TQdev.com - Blog about software development

LUKS with SSH unlock

15 Jan 2022 - by 'Maurits van der Schee'

I feel that using full disk encryption of servers is a must. Not to protect against attacks with physical access (to the unencrypted boot loader or unprotected BIOS), but to avoid leaking data when a disk or computer is either stolen or replaced. But what do you do when you need to reboot your server and have no console access to enter the passphrase? This post will explain how to run a simple SSH server during the boot process to allow remote unlocking of the encrypted root partition.

Installing and configuring the SSH server

Install the "dropbear" SSH server into the initial ram file system with:

sudo apt install dropbear-initramfs

You are expected to see the message:

dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!

You now need to add your public key to the initramfs:

sudo nano /etc/dropbear-initramfs/authorized_keys

Also edit "/etc/dropbear-initramfs/config" using

sudo nano /etc/dropbear-initramfs/config

And change "DROPBEAR_OPTIONS" to:

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"

Which sets the disconnect timeout to 300 seconds, disables local and remote port forwarding, sets the listening port to 2222 and disables password logins.

Unless you use DHCP, you also need to set your IP configuration in "/etc/initramfs-tools/initramfs.conf" by changing "IP" to:

IP=10.0.0.10::10.0.0.1:255.255.255.0:bastion

This will set your IP address to 10.0.0.10, your gateway to 10.0.0.1, your netmask to 255.255.255.0 and your hostname to "bastion".

Save the altered files and rebuild the initial ram file system with the following command:

sudo update-initramfs -u

This will take several seconds on a fast machine.
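As an added example that is not part of the original post, the following POSIX shell script checks the three files edited above for the mistakes that would leave the server unreachable at the passphrase prompt: an authorized_keys file without a public key, a DROPBEAR_OPTIONS line that does not carry -s, -j and -k, and a malformed IP= line. It assumes the file layout described in the post; every function takes the path to check, and the sample files it can write contain the post's values plus a placeholder key.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the dropbear-initramfs
# settings before running "update-initramfs -u", since a mistake here leaves the
# server stuck at the passphrase prompt with no way in. Each function takes the
# path of the file to check, so it can run against copies as well as /etc.

# Succeeds if FILE holds at least one OpenSSH-format public key line.
check_authorized_keys() {
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$1"
}

# Extracts the value of DROPBEAR_OPTIONS="..." from FILE.
dropbear_options() {
    sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$1"
}

# Succeeds only if password logins (-s) and both port-forwarding directions
# (-j, -k) are disabled, as in the post's recommended options.
check_dropbear_options() {
    opts=$(dropbear_options "$1")
    [ -n "$opts" ] || return 1
    for flag in -s -j -k; do
        case " $opts " in *" $flag "*) ;; *) return 1 ;; esac
    done
}

# Prints the port given to -p, or dropbear's default 22 if none is set.
dropbear_port() {
    port=$(dropbear_options "$1" | sed -n 's/.*-p \([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${port:-22}"
}

# Prints "address gateway netmask hostname" from the IP= line in FILE, using the
# kernel ip= field order client:server:gateway:netmask:hostname:device:autoconf.
parse_ip_line() {
    ip=$(sed -n 's/^IP=//p' "$1")
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip" | awk -F: '{ print $1, $3, $4, $5 }'
}

# Writes constructed copies of the three files into DIR (values from the post;
# the public key is a placeholder, not a real key) so the checks can be tried
# without touching /etc.
make_sample_config() {
    printf 'ssh-ed25519 AAAA-PLACEHOLDER-KEY-DATA admin@workstation\n' > "$1/authorized_keys"
    printf 'DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"\n' > "$1/config"
    printf 'IP=10.0.0.10::10.0.0.1:255.255.255.0:bastion\n' > "$1/initramfs.conf"
}
```

Because dropbear listens on 2222 rather than 22, OpenSSH records its host key under "[host]:2222" in known_hosts, separately from the entry for the normal sshd on port 22, so the two host keys do not conflict.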

Connect over the Internet

Since the SSH server listens on port 2222, you need to forward port 2222 to the server if you want to unlock over the Internet. Connect to your server during the unlocking phase using the following command:

ssh root@10.0.0.10 -p 2222

You may want to replace 10.0.0.10 with your public IP address or hostname. After connecting run:

cryptroot-unlock

This will allow you to enter a passphrase to unlock your root partition and continue the boot process.
