authorJosh Rahm <joshuarahm@gmail.com>2023-02-25 12:06:25 -0700
committerJosh Rahm <joshuarahm@gmail.com>2023-02-25 12:06:25 -0700
commit1a669da23bea9bb8c74cafd92e0819249ff13493 (patch)
tree65bca35b435ed68de7defe509f5697a782fb6d0d /example.conf
parent10c1fe4071f248e976d920b3ca29971670893f33 (diff)
downloadacquire-key-over-ssh-1a669da23bea9bb8c74cafd92e0819249ff13493.tar.gz
acquire-key-over-ssh-1a669da23bea9bb8c74cafd92e0819249ff13493.tar.bz2
acquire-key-over-ssh-1a669da23bea9bb8c74cafd92e0819249ff13493.zip
Add ability to acquire the key from a separate drive and shred the key when finished.
Diffstat (limited to 'example.conf')
-rw-r--r--example.conf45
1 files changed, 45 insertions, 0 deletions
diff --git a/example.conf b/example.conf
new file mode 100644
index 0000000..cacf0f1
--- /dev/null
+++ b/example.conf
@@ -0,0 +1,45 @@
+# This is an example configuration for the acquire-key-over-ssh module
+
+# This is the interface the keyserver will be on. This script should
+# wait until this interface is up before trying to connect to the keyserver.
+keyserver_interface=eno2
+
+# This is the host that contains the ssh server with the key.
+keyserver_host=192.168.12.34
+
+# The host's ssh port.
+keyserver_port=22
+
+# Username to ssh into.
+keyserver_user=keyper
+
+# Uncomment the following if the key is stored on a block device.
+#
+# This device will be mounted before the key is retrieved.
+#
+# client_ssh_keys_device='/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+
+# The mountpoint to mount the ssh-key drive on (from above).
+# Uncomment if using the above configuration for keys stored on a device.
+# This is where the script will mount the block device to.
+#
+# client_ssh_keys_mountpoint="/mnt/boot/"
+
+# The location of the identity file (after mounting).
+# This defaults to /root/.ssh/id_rsa
+#
+# client_identity_file="/mnt/boot/ghost_key"
+
+# Shred the keys after use. This is useful to minimize the time an unencrypted
+# private key is on disk. Only really makes sense if the keys are on disk.
+#
+# One can set up a systemd service that places the identity key on the drive
+# during a routine shutdown, where it will be picked up, used to acquire the
+# decryption key, and shredded.
+#
+# Assuming the drive can be mounted, the script will always shred the keys
+# if this is set even if authentication failed.
+#
+# shred_keys_after_use=1
+
+add_dracutmodules+=" acquire-key-over-ssh "
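Review bot: The `shred_keys_after_use` commentary overstates what shredding buys: it says the option minimizes the time an unencrypted private key is on disk, but an in-place overwrite only removes the key on media and filesystems that actually rewrite the same blocks, and on journaled or copy-on-write filesystems and flash devices the old copy can survive. I would add a line under that block, `# NOTE: shred overwrites in place only; on journaled/CoW filesystems and flash media the old blocks may survive, so treat this as best-effort.`, so a deployer does not rely on it as the sole control. The same block would also benefit from saying whether the shred happens when the mount fails or the host is unreachable, since the text only covers the failed-authentication case. As a style point, `client_ssh_keys_device` is quoted with single quotes while `client_ssh_keys_mountpoint` and `client_identity_file` use double quotes; picking one form avoids surprises when the file is sourced by the shell.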