From 9eb3d6d8b8f4bab8758d3e11aed198e58002c8ac Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Wed, 8 Nov 2017 12:27:13 +0100 Subject: [PATCH 1/5] first README version --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..62b84e3 --- /dev/null +++ b/README.md @@ -0,0 +1,56 @@ +CryptOps-enabled Initrd +======================= + +This repository contains files that need to be added or changed in a "vanilla" +initrd in order to be able to use the +[CryptOps](https://code.greenhost.net/open/cryptops) toolkit to set up an +encrypted VPS. + +More information can be found on the [documentation +website](https://cryptops.com) + +## VPS setup + +Some variables need to be passed to the initrd with kernel options. They are +retrieved from `/proc/cmdline`. + +- `root=/dev/mapper/xvda1_crypt`: The partition that needs to be mounted as root +- `cryptroot=/dev/xvda`: The device that needs to be partitioned and encrypted +- `ip=213.108.110.71::213.108.110.126:255.255.255.128:encrypted-system:eth0:off` + IP information ( + `::::::`) + +### Startup Notification + +Some extra variables are used in Greenhost's case to be able to use the API to +send a message to the owner of a VPS after it has been restarted. These +variables are used in /scripts/local-top/cryptroot-api to make +`$notification_command`. + +If you don't run on Greenhost infrastructure, change +that variable to something else to notify you of a (re)boot. + +If you do not have a notification_command, CryptOps will work fine, but when +your VPS reboots, you run the risk of not knowing this and your VPS will stay in +the initrd, waiting for you to unlock the disk. + +- `api_key=`: The *Bearer* authentication key for using the API +- `instance_id=###`: The unique identifier of the VPS +- `cosmos_url=https://management.greenhost.nl`: The URL to the API + +A VPS is assumed to have one drive that needs to be encrypted (additional drives +can be encrypted manually from the booted operating system). The drive will be +partitioned into an encrypted root partition (in this example `xvda1_crypt`) and +a not encrypted data partition. The latter is used to save SSH keys, so the user +can log into the SSH shell running in the initrd. + +## File structure + +The folder `crypt-initrd-extra-files` contains all the files that need to be +inserted in the root directory of an initrd to make CryptOps work. Some things +stand out: + +- The folder contains some symlinks pointing to a nonexistent directory + `conf/persistent/` (for example the `home_root` file). The persistent file + system is mounted in this directory by + `scripts/init-premount/mount_persistent_config` -- GitLab From d362c5c6e8c46c27f722783971bdb3f88adc2957 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Wed, 8 Nov 2017 13:53:44 +0100 Subject: [PATCH 2/5] point to nfsroot documentation and explain ip parameter --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 62b84e3..fdc419f 100644 --- a/README.md +++ b/README.md @@ -12,13 +12,14 @@ website](https://cryptops.com) ## VPS setup Some variables need to be passed to the initrd with kernel options. They are -retrieved from `/proc/cmdline`. +retrieved from `/proc/cmdline`. [Here's the official +documentation.](https://github.com/torvalds/linux/blob/master/Documentation/filesystems/nfs/nfsroot.txt) - `root=/dev/mapper/xvda1_crypt`: The partition that needs to be mounted as root - `cryptroot=/dev/xvda`: The device that needs to be partitioned and encrypted - `ip=213.108.110.71::213.108.110.126:255.255.255.128:encrypted-system:eth0:off` - IP information ( - `::::::`) + IP information: + `ip=::::::::` ### Startup Notification -- GitLab From d29973a499926f38ac5329e0cc6a2e97a74ee50b Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Wed, 8 Nov 2017 14:01:45 +0100 Subject: [PATCH 3/5] clarify reference to API --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index fdc419f..11679f3 100644 --- a/README.md +++ b/README.md @@ -23,9 +23,9 @@ documentation.](https://github.com/torvalds/linux/blob/master/Documentation/file ### Startup Notification -Some extra variables are used in Greenhost's case to be able to use the API to -send a message to the owner of a VPS after it has been restarted. These -variables are used in /scripts/local-top/cryptroot-api to make +Some extra variables are used in Greenhost's case to be able to use the Cosmos +Service Centre API to send a message to the owner of a VPS after it has been +restarted. These variables are used in /scripts/local-top/cryptroot-api to make `$notification_command`. If you don't run on Greenhost infrastructure, change @@ -35,9 +35,9 @@ If you do not have a notification_command, CryptOps will work fine, but when your VPS reboots, you run the risk of not knowing this and your VPS will stay in the initrd, waiting for you to unlock the disk. -- `api_key=`: The *Bearer* authentication key for using the API +- `api_key=`: The *Bearer* authentication key for using the Cosmos API - `instance_id=###`: The unique identifier of the VPS -- `cosmos_url=https://management.greenhost.nl`: The URL to the API +- `cosmos_url=https://management.greenhost.nl`: The URL to the Cosmos API A VPS is assumed to have one drive that needs to be encrypted (additional drives can be encrypted manually from the booted operating system). The drive will be -- GitLab From 794cac12f69f8427682a61d39f9b5698b1bf51ee Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Wed, 8 Nov 2017 15:28:14 +0100 Subject: [PATCH 4/5] say something about CryptOps api and client and build.sh --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 11679f3..8eb0ebc 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,10 @@ CryptOps-enabled Initrd This repository contains files that need to be added or changed in a "vanilla" initrd in order to be able to use the [CryptOps](https://code.greenhost.net/open/cryptops) toolkit to set up an -encrypted VPS. +encrypted VPS. CryptOps is included as a subrepository, to be able to track the +changes op the API wit the changes of this initrd. Use the `build.sh` script to +copy the CryptOps api and client binaries to the correct location in the initrd +before building it. More information can be found on the [documentation website](https://cryptops.com) -- GitLab From e7d85e514a7a071c270665ee9b539723f9aa10db Mon Sep 17 00:00:00 2001 From: Arie Peterson Date: Wed, 8 Nov 2017 15:54:47 +0100 Subject: [PATCH 5/5] Fix typos in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8eb0ebc..9a7f231 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ This repository contains files that need to be added or changed in a "vanilla" initrd in order to be able to use the [CryptOps](https://code.greenhost.net/open/cryptops) toolkit to set up an encrypted VPS. CryptOps is included as a subrepository, to be able to track the -changes op the API wit the changes of this initrd. Use the `build.sh` script to +changes to the API with the changes of this initrd. Use the `build.sh` script to copy the CryptOps api and client binaries to the correct location in the initrd before building it. -- GitLab