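====== Configuration d'un accès SSH à l'init du système pour pouvoir déchiffrer les partitions à distance ======

===== Installation de dropbear =====

<code bash>
sudo apt install dropbear
</code>

Ajout au fichier config de dropbear :

<code bash>
sudo nano /etc/dropbear-initramfs/config
</code>

<code>
DROPBEAR_OPTIONS="-j -k -p <port> -s -c cryptroot-unlock"
</code>

''<port>'' est à remplacer par un numéro de port SSH DIFFÉRENT du port SSH défini pour se connecter ensuite au système : dropbear a sa propre clé d'hôte, un port distinct évite au client de confondre les deux empreintes. Les autres options : ''-j'' et ''-k'' désactivent les redirections de ports locales et distantes, ''-s'' désactive l'authentification par mot de passe (clé SSH uniquement), ''-c cryptroot-unlock'' impose la commande exécutée à la connexion.

===== Clé SSH =====

Créer une clé SSH SUR VOTRE ORDI PERSO :

<code bash>
ssh-keygen -t ed25519 -C "your_email@example.com"
</code>

METTRE UNE PASSPHRASE ROBUSTE.

Envoi de la clé sur le serveur (''-p <port>'' seulement si le port SSH du système n'est pas le port par défaut) :

<code bash>
ssh-copy-id -i /home/<utilisateur>/.ssh/id_ed25519.pub {-p <port>} <utilisateur>@<serveur>
</code>

Copie de la clé SSH de l'utilisateur vers dropbear :

<code bash>
sudo cp /home/<utilisateur>/.ssh/authorized_keys /etc/dropbear-initramfs/
</code>

===== WireGuard dans l'initramfs =====

Ajouter "wireguard" dans /etc/initramfs-tools/modules :

<code bash>
sudo nano /etc/initramfs-tools/modules
</code>

<code>
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
wireguard
</code>

Créer les fichiers suivants :

<code bash>
sudo nano /etc/initramfs-tools/scripts/init-bottom/wg-down
</code>

<code bash>
#!/bin/sh
# /etc/initramfs-tools/scripts/init-bottom/wg-down
# Removes the WireGuard interface before the switch to the real root,
# so the unlock tunnel does not outlive the initramfs.
PREREQ=""
prereqs() {
  echo "$PREREQ"
}
case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac
ip link delete wg0
</code>

<code bash>
sudo nano /etc/initramfs-tools/scripts/init-premount/wg-up
</code>

<code bash>
#!/bin/sh
# /etc/initramfs-tools/scripts/init-premount/wg-up
# Brings the WireGuard tunnel (wg0) up inside the initramfs so that dropbear
# is reachable through it before the encrypted root is unlocked.
PREREQ="udev"
prereqs() {
  echo "$PREREQ"
}
case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac
. /scripts/functions

log_begin_msg "Configuring wg"

# Creates wg0, loads the peer configuration, assigns the addresses and
# routes everything but the endpoint through the tunnel.
setup_wg() {
  configure_networking
  CONFIG="/etc/wireguard/wg0.conf"

  echo "Create interface"
  ip link add dev wg0 type wireguard

  # wg setconf does not accept the Address= key (a wg-quick extension), so it
  # is stripped into a temporary copy. That copy also carries the private key
  # and is removed as soon as the interface is configured.
  echo "Stripping config"
  grep -v "^\s*#\?\s*Address\s*=.*" "$CONFIG" > "$CONFIG.strip"
  echo "Configure interface"
  wg setconf wg0 "$CONFIG.strip"
  rm -f -- "$CONFIG.strip"

  echo "Upping interface"
  ip link set dev wg0 up

  # Address= lines (commented or not) are applied by hand; the unquoted
  # command substitution is intentional, word-splitting separates the addresses.
  for I in $(grep "^.*#\?\s*Address\s*=\s*..*" "$CONFIG" | cut -d "=" -f2 | tr -d ','); do
    echo "Add address $I to interface wg0"
    ip address add "$I" dev wg0
  done

  # Host route to the peer endpoint via the current gateway, so the tunnel's
  # own packets are not sent into the tunnel once the /1 routes exist.
  host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
  if [ -n "$host" ]; then
    # The route words must stay split (unquoted substitution on purpose); the
    # route may already exist, hence the tolerated failure.
    ip route add $(ip route get "$host" | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null || true
  fi

  # Two /1 routes take precedence over the default route: all other traffic
  # goes through wg0.
  ip route add 0/1 dev wg0
  ip route add 128/1 dev wg0
}

setup_wg
log_end_msg

# Diagnostic only: gives the tunnel time to come up, then checks reachability
# once. Can be removed once the setup is confirmed working.
sleep 10 && ping -c 1 1.1.1.1
</code>

<code bash>
sudo nano /etc/initramfs-tools/hooks/wg
</code>

<code bash>
#!/bin/bash
# /etc/initramfs-tools/hooks/wg
# Copies the wg binary and the tunnel configuration into the initramfs image.
set -e
PREREQ=""
prereqs() {
  echo "${PREREQ}"
}
case "${1}" in
  prereqs)
    prereqs
    exit 0
    ;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/bin/wg
# The destination is the path wg-up reads (CONFIG=/etc/wireguard/wg0.conf).
copy_file config /etc/initramfs-tools/wg0.conf /etc/wireguard/wg0.conf
</code>

<code bash>
sudo nano /etc/initramfs-tools/wg0.conf
</code>

<code>
# /etc/initramfs-tools/wg0.conf
[Interface]
#Address = 80.67.xxx.xxx/32
PrivateKey = …
[Peer]
PublicKey = …
AllowedIPs = 0.0.0.0/0
Endpoint = 80.67.xxx.xxx:xxxxx
PersistentKeepalive = 25
</code>

La ligne ''Address'' reste commentée : ''wg setconf'' ne l'accepte pas, c'est le script wg-up qui la lit et applique l'adresse. Ce fichier contient la clé privée WireGuard : le réserver à root (''sudo chmod 600 /etc/initramfs-tools/wg0.conf'') et vérifier que l'image initramfs générée dans /boot n'est pas lisible par tous, puisque la clé y est copiée.

===== Activation =====

Rendre les fichiers exécutables :

<code bash>
sudo chmod +x /etc/initramfs-tools/scripts/init-bottom/wg-down
sudo chmod +x /etc/initramfs-tools/scripts/init-premount/wg-up
sudo chmod +x /etc/initramfs-tools/hooks/wg
</code>

Recharger initramfs et grub :

<code bash>
sudo update-initramfs -u -v
sudo update-grub
</code>

Pour se connecter après redémarrage (''<port>'' est le port dropbear, pas celui du système) :

<code bash>
ssh -i <clé> -p <port> root@<serveur>
</code>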