This post will explain how to set up IPv6 connectivity via an initramfs script to remotely unlock your root partition on a server which uses a technology stack of dropbear (to be included in the initramfs) and cryptsetup via IPv6 and IPv6 only. Unlocking your root partition with this workflow is less secure than using the out-of-band management if you consider unattended hardware access of an attacker to your device as probable.
The dropbear initramfs configuration directory moved from /etc/dropbear-initramfs to /etc/dropbear/initramfs, and Thorsten Glaser inspired me to use his scripts for creating a repo, initramfs-ipv6. I'm currently working on using an LACP bond for unlocking, stay tuned.

I am assuming you are successfully using dropbear to remotely unlock your root partition using cryptsetup via legacy IP (IPv4).
Starting with version 2020.79, dropbear supports ed25519 host and authorized keys. You may then also consider removing the rsa and ecdsa host keys, leaving only ed25519:
```sh
rm /etc/dropbear/initramfs/dropbear_ecdsa_host_key
rm /etc/dropbear/initramfs/dropbear_rsa_host_key
update-initramfs -k all -u
```
Attention: use only dropbearkey for creating host keypairs for dropbear.
For the initramfs IPv6 configuration script you need to know

```sh
# cat /etc/initramfs-tools/scripts/local-top/ipv6
#!/bin/sh
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# make sure the link is up before assigning the address
ip link set dev eth0 up
# static global address (documentation prefix, replace with your own) and
# default route via the link-local gateway address
ip addr add 2001:db8::/64 dev eth0
ip route add default via fe80::1 dev eth0
```

Make it executable:

```sh
chmod +x /etc/initramfs-tools/scripts/local-top/ipv6
```

and regenerate the initramfs for all of your installed kernels:

```sh
update-initramfs -u -k all
```
Set /etc/initramfs-tools/initramfs.conf to

```
DEVICE=eth0
IP=:::::eth0:off
```

(the trailing `off` in the `IP=` line disables the legacy-IP autoconfiguration of initramfs-tools while still naming the device) and configure IPv6 as described above.
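After regenerating the initramfs it is worth verifying that the result actually contains the ipv6 script and that only the ed25519 host key survived the cleanup above, since a stale initramfs on one kernel will quietly lock you out at the next reboot. The following POSIX sh snippet is an added example, not part of the original post or of initramfs-tools; it checks an `lsinitramfs` style listing read from stdin. The two sample listings embedded in it are constructed, and the exact in-initramfs path of the dropbear host keys is not assumed, only the file name pattern `dropbear_*_host_key`.

```shell
#!/bin/sh
# Added example: sanity-check an initramfs file listing.
# Real usage: lsinitramfs /boot/initrd.img-$(uname -r) | check_listing

# 0 if the listing on stdin contains the local-top ipv6 script, 1 otherwise.
has_ipv6_script() {
    grep -q 'scripts/local-top/ipv6$'
}

# 0 if ed25519 is the only dropbear host key in the listing on stdin,
# 1 if an rsa/ecdsa/dss key is still present or no host key exists at all.
only_ed25519_hostkey() {
    keys=$(grep -o 'dropbear_[a-z0-9]*_host_key$' | sort -u || true)
    [ -n "$keys" ] || return 1
    for k in $keys; do
        [ "$k" = "dropbear_ed25519_host_key" ] || return 1
    done
    return 0
}

# Reads a listing from stdin, prints one line per check,
# returns 0 only if every check passes.
check_listing() {
    listing=$(cat)
    rc=0
    if printf '%s\n' "$listing" | has_ipv6_script; then
        echo "ok: scripts/local-top/ipv6 is in the initramfs"
    else
        echo "MISSING: scripts/local-top/ipv6 (forgot chmod +x or update-initramfs?)"
        rc=1
    fi
    if printf '%s\n' "$listing" | only_ed25519_hostkey; then
        echo "ok: ed25519 is the only dropbear host key"
    else
        echo "WARN: rsa/ecdsa host key still present or no host key found"
        rc=1
    fi
    return $rc
}

# Constructed sample listings (not real lsinitramfs output).
good_listing() {
    cat <<'EOF'
.
etc/dropbear/dropbear_ed25519_host_key
etc/dropbear/authorized_keys
scripts/local-top/ipv6
scripts/local-top/cryptroot
EOF
}

bad_listing() {
    cat <<'EOF'
.
etc/dropbear/dropbear_ed25519_host_key
etc/dropbear/dropbear_rsa_host_key
scripts/local-top/cryptroot
EOF
}

good_listing | check_listing
bad_listing | check_listing || echo "(the second listing is expected to fail)"
```

Run it against every installed kernel's initrd, not just the running one, because `update-initramfs -u` without `-k all` only touches the current version.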
Sometimes it is actually possible to use the "network address" of an IPv4 network as a regular address. Let us look at 192.168.42.128/29 as an example. Five IP addresses can be used within the /29 network: the gateway usually sits at .129, .130-.134 are yours to use, and .135 is broadcast. In this scenario, try using .128. It might just work :)