15 Jan 2022 - by 'Maurits van der Schee'
I feel that full disk encryption of servers is a must. Not to protect against attackers with physical access (who can tamper with the unencrypted boot loader or an unprotected BIOS), but to avoid leaking data when a disk or computer is stolen or replaced. But what do you do when you need to reboot your server and have no console access to enter the passphrase? This post explains how to run a small SSH server from the initial RAM file system during boot, so that you can unlock the encrypted root partition remotely.
Install the "dropbear" SSH server into the initial ram file system with:
sudo apt install dropbear-initramfs
You are expected to see the message:
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!
You now need to add your public key to the initramfs:
sudo nano /etc/dropbear-initramfs/authorized_keys
Also edit "/etc/dropbear-initramfs/config" using
sudo nano /etc/dropbear-initramfs/config
And change "DROPBEAR_OPTIONS" to:
DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"
This sets the idle disconnect timeout to 300 seconds (-I), disables local (-j) and remote (-k) port forwarding, sets the listening port to 2222 (-p) and disables password logins (-s).
Unless you use DHCP you also need to give the initramfs a static IP configuration in "/etc/initramfs-tools/initramfs.conf", by changing the "IP" setting to:
This will set your IP address to 10.0.0.10, your gateway to 10.0.0.1, your netmask to 255.255.255.0 and your hostname to "bastion".
Save the altered files and rebuild the initial RAM file system with:
sudo update-initramfs -u
This will take several seconds on a fast machine.
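The server side of the steps above as one non-interactive script. This is an added example, not code from the original post: it writes the same two files the post edits by hand, rejects anything that is not an OpenSSH public key line (the "Invalid authorized_keys" warning from the install step) and then rebuilds the initrd. The paths are those of the dropbear-initramfs package at the time of the post. The IP= value follows the kernel's ip= parameter layout (client:server:gateway:netmask:hostname:device:autoconf); leaving the server and device fields empty and setting autoconf to "none" is my choice, not something the post states. The ROOT prefix argument only exists so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post: write the dropbear-initramfs
# and initramfs-tools settings from the post non-interactively, then rebuild
# the initrd. ROOT is a directory prefix so the functions can be exercised
# against a scratch directory; an empty ROOT means the live system.
set -eu

# initramfs.conf IP= value in the kernel ip= layout
# client:server:gateway:netmask:hostname:device:autoconf (assumption: the
# NFS server field and the device are left empty, autoconf "none" = no DHCP).
render_ip_line() {
    # $1 address, $2 gateway, $3 netmask, $4 hostname
    printf 'IP=%s::%s:%s:%s::none\n' "$1" "$2" "$3" "$4"
}

# Options from the post: 300 s idle timeout, no local (-j) or remote (-k)
# forwarding, listen on 2222, no password logins (-s).
render_dropbear_options() {
    printf 'DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"\n'
}

# Replace every existing KEY=... line in a config file by one new line, or
# append it when the key is absent; idempotent, so the script can be re-run.
set_config_key() {
    # $1 file, $2 key, $3 complete replacement line
    tmp=$(mktemp)
    { [ -f "$1" ] && grep -v "^$2=" "$1" || true; printf '%s\n' "$3"; } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

configure_remote_unlock() {
    # $1 root prefix ("" for the live system), $2 public key line,
    # $3 address, $4 gateway, $5 netmask, $6 hostname
    root=$1
    # Refuse anything that is not an OpenSSH public key line; an invalid
    # authorized_keys is exactly what the package warns about at install time.
    case "$2" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "not an OpenSSH public key line: $2" >&2; return 1 ;;
    esac
    mkdir -p "$root/etc/dropbear-initramfs" "$root/etc/initramfs-tools"
    printf '%s\n' "$2" > "$root/etc/dropbear-initramfs/authorized_keys"
    chmod 600 "$root/etc/dropbear-initramfs/authorized_keys"
    set_config_key "$root/etc/dropbear-initramfs/config" DROPBEAR_OPTIONS \
        "$(render_dropbear_options)"
    set_config_key "$root/etc/initramfs-tools/initramfs.conf" IP \
        "$(render_ip_line "$3" "$4" "$5" "$6")"
    # Nothing takes effect until the initrd is rebuilt.
    [ -n "$root" ] || update-initramfs -u
}

# On the live system (assumed file name):
#   sudo sh remote-unlock-setup.sh "$(cat ~/.ssh/id_ed25519.pub)" \
#        10.0.0.10 10.0.0.1 255.255.255.0 bastion
if [ "$#" -eq 5 ]; then
    configure_remote_unlock "" "$@"
fi
```

Re-running the script is safe: an existing IP= or DROPBEAR_OPTIONS= line is replaced rather than duplicated. Note that newer Debian and Ubuntu releases moved the dropbear initramfs directory to /etc/dropbear/initramfs; adjust the two dropbear paths if the install step put the files there.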
If you want to unlock over the Internet, forward port 2222 on your router to the server, since that is the port the initramfs SSH server listens on. During the unlocking phase connect to the server with:
ssh root@10.0.0.10 -p 2222
You may want to replace 10.0.0.10 with your public IP address or hostname. After connecting run:
This will allow you to enter a passphrase to unlock your root partition and continue the boot process.
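The client side as an added example (not from the post): a small wrapper around the ssh command above that pins the initramfs host key in its own known_hosts file, allows key authentication only, retries while the server is still rebooting and then runs the unlock command. The unlock command name cryptroot-unlock is the one Debian's cryptsetup-initramfs ships for this purpose; the root login, the file names, the SSH/KEYSCAN indirection (there so the script can be exercised with stand-ins) and the retry counts are my assumptions. Pinning matters here: the passphrase is typed into whatever answers on that port, and dropbear in the initramfs presents a host key of its own rather than the booted system's OpenSSH key, so record it once from a network position you trust before relying on it over the Internet.

```shell
#!/bin/sh
# Added example, not code from the original post: unlock the encrypted root of
# a remote server from the client side. Assumptions: root is the initramfs
# login, the unlock command is Debian's cryptroot-unlock, and the host, port
# and known_hosts defaults below are mine.
set -eu

UNLOCK_HOST=${UNLOCK_HOST:-10.0.0.10}
UNLOCK_PORT=${UNLOCK_PORT:-2222}
# Separate known_hosts: the initramfs dropbear has its own host key, distinct
# from the booted system's OpenSSH key.
UNLOCK_KNOWN_HOSTS=${UNLOCK_KNOWN_HOSTS:-${HOME:-.}/.ssh/known_hosts_initramfs}
# Commands are indirected so a stand-in can be substituted when testing.
SSH=${SSH:-ssh}
KEYSCAN=${KEYSCAN:-ssh-keyscan}

# Record the initramfs host key once, from a network position you trust
# (e.g. the LAN). Refuses to overwrite: a changed key must be investigated,
# not silently accepted.
pin_initramfs_hostkey() {
    # $1 host, $2 port, $3 known_hosts file
    if [ -s "$3" ]; then
        echo "$3 already holds a pinned key; refusing to overwrite it" >&2
        return 1
    fi
    # ssh-keyscan writes "[host]:port type key", the form ssh looks up
    # for non-standard ports
    "$KEYSCAN" -p "$2" "$1" > "$3"
}

# One unlock attempt: key-only auth against the pinned host key, then run the
# unlock helper, which prompts for the LUKS passphrase. With the pinned file
# missing or mismatching, StrictHostKeyChecking=yes makes ssh refuse, which
# is the fail-closed behaviour we want for a passphrase prompt.
remote_unlock() {
    # $1 host, $2 port, $3 known_hosts file
    "$SSH" -p "$2" \
        -o "UserKnownHostsFile=$3" \
        -o StrictHostKeyChecking=yes \
        -o PasswordAuthentication=no \
        -o ConnectTimeout=10 \
        "root@$1" cryptroot-unlock
}

# The server needs a while after a reboot before dropbear listens; retry.
unlock_when_up() {
    # $1 host, $2 port, $3 known_hosts file, $4 max attempts, $5 seconds between
    n=0
    while [ "$n" -lt "$4" ]; do
        if remote_unlock "$1" "$2" "$3"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$5"
    done
    echo "no unlock after $4 attempts against $1:$2" >&2
    return 1
}

# Usage (assumed file name remote-unlock.sh):
#   sh remote-unlock.sh pin      # once, from the LAN
#   sh remote-unlock.sh unlock   # after every reboot
case "${1:-}" in
    pin)    pin_initramfs_hostkey "$UNLOCK_HOST" "$UNLOCK_PORT" "$UNLOCK_KNOWN_HOSTS" ;;
    unlock) unlock_when_up "$UNLOCK_HOST" "$UNLOCK_PORT" "$UNLOCK_KNOWN_HOSTS" 24 5 ;;
esac
```

Once the passphrase is accepted the initramfs dropbear exits and port 2222 stops answering; the booted system's own sshd (with its own host key, on its own port) takes over from there.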
With LUKS you need an unencrypted boot partition from which the kernel image (vmlinuz) and the initial RAM file system (initrd) are loaded. The initrd is what shows the screen asking for the passphrase to decrypt the encrypted disk. This two-stage boot process can be extended to do other things as well. In today's post I have shown how to add a simple SSH server; in another post I will show how to scan USB drives for a keyfile.
In security, the exercise of identifying risks and ranking them by damage and likelihood is called "threat modelling". For many on-premise servers a large risk with considerable damage is hardware theft. Full disk encryption protects you against leaking data in this relatively likely event and reduces the damage considerably; it does not help against an attacker who can modify the unencrypted boot partition, which is the trade-off mentioned at the start of this post.