I have been meaning to set up network unlock for my CentOS-based hypervisor for several years, and I finally set aside the time to try it a second time, and I am running into a roadblock. I do not want to ssh to a dropbear initramfs; I want this to be automatic as long as I've unlocked a central server.
The basic concept I want to achieve:
- Store the keyfile/password on an "always on" system, within a LUKS-encrypted volume (just a raw file encrypted as LUKS with an ext4 filesystem)
- The keyfile/password for each boot volume I need to unlock is stored in this volume
- When I need to unlock systems after a reboot, I ensure this volume is unlocked and mounted
- The encrypted system has a keyscript, an ssh key, and initramfs networking enabled
- The keyscript runs "ssh [email protected] cat /mnt/keys/hostname", which outputs the password in a simple implementation
- This would then unlock the boot volume, and the system would start up without manual intervention such as connecting to dropbear/ssh and running commands
- When no systems need to be unlocked, the keyfile volume is closed on the keyserver
I run CentOS Stream, and it appears that keyscript is not supported in CentOS Stream 8 per "man crypttab".
I've installed the required files, and in the pre-boot environment I can run /usr/local/sbin/keyscript.sh and see the password written to stdout; however, two issues appear:
- without _netdev in crypttab, the network starts up immediately after prompting for the password
- with _netdev, no ssh connection is seen on the keyserver, indicating the keyscript is not being run
Is keyscript support in CentOS Stream 8 enabled by a package I'm not aware of, or is this a feature of CentOS Stream 9? Otherwise, it looks like I will be switching to Debian for the next rebuild of my hypervisors, which is disappointing.
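An added example of the keyscript contract the post describes (a script that prints the passphrase to stdout, as Debian's crypttab keyscript= expects), together with the restricted authorized_keys line that belongs on the keyserver. It is not the poster's script and does not settle whether the CentOS Stream 8 initramfs will ever invoke it, which is the question above; it only shows what the script should do once invoked. The keyserver name, the "unlock" account, the identity and known_hosts paths, the /mnt/keys layout and the 10.0.0.0/24 subnet are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Client side: a Debian-style
# crypttab keyscript that fetches this host's LUKS passphrase from a central
# keyserver over ssh and writes it to stdout, retrying while the keyserver's
# keyfile volume is still locked. Server side: the restricted authorized_keys
# line that goes with it. Host names, user name and paths are assumptions.
set -u

KEYSERVER="${KEYSERVER:-keyserver.example.com}"             # assumed keyserver name
KEYUSER="${KEYUSER:-unlock}"                                 # assumed unprivileged account on it
IDENTITY="${IDENTITY:-/etc/luks-unlock/id_ed25519}"         # per-host client key, assumed path
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/luks-unlock/known_hosts}"  # pinned keyserver host key, assumed path
MAX_TRIES="${MAX_TRIES:-30}"                                 # 30 x 2 s: wait about a minute for the keyserver
SLEEP_SECS="${SLEEP_SECS:-2}"

# Runs the command that yields the passphrase. No remote command is passed:
# the forced command in the keyserver's authorized_keys chooses the file, so a
# stolen initramfs identity cannot request another host's key. FETCH_CMD lets
# the retry and validation logic be exercised without a network. ssh's stderr
# is left alone so connection errors show on the console during boot.
fetch_key() {
  if [ -n "${FETCH_CMD:-}" ]; then
    $FETCH_CMD
  else
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" -o ConnectTimeout=5 \
        -i "$IDENTITY" "$KEYUSER@$KEYSERVER"
  fi
}

# A usable passphrase is exactly one non-empty line of printable characters;
# a banner, an error message or an empty volume must not be fed to cryptsetup.
validate_key() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[![:print:]]*) return 1 ;;
  esac
  return 0
}

# Retry until the keyserver answers or MAX_TRIES is exhausted. On success the
# passphrase is written to stdout without a trailing newline (cryptsetup uses
# every byte it is given, so a newline would become part of the passphrase).
get_key_with_retry() {
  tries=0
  while [ "$tries" -lt "$MAX_TRIES" ]; do
    tries=$((tries + 1))
    if key=$(fetch_key) && validate_key "$key"; then
      printf '%s' "$key"
      return 0
    fi
    sleep "$SLEEP_SECS"
  done
  return 1
}

# Keyserver side: the authorized_keys line for one hypervisor. "restrict" turns
# off forwarding, pty and rc files, from= pins the client network and the forced
# command fixes which file is read. Host names are whitelisted so nothing like
# "../" can reach the command line.
authorized_keys_line() {
  host="$1"; pubkey="$2"; from="${3:-10.0.0.0/24}"   # assumed hypervisor subnet
  case "$host" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf 'restrict,from="%s",command="cat /mnt/keys/%s" %s\n' "$from" "$host" "$pubkey"
}

# Installed as /usr/local/sbin/keyscript.sh in the initramfs; when invoked under
# that name it emits the passphrase and exits non-zero if none could be fetched.
case "${0##*/}" in
  keyscript.sh) get_key_with_retry ;;
esac
```

Two things worth checking before relying on this. The file under /mnt/keys must hold the passphrase exactly as it was enrolled: if the keyslot was added by typing the passphrase, store it with no trailing newline (for example with printf rather than echo), otherwise cryptsetup will hash the newline as part of the passphrase and the slot will not open. And the per-host private key lives unencrypted in the initramfs on /boot, so anyone who takes the disk also takes the identity; the forced command, the from= restriction and the habit of closing the keyfile volume when no host needs unlocking are what limit what that identity is worth.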