Run the tailscale client in a Debian or Ubuntu initramfs, to provide access to the Linux system prior to unlocking an encrypted root filesystem.
Requires tailscale to already be installed.

## Install the tailscale-initramfs package
```sh
# Add the repository
sudo mkdir -p --mode=0755 /usr/local/share/keyrings
curl -fsSL https://lugoues.github.io/tailscale-initramfs/public.key | sudo tee /usr/local/share/keyrings/tailscale-initramfs-keyring.asc >/dev/null
echo 'deb [signed-by=/usr/local/share/keyrings/tailscale-initramfs-keyring.asc] https://lugoues.github.io/tailscale-initramfs/repo stable main' | sudo tee /etc/apt/sources.list.d/tailscale-initramfs.list >/dev/null

# Install tailscale-initramfs
sudo apt-get update && sudo apt-get install tailscale-initramfs
```
Run `setup-initramfs-tailscale` and follow the instructions. It registers a tailscale node with a hostname derived from the host system: if the host is named `homeserver`, the tailscale node will be registered as `homeserver-initrd`, which makes it easier to identify the node later in the Tailscale admin panel.
The Tailscale daemon can run a builtin SSH server; when it is enabled, installing dropbear or tinyssh isn't required to access the node remotely. To enable it, pass the `--ssh` option: `setup-initramfs-tailscale --ssh`.

The main difference between the builtin SSH server and something like dropbear or tinyssh is that the former is only reachable over the tailnet: the node won't respond to local connections unless the client is also connected to the tailscale network.
The Tailscale node key is stored in plain text inside the initramfs. Even if the root filesystem is encrypted, remember that the initramfs isn't. Someone with physical access to the node could copy the tailscale keys and attempt to log into the tailscale network impersonating the node the keys were created for.

To minimize the attack surface, we can limit the initramfs tailscale node to only accept incoming connections by adding the following Tailscale ACL and tagging clients, servers and initrd nodes accordingly in the Tailscale Machines panel.
```json
{
  "tagOwners": {
    "tag:initrd": ["autogroup:admin"],
    "tag:client": ["autogroup:admin"],
    "tag:server": ["autogroup:admin"],
  },
  "acls": [
    {"action": "accept", "src": ["tag:client"], "dst": ["*:*"]},
    {"action": "accept", "src": ["tag:server"], "dst": ["tag:server:*"]},
  ],
}
```
Even if an attacker manages to get the node keys, they won't be able to escalate into your tailscale network: no rule lists `tag:initrd` as a source, so all other nodes stay unreachable from the initrd node.
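As an added example (not part of the original policy above or of the tailscale-initramfs project), the same policy with a `tests` section, so that the admin console refuses to save any later edit that would let an initrd node reach other nodes. The `ssh` rule is an assumption: Tailscale SSH logins are governed by the policy's `ssh` section, and since the initrd node is tagged, a rule with `tag:initrd` as destination is needed for the builtin SSH server; port 22 and a root login are assumed here.

```jsonc
{
  "tagOwners": {
    "tag:initrd": ["autogroup:admin"],
    "tag:client": ["autogroup:admin"],
    "tag:server": ["autogroup:admin"],
  },
  "acls": [
    // Clients may reach everything, including the initrd nodes' SSH port.
    {"action": "accept", "src": ["tag:client"], "dst": ["*:*"]},
    // Servers may only talk to each other. No rule has tag:initrd as src,
    // so a stolen initrd key cannot initiate any connection.
    {"action": "accept", "src": ["tag:server"], "dst": ["tag:server:*"]},
  ],
  // Tailscale SSH access to the initramfs node (assumed: root login from
  // admin workstations tagged tag:client).
  "ssh": [
    {"action": "accept", "src": ["tag:client"], "dst": ["tag:initrd"], "users": ["root"]},
  ],
  // Policy tests: a save that breaks any of these is rejected.
  "tests": [
    // An initrd node must not be able to reach anything else.
    {"src": "tag:initrd", "deny": ["tag:server:22", "tag:server:443", "tag:client:22"]},
    // Admin workstations must still reach the initramfs SSH server.
    {"src": "tag:client", "accept": ["tag:initrd:22"]},
    // Servers must not be able to reach the initrd node either.
    {"src": "tag:server", "deny": ["tag:initrd:22"]},
  ],
}
```

The `deny` assertions are what matter for this setup: if someone later adds a broad rule such as `"src": ["*"]`, the first test fails and the change is not saved.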
## Credits

- @darkrain42 for creating tailscale-initramfs, the basis for this entire thing
- @dangra for the foundation of the `setup-initrdfs-init` script he created for mkinitcpio-tailscale