This forum is for topics dealing with problems with software specifically in the ARMv6h repo.

safely unlocking encrypted root over wifi

Postby jbodhorn » Fri Oct 14, 2016 4:55 am

I've set up an encrypted root on my RPi and set up dropbear and have been able to unlock when connected to the network via ethernet/dhcp. My ip addresses are reserved in my router so even using dhcp I still get the same ip each boot.

I've set up mkinitcpio-netconf to give me network access over ethernet, but I don't see how to set it up for wifi. If I can't unlock over wifi I won't be able to complete my project, which is nearly done; unlocking the encrypted root via wifi is my last step before being finished.

My whole project is supposed to be a RPi wireless security camera using motion/motioneye, something that can be placed out in the yard within range of wifi and record saving the recorded data to a remote server.

I've got the camera working and saving to my odroid-xu4 samba server, I've encrypted my root and gotten it to boot, and I've unlocked via wired network connection which does me no good in my yard where there is no ethernet...

If anyone can point me in the right direction I could really use the help. There isn't much current info on encrypted root that I could dig up, and due to the lack of current info it took me quite a few attempts just to get the encrypted root to boot. Unlocking over ethernet wasn't too bad, but I can't find any info on how to unlock over wifi.

I'm assuming something like wpa_supplicant needs to come into play. mkinitcpio-netconf uses systemd-networkd, which I've been having issues getting connected to wifi. I've been using netctl, where I can put the (hashed) wifi password into the netctl profile.

My whole point in encrypting the root was to keep my data private, so things like our network passwords, addresses and logins for my samba server are kept safe. Since my boot isn't encrypted, if the initrd contains something like wpa_supplicant so I can unlock over wifi and someone were to steal my RPi cam, they'd potentially be able to get our network password if they had any clue what they were looking at.

I've seen how low-security most ip cams are; I'm doing my best to avoid as many security holes as possible.
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am

Re: safely unlocking encrypted root over wifi

Postby jbodhorn » Fri Oct 14, 2016 7:47 pm

I found this: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Remote_unlock_via_wifi_.28hooks:_build_your_own.29
and was able to unlock over wifi.

> Remote unlock via wifi (hooks: build your own)
>
> The net hook is normally used with an ethernet connection. In case you want to set up a computer with wireless only, and unlock it via wifi, you can create a custom hook to connect to a wifi network before the net hook is run.
> The example below shows a setup using a USB wifi adapter, connecting to a wifi network protected with WPA2-PSK. In case you use for example WEP or another boot loader, you might need to change some things.
>
> 1. Modify /etc/mkinitcpio.conf
> Add the needed kernel module for your specific wifi adapter.
> Include the wpa_passphrase and wpa_supplicant binaries.
>
> Add a hook wifi (or a name of your choice, this is the custom hook that will be created) before the net hook.
>
>     MODULES="module"
>     BINARIES="wpa_passphrase wpa_supplicant"
>     HOOKS="base udev autodetect ... wifi net ... dropbear encryptssh ..."
>
> 2. Create the wifi hook in /lib/initcpio/hooks/wifi
>
>     # initcpio runtime hook: sourced by the initramfs init, so no shebang is needed
>     run_hook ()
>     {
>         # sleep a couple of seconds so wlan0 is set up by the kernel
>         sleep 5
>
>         # set wlan0 to up
>         ip link set wlan0 up
>
>         # associate with wifi network
>         # 1. save temp config file (the ESSID and passphrase are literals in this
>         #    hook, so they end up inside the initramfs image on the boot partition;
>         #    /tmp/wifi itself lives only in the initramfs RAM filesystem)
>         wpa_passphrase "network ESSID" "pass phrase" > /tmp/wifi
>
>         # 2. associate
>         wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi
>
>         # sleep a couple of seconds so that wpa_supplicant finishes connecting
>         sleep 5
>
>         # wlan0 should now be connected and ready to be assigned an ip by the net hook
>     }
>
>     run_cleanuphook ()
>     {
>         # kill wpa_supplicant running in the background
>         killall wpa_supplicant
>
>         # set wlan0 link down
>         ip link set wlan0 down
>
>         # wlan0 should now be fully disconnected from the wifi network
>     }
>
> 3. Create the hook installation file in /lib/initcpio/install/wifi:
>
>     build ()
>     {
>         # copy the runtime hook above into the image
>         add_runscript
>     }
>
>     help ()
>     {
>         cat <<HELPEOF
>     Enables wifi on boot, for dropbear ssh unlocking of disk.
>     HELPEOF
>     }
>
> 4. Add
> ip=:::::wlan0:dhcp
> to the kernel parameters. https://wiki.archlinux.org/index.php/Kernel_parameters
> Remove
> ip=:::::eth0:dhcp
> so it does not conflict.

Here I edited my /boot/cmdline.txt; here is what I have:

    cryptdevice=/dev/mmcblk0p3:root root=/dev/mapper/root rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop ip=:::::wlan0:dhcp

> 5. Optionally create an additional boot entry with kernel parameter ip=:::::eth0:dhcp
>
> 6. Regenerate the initramfs image. https://wiki.archlinux.org/index.php/Mkinitcpio#Image_creation_and_activation

I used this to create my initrd:

    sudo mkinitcpio -k $(uname -r) -g /boot/initrd -c /etc/mkinitcpio.conf

> 7. Update the configuration of your boot loader, e.g. for GRUB:
>
>     # grub-mkconfig -o /boot/grub/grub.cfg
>
> Remember to set up wifi, https://wiki.archlinux.org/index.php/Wireless_network_configuration so you are able to log in once the system is fully booted. In case you are unable to connect to the wifi network, try increasing the sleep times a bit.


My biggest concern with this project is security. Short of cementing a pole in the ground and putting my RPi security cam in a lock box attached to the pole, what else can I do to lock this Pi down?
jbodhorn
 
Posts: 41
Joined: Wed Dec 16, 2015 2:22 am
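As an added example (my own, not code from the thread or the Arch wiki), a host-side helper for the concern raised above: it derives the PSK the same way wpa_passphrase does and emits a wpa_supplicant network block holding only the hex key, and it scans a hook or config pulled out of an initramfs for a plaintext passphrase; wpa_psk, wpa_conf and find_passphrase_leaks are names I chose, and SAMPLE_HOOK is constructed. The hex PSK is still a credential that lets anyone who reads the unencrypted boot partition join the network; what it avoids is exposing the human-readable passphrase, which is the thing most likely to be reused elsewhere.

```python
import hashlib
import re


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA2-PSK exactly as wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes), hex-encoded."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def wpa_conf(ssid: str, psk_hex: str) -> str:
    """wpa_supplicant network block carrying only the derived key (unquoted hex),
    so the passphrase itself never has to be written into the initramfs."""
    if not re.fullmatch(r"[0-9a-f]{64}", psk_hex):
        raise ValueError("psk must be 64 lowercase hex digits")
    return f'network={{\n\tssid="{ssid}"\n\tpsk={psk_hex}\n}}\n'


# Lines that mean a plaintext passphrase is baked into the image. A quoted psk="..."
# is a passphrase (unquoted hex is a PSK); wpa_passphrase also emits a commented
# #psk="..." line, which leaks just as much if its output is saved into the image;
# and a wpa_passphrase "ssid" "pass" call in a hook carries the passphrase as a literal.
_LEAKS = [
    re.compile(r'^\s*#?\s*psk="'),
    re.compile(r'\bwpa_passphrase\s+"[^"]*"\s+"[^"]*"'),
]


def find_passphrase_leaks(text: str) -> list:
    """Return 1-based line numbers in a hook or config (e.g. a file from an
    extracted initramfs) that still contain a plaintext WPA passphrase."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in _LEAKS)]


# Constructed sample: the run_hook body from the wiki recipe as it would appear in
# the extracted image. Line 3 carries the passphrase literal.
SAMPLE_HOOK = """\
ip link set wlan0 up
# 1. save temp config file
wpa_passphrase "network ESSID" "pass phrase" > /tmp/wifi
wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi
"""

if __name__ == "__main__":
    print("leaking lines in sample hook:", find_passphrase_leaks(SAMPLE_HOOK))
    print(wpa_conf("IEEE", wpa_psk("IEEE", "password")), end="")
```

The "IEEE"/"password" pair is the published IEEE 802.11i test vector, so the derived key can be checked against the standard; the generated block can be shipped in the image and passed to wpa_supplicant with -c in place of the wpa_passphrase call.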