Run the tailscale client in a Debian or Ubuntu initramfs, to provide access to the Linux system prior to unlocking an encrypted root filesystem. For instance, when combined with dropbear-initramfs, allows remote unlocking of an encrypted root filesystem from other systems in the tailnet.
Intended to be used with a tailscale ephemeral auth key to log into your tailnet. Assign an ACL tag to that auth key to lock down what access the pre-boot environment can have to the rest of the tailnet.
-
Requires tailscale already be installed
-
Install tailscale-initramfs package
# Add the repository
sudo mkdir -p --mode=0755 /usr/local/share/keyrings
curl -fsSL https://darkrain42.github.io/tailscale-initramfs/keyring.asc | sudo tee /usr/local/share/keyrings/tailscale-initramfs-keyring.asc >/dev/null
echo 'deb [signed-by=/usr/local/share/keyrings/tailscale-initramfs-keyring.asc] https://darkrain42.github.io/tailscale-initramfs/repo stable main' | sudo tee /etc/apt/sources.list.d/tailscale-initramfs.list >/dev/null
# Install tailscale-initramfs
sudo apt-get update && sudo apt-get install tailscale-initramfs-
Add authkey in /etc/tailscale/initramfs/config
-
Rebuild the initramfs
update-initramfs -c -k all-
uses the tailscale state/data from the normal Linux install. This means that the initramfs will show up as the existing device on the tailnet, but means the private key material is stored in the initramfs (which is commonly unencrypted).