====== Kigen ======

===== Overview =====
[[https://github.com/r1k0/kigen|Kigen]] is a useful tool that can generate initramfs with dropbear and LUKS support for remotely decrypting a root filesystem for a fully encrypted host. A few tweaks are needed to make this fully work under Sabayon.

I opted to keep the Sabayon kernels rather than building custom ones, but the initramfs will still need to be rebuilt for any kernel upgrades.

===== Installation =====
Install kigen from portage, or from your local community repository.

===== Configuration =====
{{File|/etc/kigen/initramfs/default.conf|''0@@''}}

===== Building the initramfs =====
{{Root|<code bash>
kigen i --rootpasswd=changgeme
</code>}}

===== Tweaks =====
First, extract the initramfs so we can make changes to it.
{{Root|<code bash>
kigen t --extract=/boot/initramfs-foo
</code>}}
{{Note|''1@@''}}

The dropbox provided by Sabayon is linked to some libraries in /usr/lib which don't get picked up by kigen's initramfs. Copy these into the initramfs manually.
{{Root|<code bash>
mkdir /var/tmp/kigen/extracted-initramfs/usr/lib
cp /usr/lib/libtom{math,crypt}.so.0 /var/tmp/kigen/extracted-initramfs/usr/lib/
</code>}}}

Dropbear also needs some keys created, which won't get done automatically.
{{Root|<code bash>
mkdir /var/tmp/kigen/extracted-initramfs/etc/dropbear
dropbearkey -t dss -f /var/tmp/kigen/extracted-initramfs/etc/dropbear/dropbear_host_dss_key
dropbearkey -t rsa -f /var/tmp/kigen/extracted-initramfs/etc/dropbear/dropbear_host_rsa_key
</code>}}

Rebuild the initramfs with the new changes
{{Root|<code bash>
kigen t --compress=/var/tmp/kigen/extracted-initramfs/ --into=/boot/initramfs-foo
</code>}}

===== Usage =====
The kernel line in grub needs to be amended with the networking and dropbear instructions. Append the following to the defaults in ''/etc/default/grub'' or ''/etc/default-sabayon-grub''>

''2@@''

Update the initrd line as well if necessary.

Finally, reboot, and try SSHing into the host. Run the following command when prompted, to unlock the root filesystem and continue the boot process.

{{Root|<code bash>
  - Replace /dev/sda4 below with the encrypted root partition
./root-luks.sh /dev/sda4
</code>}}