[GH-ISSUE #181] Unlock /home on boot #44

Closed
opened 2026-05-07 00:18:04 +02:00 by BreizhHardware · 3 comments

Originally created by @jlecour on GitHub (May 16, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/181

Hi,

I've just installed The Bastion on a fresh Debian 10.
The `/opt/bastion/bin/admin/setup-encryption.sh` script has helped me change my /home partition to an encrypted one, but at the end it says:

```
/opt/bastion/bin/admin/unlock-home.sh: line 5: /etc/bastion/luks-config.sh: No such file or directory
Not configured or badly configured (check /etc/bastion/luks-config.sh), nothing to do.
`-> [ OK ]
```

After a reboot, there is no passphrase prompted and obviously the partition is not mounted.

My partitions (/home is vdb1):

```
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
vda    254:0    0   20G  0 disk 
|-vda1 254:1    0  476M  0 part /boot
|-vda2 254:2    0  954M  0 part /
|-vda3 254:3    0  5.6G  0 part /usr
|-vda4 254:4    0  477M  0 part [SWAP]
|-vda5 254:5    0  477M  0 part [SWAP]
|-vda6 254:6    0  954M  0 part /tmp
`-vda7 254:7    0 11.2G  0 part /var
vdb    254:16   0   10G  0 disk 
|-vdb1 254:17   0  4.7G  0 part 
`-vdb2 254:18   0  5.4G  0 part /opt
```

The relevant part of my fstab:

```
/dev/disk/by-id/dm-name-home /home ext4 defaults,errors=remount-ro,noauto,nosuid,noexec,nodev 0 0
```

Did I do something wrong?


@jlecour commented on GitHub (May 16, 2021):

I've found that `/etc/bastion/luks-config.sh` doesn't exist. The setup script does check if the directory exists.

I've created it manually with this content and it works:

```
DEV_ENCRYPTED=/dev/vdb1
DEV=/dev/disk/by-id/dm-name-home
UNLOCKED_NAME=home
MOUNTPOINT=/home
```

… but I still don't have a prompt at boot time to automatically mount /home.


@speed47 commented on GitHub (May 19, 2021):

Hello,

The `/etc/bastion/luks-config.sh` is copied by the `bin/admin/install` script from the provided `.dist` file, then placeholders are filled by the encryption helper script (`/opt/bastion/bin/admin/setup-encryption.sh`) when you run it.
Did you launch the encryption script before running the general install script?

> … but I still don't have a prompt at boot time to automatically mount /home.

If your machine/VM reboots, it completes the reboot successfully, and SSHd (and other services) are started, so that an admin can then SSH to the machine and run the unlock script. Not blocking at the boot stage is part of the design; note however that, of course, no user will be able to connect to the bastion as all keys are in `/home`, which is not mounted: only `root` will be able to log in. This way, you don't need console access to unlock your bastion, just plain good old SSH.

We do have monitoring in place so that the machine reports itself as locked and requiring admin intervention. This probe will be ported to NRPE and pushed to the repository at some point, but it's trivial to implement if you do have some kind of monitoring: you can just warn when `/home` is not mounted.

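The probe speed47 describes above, written out as an added example that is not part of the-bastion: a POSIX shell check using the Nagios/NRPE plugin exit-code convention that reads `MOUNTPOINT` from `/etc/bastion/luks-config.sh` and reports CRITICAL while it is not mounted. The function names, the choice of `/proc/self/mounts` as the mount table, and the constructed demo data are assumptions.

```shell
#!/bin/sh
# Added example, not part of the-bastion: a Nagios/NRPE-style probe that
# reports CRITICAL while the encrypted /home is still locked, i.e. while the
# MOUNTPOINT named in /etc/bastion/luks-config.sh is not mounted.
# Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# Extract MOUNTPOINT from the config without sourcing (executing) it.
get_mountpoint() {
    sed -n 's/^MOUNTPOINT=//p' "$1" | head -n 1 | tr -d '"'"'"
}

# $1 = luks-config.sh path, $2 = mount table (default /proc/self/mounts; a
# constructed table can be passed for testing). Prints one status line and
# returns the plugin exit code.
check_home_unlocked() {
    cfg="$1"
    mounts="${2:-/proc/self/mounts}"
    if [ ! -r "$cfg" ]; then
        echo "UNKNOWN - cannot read $cfg (setup-encryption.sh not run?)"
        return 3
    fi
    mp=$(get_mountpoint "$cfg")
    if [ -z "$mp" ]; then
        echo "UNKNOWN - no MOUNTPOINT in $cfg"
        return 3
    fi
    # Field 2 of the mount table is the mountpoint; require an exact match.
    if awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' "$mounts"; then
        echo "OK - $mp is mounted, bastion is unlocked"
        return 0
    fi
    echo "CRITICAL - $mp is not mounted, bastion is locked: run unlock-home.sh"
    return 2
}

# Offline demo on constructed input mirroring the config from this issue;
# returns the probe's exit code for a host that rebooted but is not unlocked.
demo_locked_host() {
    d=$(mktemp -d)
    printf 'DEV_ENCRYPTED=/dev/vdb1\nDEV=/dev/disk/by-id/dm-name-home\n' > "$d/luks-config.sh"
    printf 'UNLOCKED_NAME=home\nMOUNTPOINT=/home\n' >> "$d/luks-config.sh"
    # constructed mount table: / and /usr mounted, /home absent
    printf '/dev/vda2 / ext4 rw 0 0\n/dev/vda3 /usr ext4 rw 0 0\n' > "$d/mounts"
    rc=0
    check_home_unlocked "$d/luks-config.sh" "$d/mounts" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Live use (e.g. as an NRPE command): check_home_unlocked /etc/bastion/luks-config.sh
```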

@jlecour commented on GitHub (May 21, 2021):

Hi Stéphane,

I've possibly run the `setup-encryption.sh` script before installing the bastion.
I was about to suggest adding a check in the script, but I've seen that you've done that. Kudos.

Not blocking the boot for the passphrase makes sense. Having an NRPE check would be awesome. We are using Icinga2 in NRPE mode, so it would be perfect in our setup.

Thanks a lot for the help and for sharing this piece of software.
