@Smenus
Last active December 22, 2015 06:09

Revisions

  1. Smenus revised this gist Sep 3, 2013. 1 changed file with 56 additions and 56 deletions.
    112 changes: 56 additions & 56 deletions gistfile1.md
    @@ -11,59 +11,59 @@ _Source for this part of the guide was [here](https://wiki.debian.org/DebianInst

    1. Get Debian installer source and dependencies.

    apt-get install dpkg-dev
    apt-get source debian-installer
    apt-get build-dep debian-installer
    apt-get install dpkg-dev
    apt-get source debian-installer
    apt-get build-dep debian-installer

    2. Enable `network-console` by adding the following to the top of `build/pkg-lists/netboot/<arch>.cfg`. Replace `<arch>` with your architecture. In my case this was amd64.

    #include "network-console"
    #include "network-console"

    3. Create a `preseed.cfg` file for the installer (I created it in `~`). This defaults values that would otherwise be asked for, which you won't be able to answer as they all come before (or are) the network setup. The following are the values I used, at the very least you need to set the locale and keymap, and setup the network and `network-console`. The `pkg-sel` line is for `dropbear`, which we need later.

    d-i debian-installer/locale string en_US
    d-i keymap select us
    d-i keyboard-configuration/xkb-keymap select us
    d-i keyboard-configuration/variant select American English
    d-i debconf/priority select critical
    d-i auto-install/enabled boolean true
    d-i netcfg/choose_interface select eth0
    d-i netcfg/disable_dhcp boolean true
    d-i netcfg/get_nameservers string <name server>
    d-i netcfg/get_ipaddress string <IP address>
    d-i netcfg/get_netmask string <netmask>
    d-i netcfg/get_gateway string <gateway>
    d-i netcfg/confirm_static boolean true
    d-i netcfg/get_hostname string <host>
    d-i netcfg/get_domain string <domain.tld>
    d-i network-console/password password <password>
    d-i network-console/password-again password <password>
    d-i pkgsel/include string busybox dropbear
    d-i debian-installer/locale string en_US
    d-i keymap select us
    d-i keyboard-configuration/xkb-keymap select us
    d-i keyboard-configuration/variant select American English
    d-i debconf/priority select critical
    d-i auto-install/enabled boolean true
    d-i netcfg/choose_interface select eth0
    d-i netcfg/disable_dhcp boolean true
    d-i netcfg/get_nameservers string <name server>
    d-i netcfg/get_ipaddress string <IP address>
    d-i netcfg/get_netmask string <netmask>
    d-i netcfg/get_gateway string <gateway>
    d-i netcfg/confirm_static boolean true
    d-i netcfg/get_hostname string <host>
    d-i netcfg/get_domain string <domain.tld>
    d-i network-console/password password <password>
    d-i network-console/password-again password <password>
    d-i pkgsel/include string busybox dropbear

    4. Create `build/config/local` with the following. Obviously change the `preseed.cfg` path if you didn't save it in `~`, and change stable if you want to use testing or a specific code name.

    PRESEED=~/preseed.cfg
    USE_UDEBS_FROM=stable
    PRESEED=~/preseed.cfg
    USE_UDEBS_FROM=stable

    5. Change into the `build` directory and build the netboot image.

    fakeroot make rebuild_netboot
    fakeroot make rebuild_netboot

    6. Copy the `initrd.gz` and `linux` in `build/dest/netboot/debian-installer/<arch>/` to `/boot/` as `debian-installer-rd.gz` and `debian-installer` respectively.

    7. Update your bootloader to point to these new files. As I couldn't change which entry was chosen at boot, I just edited the first entry in `/boot/grub/grub.cfg`, but YMMV. Below is what I changed my grub lines to.

    menuentry 'Debian Installer' --class debian --class gnu-linux --class gnu --class os {
    load_video
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='(hd0,msdos1)'
    echo 'Loading Installer ...'
    linux /boot/debian-installer rw ramdisk_size=24000 root=/dev/rd/0
    echo 'Loading Installer Ramdisk ...'
    initrd /boot/debian-installer-rd.gz
    }
    menuentry 'Debian Installer' --class debian --class gnu-linux --class gnu --class os {
    load_video
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='(hd0,msdos1)'
    echo 'Loading Installer ...'
    linux /boot/debian-installer rw ramdisk_size=24000 root=/dev/rd/0
    echo 'Loading Installer Ramdisk ...'
    initrd /boot/debian-installer-rd.gz
    }

    8. Reboot and cross your fingers! After a while, you should be able to ping the machine again, and can log in with `ssh installer@<ip address>`. The password is as chosen earlier in the `preseed.cfg`.
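
    Review bot: step 8 trusts whatever SSH host key answers at `<ip address>`: the installer's `network-console` host key is generated when the netboot image starts, and nothing in this hunk records or checks it before the password is typed, so the first connection is on faith and the step should say so. Related: `<password>` sits in clear text in `preseed.cfg` and is built into `initrd.gz` via `PRESEED=~/preseed.cfg`, so both that file and the copied `/boot/debian-installer-rd.gz` should stay root-readable only, and the password should not be reused for the installed system. Minor: the step 3 text says `pkg-sel` but the key on the line is `pkgsel/include`.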

    @@ -83,46 +83,46 @@ _Source for this part of the guide, as well as the unlocking script is [here](ht

    2. Mount special devices to the new system and chroot to it so that you can update the ramdisk later.

    cd /target
    mount -t proc proc proc/
    mount -t sysfs sys sys/
    mount -o bind /dev dev/
    chroot . /bin/bash
    cd /target
    mount -t proc proc proc/
    mount -t sysfs sys sys/
    mount -o bind /dev dev/
    chroot . /bin/bash

    3. Get the generated SSH keys for `dropbear`. I couldn't get SCP to work at this point, so had to use `cat`. Paste the results of cat into a local file, such as `~/.ssh/id_rsa-unlock` and `~/.ssh/id_rsa-unlock.pub`.

    cat /etc/initramfs-tools/root/.ssh/id_rsa
    cat /etc/initramfs-toold/root/.ssh/id_rsa.pub
    cat /etc/initramfs-tools/root/.ssh/id_rsa
    cat /etc/initramfs-toold/root/.ssh/id_rsa.pub

    4. Add your ethernet drivers to `/etc/initramfs-tools/modules`. Don't be shy here, if you're not sure which ethernet drivers from `lsmod` are the right ones, put them all in! I don't know of any downsides to that strategy, and if you don't get the actual driver in there, you won't be able to unlock your rootfs! I think the top one was what I needed, but the others were loaded too.

    8139too
    e1000e
    e100
    e1000
    r8169
    8139too
    e1000e
    e100
    e1000
    r8169

    5. Edit `/etc/initramfs-tools/initramfs.conf`.

    DEVICE=eth0
    IP=<ip address>::<gateway>:<netmask>:<hostname>:eth0:off
    DROPBEAR=y
    DEVICE=eth0
    IP=<ip address>::<gateway>:<netmask>:<hostname>:eth0:off
    DROPBEAR=y

    6. Download unlocking script and `chmod` it.

    cd /etc/initramfs-tools/hooks
    wget http://projectgus.com/files/headless_cryptroot/mount_cryptroot
    chmod +x mount_cryptroot
    cd /etc/initramfs-tools/hooks
    wget http://projectgus.com/files/headless_cryptroot/mount_cryptroot
    chmod +x mount_cryptroot

    7. Rebuild the ramdisk.

    update-initramfs -u -t
    update-initramfs -u -t

    8. Exit the `chroot`, then the shell, and finish installation.

    9. Keep your fingers, toes and everything else crossed. Eventually you should be able to ping the server again, and login with SSH.

    ssh -i ~/.ssh/id_rsa-unlock root@<ip address>
    ssh -i ~/.ssh/id_rsa-unlock root@<ip address>

    It might be a good idea to add this to your SSH config (`~/.ssh/config`):
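
    Review bot: the second `cat` in step 3 reads `/etc/initramfs-toold/root/.ssh/id_rsa.pub` in both the old and the new copy of the line; the directory is `/etc/initramfs-tools`, as on the line above it, so this command fails as written. Two further points for the text: the `id_rsa` pasted into `~/.ssh/id_rsa-unlock` is the private key that gets a root shell in the initramfs, the stage that takes the disk passphrase, so it must be saved with mode 0600 (OpenSSH ignores group- or world-readable key files) and guarded accordingly; and step 6 fetches `mount_cryptroot`, which runs as root in the initramfs on every boot, over plain HTTP with no checksum or signature check, so the downloaded copy should at least be read through before `update-initramfs -u -t` bakes it in.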

  2. Smenus revised this gist Sep 3, 2013. 1 changed file with 15 additions and 1 deletion.
    16 changes: 15 additions & 1 deletion gistfile1.md
    @@ -10,14 +10,17 @@ _These instructions need an existing Debian install, although Ubuntu might work
    _Source for this part of the guide was [here](https://wiki.debian.org/DebianInstaller/Remote)_

    1. Get Debian installer source and dependencies.

    apt-get install dpkg-dev
    apt-get source debian-installer
    apt-get build-dep debian-installer

    2. Enable `network-console` by adding the following to the top of `build/pkg-lists/netboot/<arch>.cfg`. Replace `<arch>` with your architecture. In my case this was amd64.

    #include "network-console"

    3. Create a `preseed.cfg` file for the installer (I created it in `~`). This defaults values that would otherwise be asked for, which you won't be able to answer as they all come before (or are) the network setup. The following are the values I used, at the very least you need to set the locale and keymap, and setup the network and `network-console`. The `pkg-sel` line is for `dropbear`, which we need later.

    d-i debian-installer/locale string en_US
    d-i keymap select us
    d-i keyboard-configuration/xkb-keymap select us
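
    Review bot: the inserted blank lines are fine, but step 1 still leaves out where `apt-get source debian-installer` unpacks to: the later path `build/pkg-lists/netboot/<arch>.cfg` is relative to that unpacked source tree, not to `~` where `preseed.cfg` is created, and all three commands assume a root shell since none of them use `sudo`. A line naming the directory to `cd` into would save the reader a guess.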
    @@ -38,15 +41,18 @@ _Source for this part of the guide was [here](https://wiki.debian.org/DebianInst
    d-i pkgsel/include string busybox dropbear

    4. Create `build/config/local` with the following. Obviously change the `preseed.cfg` path if you didn't save it in `~`, and change stable if you want to use testing or a specific code name.

    PRESEED=~/preseed.cfg
    USE_UDEBS_FROM=stable

    5. Change into the `build` directory and build the netboot image.

    fakeroot make rebuild_netboot

    6. Copy the `initrd.gz` and `linux` in `build/dest/netboot/debian-installer/<arch>/` to `/boot/` as `debian-installer-rd.gz` and `debian-installer` respectively.

    7. Update your bootloader to point to these new files. As I couldn't change which entry was chosen at boot, I just edited the first entry in `/boot/grub/grub.cfg`, but YMMV. Below is what I changed my grub lines to.

    menuentry 'Debian Installer' --class debian --class gnu-linux --class gnu --class os {
    load_video
    insmod gzio
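
    Review bot: step 7 edits `/boot/grub/grub.cfg` by hand, which any later `update-grub` (for example one triggered by a kernel package upgrade before the reboot) regenerates, silently dropping the installer entry; putting the `menuentry` in `/etc/grub.d/40_custom` and running `update-grub` keeps it. The text should also say that the `insmod` and `set root` lines are copied from this one machine's existing first entry, so readers take theirs from their own `grub.cfg` rather than from the gist.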
    @@ -76,42 +82,50 @@ _Source for this part of the guide, as well as the unlocking script is [here](ht
    1. Drop to a shell with `Execute a shell`.

    2. Mount special devices to the new system and chroot to it so that you can update the ramdisk later.

    cd /target
    mount -t proc proc proc/
    mount -t sysfs sys sys/
    mount -o bind /dev dev/
    chroot . /bin/bash

    3. Get the generated SSH keys for `dropbear`. I couldn't get SCP to work at this point, so had to use `cat`. Save these files, you'll need them to access SSH for unlocking.
    3. Get the generated SSH keys for `dropbear`. I couldn't get SCP to work at this point, so had to use `cat`. Paste the results of cat into a local file, such as `~/.ssh/id_rsa-unlock` and `~/.ssh/id_rsa-unlock.pub`.

    cat /etc/initramfs-tools/root/.ssh/id_rsa
    cat /etc/initramfs-toold/root/.ssh/id_rsa.pub

    4. Add your ethernet drivers to `/etc/initramfs-tools/modules`. Don't be shy here, if you're not sure which ethernet drivers from `lsmod` are the right ones, put them all in! I don't know of any downsides to that strategy, and if you don't get the actual driver in there, you won't be able to unlock your rootfs! I think the top one was what I needed, but the others were loaded too.

    8139too
    e1000e
    e100
    e1000
    r8169

    5. Edit `/etc/initramfs-tools/initramfs.conf`.

    DEVICE=eth0
    IP=<ip address>::<gateway>:<netmask>:<hostname>:eth0:off
    DROPBEAR=y

    6. Download unlocking script and `chmod` it.

    cd /etc/initramfs-tools/hooks
    wget http://projectgus.com/files/headless_cryptroot/mount_cryptroot
    chmod +x mount_cryptroot

    7. Rebuild the ramdisk.

    update-initramfs -u -t

    8. Exit the `chroot`, then the shell, and finish installation.

    9. Keep your fingers, toes and everything else crossed. Eventually you should be able to ping the server again, and login with SSH.

    ssh -i ~/.ssh/id_rsa-unlock root@<ip address>

    It might be a good idea to add this to your SSH config (`~/.ssh/config`):

    Host unlock
    HostName <ip address>
    Port 22
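
    Review bot: the new step 3 wording names the local files but not their permissions: `~/.ssh/id_rsa-unlock` receives a private key, so it needs `chmod 600` after pasting, or the `ssh -i ~/.ssh/id_rsa-unlock root@<ip address>` in step 9 fails with an unprotected-key-file error. Worth a sentence as well that pasting the private key through the terminal leaves it in scrollback and in any terminal log. The `initramfs-toold` typo on the second `cat` survives this revision.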
  3. Smenus created this gist Sep 3, 2013.
    128 changes: 128 additions & 0 deletions gistfile1.md
    @@ -0,0 +1,128 @@
    # Remote Debian Installation with Encrypted RootFS

    This is a quick run-down of how I installed Debian on my dedicated server (@ OVH - super cheap!), and managed to setup an encrypted rootfs with ssh during boot to unlock. This is both for the offchance that I'll have to do it again, and if anyone else is wanting to do the same thing.
    There are a few guides out there to get the unlocking over SSH, and a few for remote installation of Debian, but none that combine the two.

    _These instructions need an existing Debian install, although Ubuntu might work too._


    ## 1. Preparing Remote Installation
    _Source for this part of the guide was [here](https://wiki.debian.org/DebianInstaller/Remote)_

    1. Get Debian installer source and dependencies.
    apt-get install dpkg-dev
    apt-get source debian-installer
    apt-get build-dep debian-installer

    2. Enable `network-console` by adding the following to the top of `build/pkg-lists/netboot/<arch>.cfg`. Replace `<arch>` with your architecture. In my case this was amd64.
    #include "network-console"

    3. Create a `preseed.cfg` file for the installer (I created it in `~`). This defaults values that would otherwise be asked for, which you won't be able to answer as they all come before (or are) the network setup. The following are the values I used, at the very least you need to set the locale and keymap, and setup the network and `network-console`. The `pkg-sel` line is for `dropbear`, which we need later.
    d-i debian-installer/locale string en_US
    d-i keymap select us
    d-i keyboard-configuration/xkb-keymap select us
    d-i keyboard-configuration/variant select American English
    d-i debconf/priority select critical
    d-i auto-install/enabled boolean true
    d-i netcfg/choose_interface select eth0
    d-i netcfg/disable_dhcp boolean true
    d-i netcfg/get_nameservers string <name server>
    d-i netcfg/get_ipaddress string <IP address>
    d-i netcfg/get_netmask string <netmask>
    d-i netcfg/get_gateway string <gateway>
    d-i netcfg/confirm_static boolean true
    d-i netcfg/get_hostname string <host>
    d-i netcfg/get_domain string <domain.tld>
    d-i network-console/password password <password>
    d-i network-console/password-again password <password>
    d-i pkgsel/include string busybox dropbear

    4. Create `build/config/local` with the following. Obviously change the `preseed.cfg` path if you didn't save it in `~`, and change stable if you want to use testing or a specific code name.
    PRESEED=~/preseed.cfg
    USE_UDEBS_FROM=stable

    5. Change into the `build` directory and build the netboot image.
    fakeroot make rebuild_netboot

    6. Copy the `initrd.gz` and `linux` in `build/dest/netboot/debian-installer/<arch>/` to `/boot/` as `debian-installer-rd.gz` and `debian-installer` respectively.

    7. Update your bootloader to point to these new files. As I couldn't change which entry was chosen at boot, I just edited the first entry in `/boot/grub/grub.cfg`, but YMMV. Below is what I changed my grub lines to.
    menuentry 'Debian Installer' --class debian --class gnu-linux --class gnu --class os {
    load_video
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='(hd0,msdos1)'
    echo 'Loading Installer ...'
    linux /boot/debian-installer rw ramdisk_size=24000 root=/dev/rd/0
    echo 'Loading Installer Ramdisk ...'
    initrd /boot/debian-installer-rd.gz
    }

    8. Reboot and cross your fingers! After a while, you should be able to ping the machine again, and can log in with `ssh installer@<ip address>`. The password is as chosen earlier in the `preseed.cfg`.

    ## 2. Install Debian

    The installation should go as usual, choose the expert install and follow the steps. When it comes to partitioning, if the HDD is pretty big, you probably won't want to use the guided crypto option, as it will take forever and SSH will kick you out long before it finishes.
    I set up the partitions manually, being sure to uncheck the erase HDD option for the encryption part. Sure this isn't as perfect as it could have been, but the wiping takes *forever*.

    *Don't complete the installation - go to the next section!*

    _If it'd help, I could redo this in a VM to get a screenshot of my setup - let me know_

    ## 3. Setup `dropbear` unlocking
    _Source for this part of the guide, as well as the unlocking script is [here](http://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/)_

    1. Drop to a shell with `Execute a shell`.

    2. Mount special devices to the new system and chroot to it so that you can update the ramdisk later.
    cd /target
    mount -t proc proc proc/
    mount -t sysfs sys sys/
    mount -o bind /dev dev/
    chroot . /bin/bash

    3. Get the generated SSH keys for `dropbear`. I couldn't get SCP to work at this point, so had to use `cat`. Save these files, you'll need them to access SSH for unlocking.
    cat /etc/initramfs-tools/root/.ssh/id_rsa
    cat /etc/initramfs-toold/root/.ssh/id_rsa.pub

    4. Add your ethernet drivers to `/etc/initramfs-tools/modules`. Don't be shy here, if you're not sure which ethernet drivers from `lsmod` are the right ones, put them all in! I don't know of any downsides to that strategy, and if you don't get the actual driver in there, you won't be able to unlock your rootfs! I think the top one was what I needed, but the others were loaded too.
    8139too
    e1000e
    e100
    e1000
    r8169

    5. Edit `/etc/initramfs-tools/initramfs.conf`.
    DEVICE=eth0
    IP=<ip address>::<gateway>:<netmask>:<hostname>:eth0:off
    DROPBEAR=y

    6. Download unlocking script and `chmod` it.
    cd /etc/initramfs-tools/hooks
    wget http://projectgus.com/files/headless_cryptroot/mount_cryptroot
    chmod +x mount_cryptroot

    7. Rebuild the ramdisk.
    update-initramfs -u -t

    8. Exit the `chroot`, then the shell, and finish installation.

    9. Keep your fingers, toes and everything else crossed. Eventually you should be able to ping the server again, and login with SSH.
    ssh -i ~/.ssh/id_rsa-unlock root@<ip address>

    It might be a good idea to add this to your SSH config (`~/.ssh/config`):
    Host unlock
    HostName <ip address>
    Port 22
    User root
    IdentityFile ~/.ssh/id_rsa-unlock
    UserKnownHostsFile ~/.ssh/known_hosts-unlock

    Then you can just use `ssh unlock`.

    ## Done!

    ---

    If there are any mistakes, or any steps aren't clear, please let me know.
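
    Review bot: section 2 skips the erase of the HDD to save time, and the guide should spell out the cost rather than only "isn't as perfect as it could have been": whatever was on the disk before stays recoverable outside the new encrypted volume, and without a random fill the written and never-written parts of the LUKS container are distinguishable to anyone who images the disk. Two formatting points: the command lines sit directly under their list items with no blank line or indentation, so markdown renders `apt-get install dpkg-dev` and the rest as continuation text of the item rather than as code; and the `IP=<ip address>::<gateway>:<netmask>:<hostname>:eth0:off` line deserves a note that the empty second field is the NFS server field of the kernel `ip=` syntax and is intentional. The separate `UserKnownHostsFile ~/.ssh/known_hosts-unlock` is a good call, since the initramfs `dropbear` presents a different host key from the installed system's sshd at the same address; the text should say why, so readers do not drop it.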