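# Example configuration for the acquire-key-over-ssh dracut module.
#
# Settings use shell assignment syntax: one per line, no spaces around "=".
# Lines starting with "#" are comments; remove the leading "# " from an
# optional setting to enable it.

# This is the interface the keyserver will be on. This script should
# wait until this interface is up before trying to connect to the keyserver.
keyserver_interface=eno2

# This is the host that contains the ssh server with the key.
# NOTE(review): confirm how the module verifies this host's SSH host key
# before the key is fetched; this file has no setting for it.
keyserver_host=192.168.12.34

# The host's ssh port.
keyserver_port=22

# Username to ssh into.
# Give this account no more access on the keyserver than reading the key
# requires.
keyserver_user=keyper

# Uncomment the following if the key is stored on a block device.
#
# This device will be mounted before the key is retrieved.
#
# client_ssh_keys_device='/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

# The mountpoint to mount the ssh-key drive on (from above).
# Uncomment if using the above configuration for keys stored on a device.
# This is where the script will mount the block device to.
#
# client_ssh_keys_mountpoint="/mnt/boot/"

# The location of the identity file (after mounting).
# This defaults to /root/.ssh/id_rsa
#
# client_identity_file="/mnt/boot/ghost_key"

# Shred the keys after use. This is useful to minimize the time an unencrypted
# private key is on disk. Only really makes sense if the keys are on disk.
#
# One can set up a systemd service that places the identity key on the drive
# during a routine shutdown, where it will be picked up, used to acquire the
# decryption key, and shredded.
#
# Assuming the drive can be mounted, the script will always shred the keys
# if this is set even if authentication failed.
#
# Caveat: overwriting a file in place is best-effort. On flash/SSD media and
# on journaling or copy-on-write filesystems, old key material may survive,
# so do not rely on shredding alone to protect the identity key.
#
# shred_keys_after_use=1

# Include this module when the initramfs is built. The surrounding spaces
# keep the name separated from other entries appended to the same list.
add_dracutmodules+=" acquire-key-over-ssh "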