# This is an example configuration for the acquire-key-over-ssh module.
#
# dracut sources its .conf files as shell, so values follow shell quoting
# rules; a commented-out key is simply left unset.

# This is the interface the keyserver will be on. This script should
# wait until this interface is up before trying to connect to the keyserver.
keyserver_interface=eno2

# This is the host that contains the ssh server with the key.
#
# NOTE(review): nothing in this example shows how the keyserver's ssh host
# key is verified from the initramfs; confirm the module ships a pinned
# known_hosts entry for this host, since the secret is fetched over this
# connection.
keyserver_host=192.168.12.34

# The host's ssh port.
keyserver_port=22

# Username to ssh into on the keyserver.
keyserver_user=keyper

# Uncomment the following if the key is stored on a block device.
#
# This device will be mounted before the key is retrieved. The UUID below is
# a placeholder; replace it with the real entry from /dev/disk/by-uuid/.
#
# client_ssh_keys_device="/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# The mountpoint to mount the ssh-key drive on (from above).
# Uncomment if using the above configuration for keys stored on a device.
# This is where the script will mount the block device to.
#
# client_ssh_keys_mountpoint="/mnt/boot/"

# The location of the identity file (after mounting).
# This defaults to /root/.ssh/id_rsa
#
# client_identity_file="/mnt/boot/ghost_key"

# Shred the keys after use. This is useful to minimize the time an unencrypted
# private key is on disk. Only really makes sense if the keys are on disk.
#
# One can set up a systemd service that places the identity key on the drive
# during a routine shutdown, where it will be picked up, used to acquire the
# decryption key, and shredded.
#
# Assuming the drive can be mounted, the script will always shred the keys
# if this is set even if authentication failed.
#
# NOTE(review): overwriting in place is only as good as the underlying
# storage; on flash media or a journaling filesystem a shredded file may
# leave copies behind, so treat this as defence in depth, not a guarantee.
#
# shred_keys_after_use=1

add_dracutmodules+=" acquire-key-over-ssh "