https-keyscript
Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.
- Added curl as dependency (busybox wget caused problems with TLS connections, that's why I changed it to curl, which seems to work better ...) - Added openssl as...
- No need for real wget anymore, newer busybox wget works just fine with https urls - Add needed libraries for resolving
The booting mechanism is quite different on systems like the Raspberry Pis. The correct time isn't yet set, so the SSL certificates of remote HTTPS servers will be invalid. ```...
sh expect $CRYPTTAB_TRIED (if [ "$CRYPTTAB_TRIED" -gt 0 ]; then) to be set so the following fails: busybox sh /lib/cryptsetup/scripts/wget_or_ask "somepassphrase:https://example.org/encrypted_keyfile" > unencrypted_keyfile the following works (but without passing by...
- Use configure_networking() in networking.sh (Fixes https://github.com/stupidpupil/https-keyscript/issues/4) - Wait for valid network connection - Deconfigure network in init-bottom/networking.sh
Newer distros have openssl 1.1 on board nowadays. (Fixes https://github.com/stupidpupil/https-keyscript/issues/7)
- Assumes `eth0` as the relevant networking interface (which it won't be on any Ubuntu system at least) - Assumes DHCP configuration
- Add networking hook for resolving - Remove now unnecessary strace dependency in wget hook (Fixes https://github.com/stupidpupil/https-keyscript/issues/6)
wget and curl are comparable, but curl has a nice option: `--dns-servers`, with which you can specify the DNS resolvers. With curl you wouldn't have to configure resolv.conf in initramfs...