summarylogtreecommitdiffstats
path: root/README.adoc
blob: 30d6305500b91db4b14001ab1ff65e75eb18dce5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
= mkinitcpio Wireguard hook
:author: David Harrigan
:email: <dharrigan [@] gmail [dot] com>
:docinfo: true
:doctype: book
:icons: font
:numbered:
:sectlinks:
:sectnums:
:setanchors:
:source-highlighter: highlightjs
:toc:
:toclevels: 5

== ChangeLog

IMPORTANT: Until this package has stabilised and until it has reached a 1.0.0
release, *please be very careful* to examine the version changes listed below
as the package requirements and instructions can change to reflect a better
understanding of the problem domain. *DO NOT ASSUME THAT ANYTHING UNTIL AT
LEAST A 1.0.0 RELEASE*

WARNING: Read the warning above.

|===
|Version | Note

| *0.3.0*
a|
* Various tidy ups and script improvements
* Rename PRIVATE_KEY_FILE to PRIVATE_KEYFILE

| *0.2.0*
a|
* Don't include the entire `/etc/wireguard` directory, instead use a subdirectory, namely `/etc/wireguard/initcpio` to keep things separate.

| *0.1.0*
a|
* Initial Release

|===

== Rationale

Firstly, encryption. Encrypt all the things.

Secondly, I think https://www.wireguard.io[Wireguard] is pretty awesome. It's
really easy to setup and use and works flawlessly (at least for me 😄).

Thirdly, the ability to remotely unlock encrypted partitions is extremely
useful.  However, a limitation is that in order to remotely unlock the
partition via SSH, you normally need to be on the same network (or at least
routeable) to the computer that needs unlocking.

As far as I could tell, there was nothing available in
https://aur.archlinux.org[AUR] that provided a Wireguard hook for
`mkinitcpio`. Creating a hook should allow a basic Wireguard interface to be
established so that - via a secure network - you could gain access to the
remote machine. This is my small attempt to achieve that aim.

IMPORTANT: I developed this little hook for myself and I'm releasing it into
the general community in the (probably misguided) hope that others may find it
useful too. As usual, no warranty implied or otherwise is given towards the
fitness of this software in meeting *YOUR* needs. Please refer to the included
https://unlicense.org[Unlicense] license file for more information. That said,
I find this little hook useful - perhaps you may too - so please enjoy! Oh,
and please be be awesome to each other!

WARNING: Ensure you have read the Arch wiki section on
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlocking_of_the_root_(or_other)_partition[remote
unlocking]. It's a *very* good idea to get remote unlocking working *first* on
your local network - proving that it works for you (this includes using either
*tinyssh* or *dropbear* to authenticate and unlock successfully)
- *before* attempting to setup this mkinitcpio Wireguard hook for remote
unlocking.

IMPORTANT: It is also *strongly* recommend that a *separate* Wireguard network
is setup and configured *just* for unlocking. You see, a private key (and a
public key) and a configuration file are written to the ramdisk (which
typically lives in an unencrypted boot partition). It's super trivially easy
for anyone to copy this ramdisk, extract out the contents and use the private
key and Wireguard configuration found therein to connect to your Wireguard
network. As a minimum, you could disable (on the remote peer *nominally called
the `server`*) the ability for the target machine (the `client` - the one on
which you are remotely unlocking partitions) to connect and authenticate -
only enabling connection *when* and *if* required. Please be careful and think
this through! Safety first!

== OS Installation

Standard installation rules apply. Here's an example using the
https://github.com/Jguer/yay[yay] package manager to install the utility.

`yay -S mkinitcpio-wireguard`

Please refer to your favourite package manager's documentation in learn how to
install it for you 😄

NOTE: Obviously, you must also install Wireguard! Choose either manual
installation (using git and compiling it yourself), or using `wireguard-arch`
or `wireguard-dkms`. Life is short, so personally I just roll with
`wireguard-arch`. Seems to work OOTB for me, but YMMV...

== Configuration

IMPORTANT: The setup and running of `mkinitcpio-wireguard` is *very* basic and
makes *lots* of assumptions. *This is intentional!* This hook is simple
because it is designed to get a minimal Wireguard up and running so that you
can remotely unlock encrypted partitions. The script does not attempt to do
anything else. This script will never be super fancy or clever.

WARNING: Please read and familiarise yourself with how Wireguard works. In
particular, please refer to the *numerous* examples online of how to setup and
configure Wireguard. It is *strongly* suggested you get Wireguard up and
running first. A few examples of where to find documentation are listed below:

* https://wiki.archlinux.org/index.php/WireGuard
* https://www.wireguard.com/quickstart/
* https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8

After installing `mkinitcpio-wireguard`, an example configuration file will be
written to `/etc/wireguard/initcpio/unlock`. You *MUST* edit this file to suit
your particular Wireguard requirements. The file is really simple and
therefore should be pretty self-explanatory.

NOTE: If you have an existing `wg0.conf` in your `/etc/wireguard` directory,
you can use the contents of that file as a reference. Please be aware of the
warning above concerning the recommended use of a separate network for remote
unlocking.

== Hook Installation

After you have edited the `/etc/wireguard/initcpio/unlock` file to suit your
needs, ensure that you've added the `wireguard` hook to the *HOOKS* array of
`/etc/mkinitcpio.conf`. Shown below is an example that also includes the use
of `netconf`, `tinyssh` and `encryptssh`.

----
HOOKS=(base udev autodetect keyboard keymap modconf block netconf wireguard tinyssh encryptssh filesystems fsck)
----

== Final Steps

Lastly, run (still as root):

----
mkinitcpio -P
----

This will regenerate the ramdisk with your Wireguard configuration.

You should now be able to reboot your machine and after the interface has come
up be able to ping it via your Wireguard network! You should now also be able
to SSH to the machine (you did remember to set that all up before doing this,
right?) and unlock any encrypted partitions and thus enable the continuation
of your boot process! FTW!

== Unlicensed

Find the full unlicense in the UNLICENSE file, but here's a snippet.
This is free and unencumbered software released into the public domain.

----
Anyone is free to copy, modify, publish, use, compile, sell, or distribute
this software, either in source code form or as a compiled binary, for any
purpose, commercial or non-commercial, and by any means.
----