This repository is a suite of reusable Tinkerbell Actions that are used to compose Tinkerbell Workflows.

The official Image Builder project does not support LUKS encryption for Ubuntu raw disk images by default. This is a critical limitation when provisioning secure, encrypted bare metal systems in cloud-native environments like Tinkerbell.

Additionally, Tinkerbell's official actions like writefile do not support writing into LUKS-encrypted root partitions, which means injecting configuration (e.g. cloud-init, SSH keys, Netplan) fails unless the volume is manually decrypted and mounted beforehand.

To address this, we developed two components:

A standalone Bash script to convert an unencrypted Ubuntu 22.04+ raw disk image into a LUKS2-encrypted image with:

• ✅ Encrypted root partition (/) using LUKS2
• ✅ Unencrypted EFI and /boot partitions
• ✅ Keyfile (/boot/root_crypt.key) stored in /boot and backed up to local disk
• ✅ GRUB, initramfs, fstab, and crypttab updates in a chrooted environment
• ✅ Root partition auto-resized (+2GB by default)
• ✅ Full debug logging and safe error handling

Note: The /boot partition contains the unlock key. Use TPM2, SecureBoot, or other physical security measures to protect it.

A custom writefile action for Tinkerbell that:

• ✅ Unlocks the LUKS-encrypted root partition using /boot/root_crypt.key
• ✅ Mounts the decrypted volume at /mnt/root
• ✅ Writes arbitrary files (e.g., cloud-init, netplan, authorized_keys) into the mounted filesystem
• ✅ Drop-in replacement for the original writefile action

This toolchain is especially useful for provisioning encrypted Ubuntu nodes with EKS Anywhere using Tinkerbell workflows.

You can:

1. Stream a LUKS-encrypted Ubuntu image
2. Unlock the root partition via keyfile in /boot
3. Inject configuration (cloud-init, kubeadm, etc.)
4. Reboot into a secure, Kubernetes-ready node

tasks:
  - name: install-encrypted-ubuntu
    worker: '{{.device_1}}'
    actions:
      - name: image2disk
        image: quay.io/tinkerbell-actions/image2disk
        ...
      - name: unlock-and-configure
        image: quay.io/ssahani/writefile
        ...
      - name: reboot
        image: public.ecr.aws/tinkerbell-actions/reboot

Here’s a concise GitHub-style README.md summary for your project:

⸻

A Go-based tool to unlock a LUKS-encrypted root partition, mount boot/root filesystems, and run user-defined commands inside a chrooted Linux environment. Ideal for provisioning, recovery, or cloud-init-like workflows.

• Unlocks LUKS root partition using a keyfile
• Mounts boot and root partitions
• Sets up a minimal chroot with /dev, /proc, /sys, /dev/pts
• Runs commands via configurable interpreter (e.g., /bin/sh, /bin/bash)
• Supports non-root execution using sudo
• Optional DNS (resolv.conf) support inside chroot

sudo BLOCK_DEVICE=/dev/sda3 \
     BOOT_DISK=/dev/sda2 \
     CMD_LINE="apt-get update; apt-get install -y nginx" \
     CHROOT=y \
     UPDATE_RESOLV_CONF=true \
     ./chroot-luks-runner

📦 Environment Variables

Variable	Description	Default
BLOCK_DEVICE	LUKS-encrypted root device path	/dev/sda3
BOOT_DISK	Unencrypted boot device path	/dev/sda2
FS_TYPE	Filesystem type for root	ext4
BOOT_FS_TYPE	Filesystem type for boot	ext4
CMD_LINE	;-separated commands to run inside chroot	(required)
CHROOT	Set to y to enable chroot execution	n
DEFAULT_INTERPRETER	Shell interpreter to run commands	/bin/sh -c
UPDATE_RESOLV_CONF	Copy DNS config to chroot	false
DEBIAN_FRONTEND	Set Debian frontend mode	noninteractive