dracut-sshd
wireguard-initramfs
dracut-sshd | wireguard-initramfs
---|---
7 | 10
204 | 275
- | -
4.6 | 4.7
about 1 month ago | 4 months ago
Shell | Shell
- | The Unlicense
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
dracut-sshd
- Tinyssh
- home server encryption
  There is also dracut-sshd, which works great for distros using - surprise - dracut.
- Encryption with NAS Volume
  Personally, I'm running OpenSuse Tumbleweed and used the graphical installer this time out of convenience. If you want to remotely unlock it over ssh, I can recommend https://github.com/gsauthof/dracut-sshd. Works pretty well.
- I switched to MicroOS GNOME and I don't think I'm returning back to regular distributions
  The only thing that prevented me from going with MicroOS during my last server install was uncertainty about how well it would handle remote unlocking of luks system encryption for which I'm using dracut-sshd.
- Getting WiFi to Connect Early (for dracut-sshd).
  I'm trying to use the dracut-sshd package on Fedora 35. The instructions only describe how to use dracut-network and networkd to get a wired internet connection during boot (for SSH to work). I'm completely unfamiliar with these so I'm not sure what to change in order to make it work with a wireless connection instead. I tried changing their example in various ways with no luck.
- Remotely unlocking headless server
- Remote unlocking encrypted system via ssh doesn't work!
  I prefer this https://github.com/gsauthof/dracut-sshd
wireguard-initramfs
- How to avoid typing password of LUKS encrypted server every boot?
- Fedora Workstation Aiming To Improve Encryption, Possibly Encrypted Disk By Default In The Future
  Some other interesting things are providing keys over the network, or leveraging Wireguard and SSH to remotely unlock.
- Encrypt Raspberry Pi?
  For vulnerabilities: even if dropbear was vulnerable in some way, it's running in a pre-boot initramfs with a restricted shell which can be locked down even further to prevent escalation. To add another layer of security, you can run Wireguard in initramfs and have dropbear configured to be accessible from only the vpn network: https://github.com/r-pufky/wireguard-initramfs
- I self host on my desktop, but it likes to crash. Any advice on remotely resetting a frozen system?
  Once you manage to reset the system, wireguard-initramfs should work if you need to SSH into it from outside the LAN, though the project is only currently supported on Debian. Within the LAN, dropbear in your initramfs should be enough.
- How can I encrypt the whole disk on cloud hosts to prevent them from seeing my data in backups/snapshots?
  There are other initramfs packages available that expand features such as wireguard capability: https://github.com/r-pufky/wireguard-initramfs
- Connect to remote encrypted SSH Client
- r-pufky/wireguard-initramfs - Enables wireguard networking during kernel boot, before encrypted partitions are mounted. Combined with dropbear this can enable FULLY ENCRYPTED remote booting without storing key material or exposing ports on the remote network.
- wireguard-initramfs for debian bullseye (e.g. dropbear over wireguard) [working]
  FYI, this is now the case. 2021-07-04
  Just posted the first rev of wireguard-initramfs for debian bullseye.
What are some alternatives?
dracut-crypt-ssh - dracut initramfs module to start dropbear sshd during boot to unlock the root filesystem with the (cryptsetup) LUKS passphrase remotely
ramroot - Load root file system to ram during boot.
dracut - dracut the event driven initramfs infrastructure
yubikey-full-disk-encryption - Use YubiKey to unlock a LUKS partition
u-root - A fully Go userland with Linux bootloaders! u-root can create a one-binary root file system (initramfs) containing a busybox-like set of tools written in Go.
ubuntu-server-zfsbootmenu - Ubuntu zfsbootmenu install script
initramfs-tools-tailscale - Tailscale enabled initramfs
pi-encrypted-boot-ssh - Raspberry Pi Encrypted Boot with Remote SSH
zfsbootmenu - ZFS Bootloader for root-on-ZFS systems with support for snapshots and native full disk encryption
wireguard-install - WireGuard road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora