summarylogtreecommitdiffstats
path: root/README.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'README.adoc')
-rw-r--r--README.adoc139
1 files changed, 139 insertions, 0 deletions
diff --git a/README.adoc b/README.adoc
new file mode 100644
index 00000000000..aa2c441da46
--- /dev/null
+++ b/README.adoc
@@ -0,0 +1,139 @@
+= mkinitcpio Wireguard hook
+:author: David Harrigan
+:email: <dharrigan [@] gmail [dot] com>
+:docinfo: true
+:doctype: book
+:icons: font
+:numbered:
+:sectlinks:
+:sectnums:
+:setanchors:
+:source-highlighter: highlightjs
+:toc:
+:toclevels: 5
+
+== Rationale
+
+Firstly, encryption. Encrypt all the things.
+
+Secondly, I think https://www.wireguard.io[Wireguard] is pretty awesome. It's
+really easy to setup and use and works flawlessly (at least for me 😄).
+
+Thirdly, the ability to remotely unlock encrypted partitions is extremely
+useful. However, a limitation is that in order to remotely unlock the
+partition via SSH, you normally need to be on the same network (or at least
+routeable) to the computer that needs unlocking.
+
+As far as I could tell, there was nothing available in
+https://aur.archlinux.org[AUR] that provided a Wireguard hook for
+`mkinitcpio`. Creating a hook should allow a basic Wireguard interface to be
+established so that - via a secure network - you could gain access to the
+remote machine. This is my small attempt to achieve that aim.
+
+IMPORTANT: I developed this little hook for myself and I'm releasing it into
+the general community in the (probably misguided) hope that others may find it
+useful too. As usual, no warranty implied or otherwise is given towards the
+fitness of this software in meeting *YOUR* needs. Please refer to the included
+https://unlicense.org[Unlicense] license file for more information. That said,
+I find this little hook useful - perhaps you may too - so please enjoy! Oh,
+and please be be awesome to each other!
+
+WARNING: Ensure you have read the Arch wiki section on
+https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_of_the_root_(or_other)_partition[remote
+unlocking]. It's a *very* good idea to get remote unlocking working *first* on
+your local network - proving that it works for you (this includes using either
+*tinyssh* or *dropbear* to authenticate and unlock successfully)
+- *before* attempting to setup this mkinitcpio Wireguard hook for remote
+unlocking.
+
+IMPORTANT: It is also *strongly* recommend that a *separate* Wireguard network
+is setup and configured *just* for unlocking. You see, a private key (and a
+public key) and a configuration file are written to the ramdisk (which
+typically lives in an unencrypted boot partition). It's super trivially easy
+for anyone to copy this ramdisk, extract out the contents and use the private
+key and Wireguard configuration found therein to connect to your Wireguard
+network. As a minimum, you could disable (on the remote peer *nominally called
+the `server`*) the ability for the target machine (the `client` - the one on
+which you are remotely unlocking partitions) to connect and authenticate -
+only enabling connection *when* and *if* required. Please be careful and think
+this through! Safety first!
+
+== OS Installation
+
+Standard installation rules apply. Here's an example using the
+https://github.com/Jguer/yay[yay] package manager to install the utility.
+
+`yay -S mkinitcpio-wireguard`
+
+Please refer to your favourite package manager's documentation in learn how to
+install it for you 😄
+
+NOTE: Obviously, you must also install Wireguard! Choose either manual
+installation (using git and compiling it yourself), or using `wireguard-arch`
+or `wireguard-dkms`. Life is short, so personally I just roll with
+`wireguard-arch`. Seems to work OOTB for me, but YMMV...
+
+== Configuration
+
+IMPORTANT: The setup and running of `mkinitcpio-wireguard` is *very* basic and
+makes *lots* of assumptions. *This is intentional!* This hook is simple
+because it is designed to get a minimal Wireguard up and running so that you
+can remotely unlock encrypted partitions. The script does not attempt to do
+anything else. This script will never be super fancy or clever.
+
+WARNING: Please read and familiarise yourself with how Wireguard works. In
+particular, please refer to the *numerous* examples online of how to setup and
+configure Wireguard. It is *strongly* suggested you get Wireguard up and
+running first. A few examples of where to find documentation are listed below:
+
+* https://wiki.archlinux.org/index.php/WireGuard
+* https://www.wireguard.com/quickstart/
+* https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
+
+After installing `mkinitcpio-wireguard`, a configuration file will be written
+to `/etc/wireguard/remote-unlock`. You *MUST* edit this file to suit your
+particular Wireguard requirements. The file is really simple and therefore
+should be pretty self-explanatory.
+
+NOTE: If you have an existing `wg0.conf` in your `/etc/wireguard` directory,
+you can use the contents of that file as a reference. Please be aware of the
+warning above concerning the recommended use of a separate network for remote
+unlocking.
+
+== Hook Installation
+
+After you have edited the `/etc/wireguard/remote-unlock` file to suit your
+needs, ensure that you've added the `wireguard` hook to the *HOOKS* array of
+`/etc/mkinitcpio.conf`. Shown below is an example that also includes the use
+of `netconf`, `tinyssh` and `encryptssh`.
+
+----
+HOOKS=(base udev autodetect keyboard keymap modconf block netconf wireguard tinyssh encryptssh filesystems fsck)
+----
+
+== Final Steps
+
+Lastly, run (as root):
+
+----
+mkinitcpio -P
+----
+
+This will regenerate the ramdisk with your Wireguard configuration.
+
+You should now be able to reboot your machine and after the interface has come
+up be able to ping it via your Wireguard network! You should now also be able
+to SSH to the machine (you did remember to set that all up before doing this,
+right?) and unlock any encrypted partitions and thus enable the continuation
+of your boot process! FTW!
+
+== Unlicensed
+
+Find the full unlicense in the UNLICENSE file, but here's a snippet.
+This is free and unencumbered software released into the public domain.
+
+----
+Anyone is free to copy, modify, publish, use, compile, sell, or distribute
+this software, either in source code form or as a compiled binary, for any
+purpose, commercial or non-commercial, and by any means.
+----