Hi folks, I am using dietpi on RPi4, installed on an M.2 SATA SSD via a Berryboot image (DietPi (Bullseye) for all Raspberry Pi Devices (2021.08.13)) available here.
The SSD is fully encrypted (LUKS, via Berryboot at installation) and I am trying to set up openssh-initramfs so I can do full remote login (i.e., be able to provide disk encryption password via SSH). I have selected OpenSSH as SSH server on dietpi via dietpi-software.
I also installed initramfs-tools as the dietpi image didn’t come with it (and busybox). There were a few errors while installing initramfs-tools, which were fixed with apt --fix-install. I then installed openssh-initramfs using the pre-built package. The /etc/initramfs-tools/ and /etc/openssh-initramfs/ directories show up as expected.
Then following the configuration instructions for openssh-initramfs and setting up the ssh config files, I tried both sudo update-initramfs -u as “dietpi” user and update-initramfs -u as “root”. But the configurations don’t seem to be updating. I don’t see the usual update-initramfs: Generating /boot/initrd.img-xxx message and there are no initrd images in /boot/, and of course I don’t have ssh access at boot.
Would appreciate some pointers on (a) What I may be doing wrong and how to fix it and (b) suggestions on alternative (preferably simpler) ways to set up ssh access during boot.
Edit: I now realise that with update-initramfs -u I am trying to update an initrd image that does not exist! I will try creating one first. But does dietpi have a different preferred option for this, since initrd-tools does not come pre-installed and an initial initrd image does not exist?
Thanks.
It is not really using OpenSSH, but it might help you.
We had a larger discussion on file system encryption in general in this GitHub post: https://github.com/MichaIng/DietPi/issues/3377
During the conversation a user shared quite a good guide for the entire topic: https://github.com/MichaIng/DietPi/issues/3377#issuecomment-895674210
One part of the guide was on how to decrypt the root partition via SSH: https://github.com/keks24/raspberry-pi-luks#decrypting-the-root-partition-via-ssh
Personally, I did a test and it was working well for me.
Many thanks Joulinar for the very helpful links. I am going to try and adapt that to OpenSSH - the discussions gave me some useful ideas.
But if I do have to fall back to dropbear, do you happen to know if there are any potential conflicts if I use dropbear for the boot SSH and OpenSSH once the machine is booted? Or do they co-exist harmoniously?
Thanks again.
Honestly, I never used OpenSSH as SSH server, so I can’t tell. But I guess the one used for initramfs is not the same as for the regular SSH session. Something you would need to try.
Sure, I’m tinkering with these now.
Going through the links you provided, there is one part that stumps me: in decryption with SSH, the authorized_keys has command="/usr/bin/cryptroot-unlock" included. I have separately installed the packages used, but I don’t seem to get that binary through any of those. The guide itself does not mention it anywhere else.
Since you have tested this already, would you be able to point me to what this refers to? For now, I am working under the assumption that it is only the decryption part I need to follow for now as I already have the disk encrypted.
Many thanks.
Hmm, honestly I did not pay attention to whether the file exists. I just followed the guide. Maybe the path is valid on the running temp SSH server only, used to decrypt the image.
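Added example, not part of the thread or of the linked guide: one way to check the two open points above, namely whether a generated image actually contains `cryptroot-unlock`, and whether every key in the boot-time `authorized_keys` is pinned to it by a `command="..."` option. It assumes the listing is the text output of `lsinitramfs <image>` from initramfs-tools; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an initramfs listing and a boot-time authorized_keys file.
# Assumption: the listing on stdin is the text output of `lsinitramfs <image>`.

# Succeeds if the listing contains the unlock helper, as bin/cryptroot-unlock
# or usr/bin/cryptroot-unlock depending on the initramfs layout.
has_unlock_helper() {
    grep -Eq '(^|/)bin/cryptroot-unlock$'
}

# Prints the line number of every key in file $1 that is NOT pinned to
# cryptroot-unlock, and returns 1 if any were found.
# The command="..." option must sit in the leading options field, so a
# look-alike string in the trailing key comment does not count. Options
# containing spaces ahead of command= are reported too (conservative).
unpinned_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        $0 !~ /^[^ ]*command="[^"]*\/cryptroot-unlock"/ { print NR; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on constructed data (not taken from a real system).
sample_listing='usr/bin/busybox
usr/bin/cryptroot-unlock'
if printf '%s\n' "$sample_listing" | has_unlock_helper; then
    echo "unlock helper present in image listing"
else
    echo "unlock helper missing from image listing"
fi

sample_keys=$(mktemp)
cat > "$sample_keys" <<'EOF'
# constructed keys for the demo
command="/usr/bin/cryptroot-unlock" ssh-ed25519 AAAAconstructed1 admin@laptop
ssh-ed25519 AAAAconstructed2 unrestricted@laptop
EOF
bad_lines=$(unpinned_keys "$sample_keys")
echo "unpinned key lines: ${bad_lines:-none}"
rm -f "$sample_keys"
```

On a real system the listing would come from `lsinitramfs` run against the image that `update-initramfs` generated, so the check also fails visibly when no image exists yet.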