and not before (maybe I did something wrong).
Note: according to the boot log, the network interface corresponding to the MAC address YY:YY:YY:YY:YY:YY that I set up in the network configuration is found (search for eth1), and I checked several times that the MAC address in the configuration file is correct.
Thanks in advance
Last edited by gd.dev (2024-09-03 09:36:05)
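A pre-flight checker for the setup above, written as an added example for this thread (it is not the poster's script and not part of mkinitcpio-systemd-extras). It reads the files the post describes, /etc/mkinitcpio.conf and the .network file under SD_NETWORK_CONFIG, and reports whether the HOOKS ordering matches the post (sd-network and sd-tinyssh before sd-encrypt), whether the MACAddress= in [Match] belongs to an interface present in /sys/class/net, whether DHCP is requested, and, on a live host, whether systemd-networkd is enabled (the fix the reply below recommends). The MAC addresses and the directory tree it builds for the demo are constructed sample values, not the poster's.

```sh
#!/bin/sh
# Pre-flight checks for a sd-network + sd-tinyssh initramfs (added example,
# not from the thread or from mkinitcpio-systemd-extras). Every function
# takes a path prefix so it can run against a constructed tree as well.

# Print the MACAddress= value from the [Match] section of a .network file.
network_file_mac() {
    awk '/^\[/ { section = $0 }
         section == "[Match]" && /^MACAddress=/ { sub(/^MACAddress=/, ""); print; exit }' "$1"
}

# Return 0 if the [Network] section requests DHCP; without an address the
# initramfs network cannot answer pings or ssh.
network_file_has_dhcp() {
    awk '/^\[/ { section = $0 }
         section == "[Network]" && /^DHCP=(yes|ipv4|ipv6|true)$/ { found = 1 }
         END { exit !found }' "$1"
}

# Return 0 if MAC $1 (case-insensitive) equals the content of one of the
# address files $2.. (on a live host: /sys/class/net/*/address).
mac_is_local() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f'); shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        [ "$(tr 'A-F' 'a-f' < "$f")" = "$want" ] && return 0
    done
    return 1
}

# Return 0 if HOOKS=(...) lists sd-network and sd-tinyssh before sd-encrypt,
# the ordering used in the post.
hooks_order_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1")
    net=0; ssh=0; enc=0; pos=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            sd-network) net=$pos ;;
            sd-tinyssh) ssh=$pos ;;
            sd-encrypt) enc=$pos ;;
        esac
    done
    [ "$net" -gt 0 ] && [ "$ssh" -gt 0 ] && [ "$enc" -gt 0 ] \
        && [ "$net" -lt "$enc" ] && [ "$ssh" -lt "$enc" ]
}

# Print the SD_NETWORK_CONFIG= value (empty if unset).
sd_network_config_dir() { sed -n 's/^SD_NETWORK_CONFIG=//p' "$1" | tr -d '"'; }

# Run all checks below prefix $1 ("" for the live host); print one line per
# check and return the number of failures.
run_checks() {
    root=${1:-}; conf="$root/etc/mkinitcpio.conf"; fails=0
    if hooks_order_ok "$conf"; then echo "ok   HOOKS: sd-network and sd-tinyssh precede sd-encrypt"
    else echo "FAIL HOOKS: network hooks missing or listed after sd-encrypt"; fails=$((fails + 1)); fi
    cfgdir=$(sd_network_config_dir "$conf"); netdir="$root${cfgdir:-/etc/systemd/network}"
    found=0
    for nf in "$netdir"/*.network; do
        [ -r "$nf" ] || continue
        found=1; mac=$(network_file_mac "$nf")
        if [ -n "$mac" ] && mac_is_local "$mac" "$root"/sys/class/net/*/address; then
            echo "ok   $nf: MACAddress=$mac matches a local interface"
        else echo "FAIL $nf: MACAddress '$mac' matches no local interface"; fails=$((fails + 1)); fi
        if network_file_has_dhcp "$nf"; then echo "ok   $nf: DHCP requested"
        else echo "FAIL $nf: no DHCP= in [Network]"; fails=$((fails + 1)); fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL no .network file in $netdir"; fails=$((fails + 1)); }
    # Only meaningful on the live host: the fix reported in this thread was
    # enabling systemd-networkd instead of relying on NetworkManager.
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1; then
        if systemctl is-enabled systemd-networkd >/dev/null 2>&1; then echo "ok   systemd-networkd enabled"
        else echo "FAIL systemd-networkd is not enabled"; fails=$((fails + 1)); fi
    fi
    return "$fails"
}

# Build a constructed tree mirroring the post's files (sample MACs, not the
# poster's) and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/network-initramfs" "$d/sys/class/net/eth1" "$d/sys/class/net/wlan0"
    printf '%s\n' 'HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-network sd-tinyssh sd-encrypt lvm2 filesystems fsck)' \
        'SD_TINYSSH_COMMAND="systemd-tty-ask-password-agent --query --watch"' \
        'SD_NETWORK_CONFIG=/etc/systemd/network-initramfs' > "$d/etc/mkinitcpio.conf"
    printf '%s\n' '[Match]' 'MACAddress=02:00:00:AA:BB:CC' '[Network]' 'DHCP=yes' \
        > "$d/etc/systemd/network-initramfs/default.network"
    echo 02:00:00:aa:bb:cc > "$d/sys/class/net/eth1/address"
    echo 02:00:00:dd:ee:ff > "$d/sys/class/net/wlan0/address"
    printf '%s\n' "$d"
}

# Demo against the constructed tree; on the real host call: run_checks ""
if [ "${RUN_CHECKS_DEMO:-1}" = 1 ]; then
    demo_root=$(make_sample_tree); run_checks "$demo_root" || true; rm -rf "$demo_root"
fi
```

Source the file and call `run_checks ""` on the host before running `mkinitcpio -P`; a FAIL on the MAC line is the symptom the post describes (interface found in the log but never configured), and a FAIL on systemd-networkd is what the reply below points at.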
Your boot log shows the MAC is applied, but no DHCP request. You should disable NetworkManager and enable systemd-networkd to configure (enable) the services until the network completely starts the connections. Since your configuration of the AUR package copies the network services to the initramfs, I assume that's simple to see when fully booted. After you see systemd-networkd requesting and completing DHCP, regenerate the initramfs and try again.
The rescue.target is aimed at reaching the single-user runlevel; it needs the unlocked root but not the network. There are special rd units like rd.rescue.target, but the post-boot log itself should show enough along with ping.
So I disabled NetworkManager, enabled systemd-networkd and systemd-resolved on my system (using the configuration file I posted above), then I rebuilt the initramfs and it now works! I can remotely unlock my system.
Thank you very much!