
Releases: ipaqmaster/zfsUnlocker

v0.5

14 May 13:52

Changes since v0.4:

  • The usbmuxd module's default for TryiPhoneUSB is now 1, so the module attempts iPhone tethering whenever a phone is available.
  • The WiFi module now accepts a space-separated list of networks, each written as ssid:psk (the SSID and PSK delimited by a colon).
  • The WiFi module now supports a broader range of iwlwifi-driven chipsets.
  • New 21_ssh module for last-resort remote access, authenticated either with a random string printed at boot or with operator SSH keys pre-baked into the initramfs.
  • Various improvements to the hooks for cleaner output, among other small tidy-ups.
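As an added example (my code, not the project's) of consuming the ssid:psk list format described above, the POSIX shell function below turns such a list into wpa_supplicant network blocks. The variable name, the output layout and the validation rules are my choices; the release notes only fix the space-separated, colon-delimited encoding.

```shell
#!/bin/sh
# Added example, not part of zfsUnlocker: render a space-separated list of
# "ssid:psk" entries (the 10_wifi module's format) as wpa_supplicant.conf
# network blocks. Variable names and validation rules are assumptions.

# Hex-encode a string so wpa_supplicant takes it as a raw SSID, which avoids
# quoting problems with SSIDs containing '"' or other odd bytes.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Usage: wifi_networks_to_wpa_conf "home:hunter2long office:pass:with:colons"
# Prints a wpa_supplicant.conf to stdout. Returns 1 if any entry was rejected,
# so a hook can refuse to proceed on a half-broken config instead of guessing.
wifi_networks_to_wpa_conf() {
    networks="$1"
    status=0
    printf 'ctrl_interface=/run/wpa_supplicant\n'
    set -f   # no globbing while word-splitting the list (re-enabled below)
    for entry in $networks; do
        case "$entry" in
            *:*) ;;
            *)  printf 'rejected entry without a colon: %s\n' "$entry" >&2
                status=1; continue ;;
        esac
        # Split on the FIRST colon only: the SSID cannot contain ':' in this
        # encoding, but the PSK is free to.
        ssid="${entry%%:*}"
        psk="${entry#*:}"
        if [ -z "$ssid" ] || [ -z "$psk" ]; then
            printf 'rejected entry with empty ssid or psk: %s\n' "$entry" >&2
            status=1; continue
        fi
        # WPA/WPA2 passphrases are 8..63 characters; wpa_supplicant rejects the
        # rest at runtime, so fail here where the message is still readable.
        if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
            printf 'rejected %s: psk must be 8-63 characters\n' "$ssid" >&2
            status=1; continue
        fi
        case "$psk" in
            *'"'*) printf 'rejected %s: psk may not contain a double quote\n' "$ssid" >&2
                   status=1; continue ;;
        esac
        printf 'network={\n\tssid=%s\n\tpsk="%s"\n}\n' "$(hex_encode "$ssid")" "$psk"
    done
    set +f
    return "$status"
}
```

Whatever the encoding, the PSK ends up inside the initramfs on the boot partition, which in a ZFS-root setup is normally unencrypted; that is the reason the v0.2 notes float client certificates as a revocable alternative.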

v0.4 small fixes & a new "last resort" SSH module.

02 Dec 11:43
  • Added a 21_ssh module. It can read the authorized_keys of listed users, who are then added at boot time for trusted access to enter the passphrase if every other step fails. Otherwise the host prints a temporary root SSH passphrase on the screen and keeps the SSH server open for 5 minutes. SSHing in simply presents the same passphrase prompt. After a successful passphrase entry the session is ended and the host finishes booting within a minute. Because the temporary passphrase is shown on the console, anyone who can see the screen (including over an out-of-band KVM or serial console) can use it during that window, so it grants no more than console access already would.

  • The main hook no longer runs the remaining modules once the root is already unlocked, which fits the module above: the door is only opened when it is absolutely required.

  • Added a zfs module check to the main hook for strange scenarios I encountered where the zfs module wouldn't load on certain hardware configurations, and sometimes in qemu. It retries over the course of a minute before bombing out. I've seen this happen when booting from, say, a USB stick, but not in qemu. So here it is.

I think that's it 🙂
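As an added example (my code, not the project's), the shell functions below show the two authentication paths the 21_ssh note describes: gathering authorized_keys from an explicit list of operator users for baking into the initramfs, and minting the one-shot root passphrase for the console fallback. The passwd-file parsing, the key filtering and the passphrase alphabet are my assumptions; the users and keys in the test are constructed fakes.

```shell
#!/bin/sh
# Added example, not zfsUnlocker's code: build the initramfs root's
# authorized_keys from an explicit operator list, and generate a one-time
# passphrase for the console fallback. Names and rules are assumptions.

# Collect the public keys of the listed users only. $root lets this run against
# a staging tree (or a test fixture) instead of the live system. Comment and
# blank lines are dropped, and only lines that carry a recognised key type are
# kept so stray text cannot end up in root's authorized_keys. Output is written
# to $out with mode 600 and the number of distinct keys kept is printed.
collect_operator_keys() {
    users="$1"; root="$2"; out="$3"
    umask 077
    tmp="$out.tmp"
    : > "$tmp"
    for u in $users; do
        home=$(awk -F: -v u="$u" '$1 == u { print $6 }' "$root/etc/passwd")
        [ -n "$home" ] || { printf 'no such user: %s\n' "$u" >&2; continue; }
        keyfile="$root$home/.ssh/authorized_keys"
        [ -r "$keyfile" ] || { printf 'no authorized_keys for %s\n' "$u" >&2; continue; }
        # Accept lines with a key type token, optionally preceded by options
        # such as restrict or from="...", and drop comment lines.
        grep -E '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+)[[:space:]]' "$keyfile" \
            | grep -v '^[[:space:]]*#' >> "$tmp" || true
    done
    sort -u "$tmp" > "$out"    # de-duplicate keys listed by several users
    rm -f "$tmp"
    chmod 600 "$out"
    wc -l < "$out" | tr -d ' '
}

# One-time root passphrase for the console fallback: 20 characters from
# /dev/urandom restricted to [A-Za-z0-9] (about 119 bits of entropy), easy to
# type from a photo of the screen and free of shell-special characters.
one_time_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
    printf '\n'
}
```

Run collect_operator_keys against a staging root before mkinitcpio so the resulting file can be inspected, then copy it into the initramfs; the passphrase function belongs in the boot-time path, where its output is printed once and discarded when the window closes.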

v0.3 - Various cleanup and a new module

08 Nov 08:37

Noteworthy things since v0.2:

  • Overall general tidy-ups
  • The hook now includes /usr/lib/udev/rules.d, so interface renaming can happen at this early boot stage when the udev hook runs before the zfsUnlocker hook. (I'd rather have the predictable names like wlp0s20f3 than wlan0 without reprobing iwlwifi.)
  • 20_vault module
    • Improved response codes for the vault module. If something goes wrong it does its best to say where the problem is: an expired token, a token permissions problem, or just plain DNS.
    • The vault module sets the permissions of /proc/cmdline to 440 when you pass your vault token and host as kernel boot arguments. Keep in mind that the kernel also logs its command line at boot (readable via dmesg) and the bootloader entry that carries it usually lives on the unencrypted boot partition, so a token passed this way is only as private as those.
  • 10_iphone module
    • Great for helping a laptop reach your vault server on the go without broadcasting your phone's hotspot or changing the 10_wifi module's SSID+PSK while out of the office.
    • If an iOS device is detected over USB, the host can try tethering through it for internet access.
    • You can either have your iOS device Trust the host on the fly or run idevicepair pair on the host before your next mkinitcpio run so that trust is stored for boot time. I've found that if you're quick enough you can get through the iOS Trust prompt before the 15_dhcp module kicks in.

v0.2 - more features, better debugging

31 May 14:13

Been a while since I made another tag for this little project.

Major changes since 0.1 include:

  • Colored output for installation warnings.
  • Repeated installs of the same commit no longer wipe /etc/zfsUnlocker/zfsUnlocker.conf.
    • The config file is only replaced when the commit recorded in the conf file doesn't match the one being installed (which implies an update).
    • A backup of the file is made, with a colorful warning.
  • Moved the 10_dhcp hook to 15_dhcp:
    • Added an optional forceInterface=xx config variable for 15_dhcp, for systems with multiple interfaces where one may get an IP quicker but may not reach the expected remote resource, while another link that also gets an IP can.
    • Added e1000e network card support alongside r8169.
    • This hook may dynamically enumerate PCI devices instead in the near future.
  • Created the 10_wifi hook:
    • Dynamically adds the relevant drivers to the initramfs for WiFi unlocking on the next boot.
    • Tested working with the Intel AX200 and AX201 (both use the iwlwifi driver).
    • Ideal for laptop scenarios.
    • Currently PCIe only; USB dongle support is in progress.
    • Client certificate support is in progress (revocable AP access sounds like a good idea).
  • Added 'test' functions to most hooks so they can be run locally, outside the initramfs, to get an idea of what they would do inside it.
  • Changes to 20_vault:
    • Optional kernel arguments VAULTHOSTOVERRIDE and VAULTTOKENOVERRIDE added, so the vault host and client token can be changed without regenerating the initramfs.
    • The vaultHost and vaultToken variables are now empty by default, without example values, in zfsUnlocker.conf.
    • Huge improvements to sanity checking before trying to read an actual vault secret, with much more useful output on failure than in the earlier stages.
    • Test function added so a 'leap of faith' reboot isn't required to find out whether it will likely work. See below for example test output.

Example 20_vault test output:

[me@desktop ~]# /etc/zfsUnlocker/modules.d/20_vault/hook test myZpool/root
Entering test mode.
		Accessing vault [vault.mydomain.com] successful, TOKEN IS VALID.
		Attempting unlock of: myZpool/root
		49 char length passphrase successfully found for myZpool/root
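To make the kernel-argument overrides and the error reporting of the vault module concrete, here is an added example in POSIX shell (my code, not the project's). It pulls VAULTHOSTOVERRIDE / VAULTTOKENOVERRIDE out of a kernel command line, maps Vault's HTTP status codes to the kind of message the v0.3 notes describe, shows the chmod on /proc/cmdline, and reads one key from a KV v2 secret. The KV v2 layout, the use of curl and jq, and the secret path are my assumptions; the command line in the block is constructed and its token is a placeholder.

```shell
#!/bin/sh
# Added example, not zfsUnlocker's own code. Functions only; nothing here
# talks to a real Vault unless you call vault_read_secret yourself.

# Pick KEY=value out of a kernel command line string. The last occurrence wins;
# an empty value is treated as absent. Returns 1 when the key is not present.
cmdline_value() {
    key="$1"; cmdline="$2"; found=''
    set -f   # no globbing while word-splitting (re-enabled below)
    for arg in $cmdline; do
        case "$arg" in
            "$key"=*) found="${arg#*=}" ;;
        esac
    done
    set +f
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Resolve the effective host/token: a kernel-arg override beats the value baked
# into the initramfs config (vaultHost / vaultToken in zfsUnlocker.conf).
effective_vault_setting() {
    override_key="$1"; baked="$2"; cmdline="$3"
    cmdline_value "$override_key" "$cmdline" 2>/dev/null || printf '%s\n' "$baked"
}

# Translate the HTTP status curl saw into an actionable message. In Vault,
# 403 covers invalid or expired tokens and missing policy, 404 a wrong path
# (or KV v1 vs v2 confusion), 503 a sealed or unavailable cluster; 000 is
# curl's code when no HTTP response arrived at all (DNS, routing, TLS).
vault_status_message() {
    case "$1" in
        200) printf 'ok\n' ;;
        400) printf 'bad request: malformed path or payload\n' ;;
        403) printf 'permission denied: token invalid, expired, or lacking a policy for this path\n' ;;
        404) printf 'not found: check the mount and path (KV v2 reads go via /data/)\n' ;;
        503) printf 'vault is sealed or unavailable\n' ;;
        000|'') printf 'no HTTP response: DNS, routing, TLS or host unreachable\n' ;;
        *)   printf 'unexpected HTTP status %s\n' "$1" ;;
    esac
}

# Once the token is on the command line, every process can read /proc/cmdline.
# Tightening it to 440 hides it from unprivileged readers in the initramfs, but
# not from dmesg (the kernel logs its command line) nor from whoever can read
# the bootloader entry on disk.
protect_cmdline() {
    chmod 440 /proc/cmdline
}

# Read one key from a KV v2 secret. The token travels in a header, never in the
# URL (URLs end up in proxy and server logs). Prints the value on success;
# otherwise prints a vault_status_message and returns 1. Assumes curl and jq.
vault_read_secret() {
    host="$1"; token="$2"; secret_path="$3"; key="$4"
    response=$(curl -sS --connect-timeout 5 --max-time 15 \
        -H "X-Vault-Token: $token" \
        -w '\n%{http_code}' \
        "https://$host/v1/$secret_path") || true
    code=$(printf '%s\n' "$response" | tail -n 1)
    body=$(printf '%s\n' "$response" | sed '$d')
    if [ "$code" != 200 ]; then
        printf 'vault read failed: %s\n' "$(vault_status_message "$code")" >&2
        return 1
    fi
    value=$(printf '%s' "$body" | jq -er ".data.data[\"$key\"]") || {
        printf 'vault read failed: key %s not present in secret\n' "$key" >&2
        return 1
    }
    printf '%s\n' "$value"
}

# Constructed kernel command line for illustration; the token is a placeholder.
EXAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-linux rw VAULTHOSTOVERRIDE=vault.mydomain.com:8200 VAULTTOKENOVERRIDE=hvs.PLACEHOLDER quiet'
```

A hook would call effective_vault_setting for both values, then vault_read_secret "$host" "$token" secret/data/zfs/myZpool-root passphrase (path and key assumed) and feed the result to zfs load-key; the status mapping is what turns a bare curl failure into "expired token" versus "plain DNS".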

v0.1 / The beginning

04 Dec 07:34
8f56e7b

A release tag for the first working version of this mkinitcpio hook/script.

The start of the public rewrite and in use on my own Arch desktop.