Using dracut-sshd to unlock a LUKS-encrypted system

I use dracut-sshd on my Tumbleweed machines so I’m able to unlock the encryption over SSH on my encrypted systems, with great success, and I’d love to be able to use it on my Silverblue workstations so that when I’m remote I’m able to unlock them after an update.

Has anybody tried using it once it is layered into the system, so that it is usable in the generated initramfs?

I did build an RPM package in toolbox, and I’d be layering it into the system with rpm-ostree.


Thank you for introducing me to dracut-sshd!

I think it is possible if you layer the RPM package, but you have to execute rpm-ostree initramfs --enable. This is because dracut-sshd must be in the initramfs image to work. In Silverblue, the initramfs is prebuilt and included in the system image, so if you layer dracut-sshd it will not be in your prebuilt initramfs. The command that I mentioned above enables local initramfs generation during rpm-ostree operations, so dracut-sshd should then be in your initramfs and working.

OK, an update from me: once you layer dracut-network and run initramfs --enable, it does build and try to include sshd in the initramfs, but it fails to include /root/.ssh/authorized_keys even though there is one in the root directory.

oct 10 21:55:13 sulaco.lan rpm-ostree[21924]: dracut: No authorized_keys for root user found!

sudo ls -l /root/.ssh/authorized_keys
-rw-------. 1 root root 11986 10 oct 20:33 /root/.ssh/authorized_keys

My guess would be that /root/.ssh isn’t visible in the dracut phase, which would explain why it doesn’t work.

Any idea why that is?

Perhaps the fs isn’t mounted yet?

This is what I assumed.

Is there a way to force the dracut process to mount /var/roothome/ so the creation of the initramfs completes successfully?

Meanwhile, I just added an extra key to the boot process, located on a USB key dongle, so my encrypted machine boots without human intervention.

Is your /var partition encrypted? If yes, then it is not mounted because you need to decrypt it first. So it is circular: you need to mount the partition to decrypt it, but you need to decrypt it for mounting. I guess it can be an issue like this.
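A preflight check for the failure described above (the authorized_keys file that dracut-sshd needs not being found while rpm-ostree builds the initramfs), as an added example that is not code from this thread or from the dracut-sshd project. It assumes two things: that dracut-sshd looks for the root key at /root/.ssh/authorized_keys and accepts /etc/dracut-sshd/authorized_keys as an alternative location (verify against the module-setup.sh of the version you packaged), and that /root on Silverblue is a symlink to /var/roothome on the encrypted root filesystem, which is the explanation offered above. Every function takes an explicit root prefix so the checks can be exercised against a constructed directory tree instead of the live system; the initramfs check reads the listing produced by dracut's lsinitrd tool.

```shell
#!/bin/sh
# Added example (not from the thread or from dracut-sshd): preflight checks
# for a dracut-sshd initramfs on an rpm-ostree system.
# Assumptions (not facts stated in the thread):
#   - dracut-sshd looks for the key at root/.ssh/authorized_keys and, as an
#     alternative, etc/dracut-sshd/authorized_keys (check your module-setup.sh)
#   - on Silverblue, /root is a symlink to var/roothome on the encrypted root
# $1 is a root prefix ("" for the live system, a temp dir for testing).

# Print the first non-empty candidate key file under the prefix; return 1 if none.
find_authorized_keys() {
    root=${1:-}
    for rel in etc/dracut-sshd/authorized_keys root/.ssh/authorized_keys; do
        f="$root/$rel"
        if [ -f "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Return 0 when the key file (after resolving symlinks such as /root ->
# var/roothome) lives under <prefix>/var, i.e. on the filesystem that is not
# available while the initramfs is being built; 1 otherwise; 2 if unresolvable.
key_on_var() {
    root=${1:-}
    f=$2
    [ -n "$root" ] && root=$(readlink -f "$root")
    resolved=$(readlink -f "$f") || return 2
    case "$resolved" in
        "$root"/var/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read an initramfs listing (output of `lsinitrd IMAGE`) from stdin and check
# for the sshd binary and the key file dracut-sshd should have installed.
# Prints what is missing; returns 0 only when both are present.
check_initrd_listing() {
    listing=$(cat)
    rc=0
    printf '%s\n' "$listing" | grep -q 'sbin/sshd$' \
        || { echo "missing: sshd binary"; rc=1; }
    printf '%s\n' "$listing" | grep -q 'root/.ssh/authorized_keys$' \
        || { echo "missing: root/.ssh/authorized_keys"; rc=1; }
    return $rc
}

# Live checks against the running system (run with: sh preflight.sh run).
main() {
    key=$(find_authorized_keys "") || {
        echo "no authorized_keys found where dracut-sshd looks"
        return 1
    }
    echo "key file: $key"
    if key_on_var "" "$key"; then
        echo "warning: $key resolves onto /var, which is on the encrypted root"
        echo "         and not available when rpm-ostree builds the initramfs"
    fi
    if command -v lsinitrd >/dev/null 2>&1; then
        lsinitrd | check_initrd_listing \
            && echo "current initramfs contains sshd and the key"
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

The warning branch is the case from this thread: the file exists on disk, but its real location is under /var, so a check that only looks at the path as root sees it will be misleading. The listing check is the confirmation step after rpm-ostree initramfs --enable has rebuilt the image.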

To do this on Silverblue you have to enable it via rpm-ostree: rpm-ostree initramfs --enable enables local initramfs creation. The -r or --reboot option will force a reboot after the operation is complete. See rpm-ostree initramfs --help for details. I think after enabling, you make your initramfs as you did already, reboot, then disable local generation again when satisfied. At least that’s how I think you should go about doing it in SB. You can also get the Grub menu up at boot and edit the kernel args line for the commit you are doing this on.
[Edit] My bad, I should have re-read your post! You did this already. NM then.