Run the tailscale client in a Debian or Ubuntu initramfs, to provide access to the Linux system prior to unlocking an encrypted root filesystem. When combined with tailscale ssh or dropbear-initramfs, allows remote unlocking of an encrypted root filesystem from other systems in the tailnet.
Intended to be used with a tailscale ephemeral auth key to log into your tailnet. Assign an ACL tag to that auth key to lock down what access the pre-boot environment can have to the rest of the tailnet, i.e. to disallow all outbound access from the initramfs, and only permit inbound connections.
-
Requires tailscale already be installed
-
Install tailscale-initramfs package
# Add the repository
sudo mkdir -p --mode=0755 /usr/local/share/keyrings
curl -fsSL https://darkrain42.github.io/tailscale-initramfs/keyring.asc | sudo tee /usr/local/share/keyrings/tailscale-initramfs-keyring.asc >/dev/null
echo 'deb [signed-by=/usr/local/share/keyrings/tailscale-initramfs-keyring.asc] https://darkrain42.github.io/tailscale-initramfs/repo stable main' | sudo tee /etc/apt/sources.list.d/tailscale-initramfs.list >/dev/null
# Install tailscale-initramfs
sudo apt-get update && sudo apt-get install tailscale-initramfs-
Add authkey in /etc/tailscale/initramfs/config
-
Rebuild the initramfs
update-initramfs -c -k all-
uses the tailscale state/data from the normal Linux install. This means that the initramfs will show up as the existing device on the tailnet, but means the private key material is stored in the initramfs (which is commonly unencrypted).
-
tailscale-initramfs by Lugoues
Similar to this package, but registers the initrd as a tailscale device when you configure the package. The initrd device will be present in the tailnet all the time.