diff --git a/README.md b/README.md new file mode 100644 index 0000000000000000000000000000000000000000..9a7f23122a8243c9badfbac46cea64d37c804b95 --- /dev/null +++ b/README.md @@ -0,0 +1,60 @@ +CryptOps-enabled Initrd +======================= + +This repository contains files that need to be added or changed in a "vanilla" +initrd in order to be able to use the +[CryptOps](https://code.greenhost.net/open/cryptops) toolkit to set up an +encrypted VPS. CryptOps is included as a subrepository, to be able to track the +changes to the API with the changes of this initrd. Use the `build.sh` script to +copy the CryptOps api and client binaries to the correct location in the initrd +before building it. + +More information can be found on the [documentation +website](https://cryptops.com) + +## VPS setup + +Some variables need to be passed to the initrd with kernel options. They are +retrieved from `/proc/cmdline`. [Here's the official +documentation.](https://github.com/torvalds/linux/blob/master/Documentation/filesystems/nfs/nfsroot.txt) + +- `root=/dev/mapper/xvda1_crypt`: The partition that needs to be mounted as root +- `cryptroot=/dev/xvda`: The device that needs to be partitioned and encrypted +- `ip=213.108.110.71::213.108.110.126:255.255.255.128:encrypted-system:eth0:off` + IP information: + `ip=::::::::` + +### Startup Notification + +Some extra variables are used in Greenhost's case to be able to use the Cosmos +Service Centre API to send a message to the owner of a VPS after it has been +restarted. These variables are used in /scripts/local-top/cryptroot-api to make +`$notification_command`. + +If you don't run on Greenhost infrastructure, change +that variable to something else to notify you of a (re)boot. + +If you do not have a notification_command, CryptOps will work fine, but when +your VPS reboots, you run the risk of not knowing this and your VPS will stay in +the initrd, waiting for you to unlock the disk. + +- `api_key=`: The *Bearer* authentication key for using the Cosmos API +- `instance_id=###`: The unique identifier of the VPS +- `cosmos_url=https://management.greenhost.nl`: The URL to the Cosmos API + +A VPS is assumed to have one drive that needs to be encrypted (additional drives +can be encrypted manually from the booted operating system). The drive will be +partitioned into an encrypted root partition (in this example `xvda1_crypt`) and +a not encrypted data partition. The latter is used to save SSH keys, so the user +can log into the SSH shell running in the initrd. + +## File structure + +The folder `crypt-initrd-extra-files` contains all the files that need to be +inserted in the root directory of an initrd to make CryptOps work. Some things +stand out: + +- The folder contains some symlinks pointing to a nonexistent directory + `conf/persistent/` (for example the `home_root` file). The persistent file + system is mounted in this directory by + `scripts/init-premount/mount_persistent_config`