wurzel/fruitbasket
9
1
Fork 0
Code Issues 5 Pull requests Packages Projects Releases Wiki Activity

quitte: enable ssh in initrd #81

Merged
fugidev merged 1 commit from initrd-ssh into main 2024-01-29 16:11:00 +01:00
Conversation 2 Commits 1 Files changed 2 +20
fugidev commented 2024-01-25 19:50:37 +01:00 (Migrated from github.com)
Copy link

Another host key needs to be generated, see modules/initrd-ssh.nix.

Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!

Additionally, even if your initrd supports secrets, if you're using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition.

Since we use systemd-boot, we're fine.

Another host key needs to be generated, see `modules/initrd-ssh.nix`. > Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users! > > Additionally, even if your initrd supports secrets, if you're using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition. Since we use systemd-boot, we're fine.
rouven0 commented 2024-01-26 01:08:34 +01:00 (Migrated from github.com)
Copy link

Lgtm.

Also thought about enabling boot.initrd.systemd at some point. Do you know if this still works then?

Lgtm. Also thought about enabling `boot.initrd.systemd` at some point. Do you know if this still works then?
fugidev commented 2024-01-27 18:24:49 +01:00 (Migrated from github.com)
Copy link

Also thought about enabling boot.initrd.systemd at some point. Do you know if this still works then?

No idea tbh, but we could try it in a vm

> Also thought about enabling `boot.initrd.systemd` at some point. Do you know if this still works then? No idea tbh, but we could try it in a vm
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: wurzel/fruitbasket#81
No description provided.
Delete branch "initrd-ssh"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?