This very short post describes how to unlock Debian Bullseye with natively encrypted ZFS-on-Root. I'm assuming dropbear is installed and configured. No special configuration option is required.
Connect to the dropbear server and issue
zfsunlock
TIL the hard way how to configure grub to automatically install bootcode on all drives. Bootcode needs to be present on at least one drive. During package and operating system upgrades, the process of installing/updating bootcode is crucial if you expect the next system boot to be successful.
For software RAID configurations, such as mdadm or zfs, the bootcode must be installed on all 'boot' drives (i.e. drives which contain your / or /boot file systems) to avoid boot failures because
Grub provides a way to install bootcode manually. This method is well known and used in most tutorials as well as during Debian system installation:
grub-install /dev/sda
grub-install /dev/sdb
but there is also a way of performing the task automatically (at least on Debian):
dpkg-reconfigure grub-pc
By interactively selecting all boot disks, you lower your chances of boot failure. However, you still need to make sure to run either one of the commands after replacing a disk.
In 2017, I discovered Warren Zevon and have been listening to his music ever since. In fact, I had Frank and Jesse James transcribed as piano sheet music by mysheetmusictranscriptions.com. MySheetMusicTranscriptions granted me permission to share it within a small community for private (non-commercial) use only.
Have you ever used ps aux | grep ... on GNU/Linux to grep for a running process? Have you also used ps aux to view the whole process list on your terminal? At first glance, the two commands behave exactly the same; however, ps will truncate every line to fit within your terminal's width of echo $COLUMNS (see the man page ps(1)). If you want wide output (132 columns), specify another w, e.g. ps auxw. If you want unlimited output, specify yet another w, e.g. ps auxww.
This post will explain how to set up IPv6 connectivity via an initramfs script to remotely unlock your root partition on a server which uses a technology stack of dropbear (to be included in the initramfs) and cryptsetup, via IPv6 and IPv6 only. Unlocking your root partition with this workflow is less secure than using out-of-band management if you consider unattended hardware access by an attacker to your device as probable.
/etc/dropbear-initramfs to /etc/dropbear/initramfs and Thorsten Glaser inspired me to use his scripts for creating a repo initramfs-ipv6. I'm currently working on using a LACP bond for unlocking, stay tuned.
I am assuming you are successfully using dropbear to remotely unlock your root partition using cryptsetup via legacy IP (IPv4).
Accessing the internet through an always-on VPN full tunnel could be considered standard user behaviour these days. Things start to get annoying when the network (provider) limits VPN usage. For me, the most prominent case was an Eduroam wifi at a German university which grants only the absolute minimum of network access to its users, as required by the Eduroam specification. Here's the full list of mandatory (as in RFC MUST) unblocked ports (see page 32):
You are using Linux with an IPv6 unique local address (ULA) but no IPv6 unicast address assigned to the interface, but use them e.g. in a VPN context to provide IPv6 unicast connectivity through NAT. The same interface is also set up as the default route. This causes the default configuration of getaddrinfo(3) with ai_flags set to include AI_ADDRCONFIG to prefer IPv4, because missing IPv6 connectivity is assumed.