Hi, I am going to show you how to enable remote ssh unlocking of your LUKS encrypted file system. This procedure has been tested on Debian Buster and Ubuntu 20.04; on older versions the configuration may differ.
If you opted to encrypt your root partition during installation, you have to type the encryption password at every reboot, which is a problem if you don’t have physical access to the computer or have no keyboard and monitor attached to it.
We will solve this with the dropbear-initramfs package. The idea is to run a dropbear ssh server in the early stages of the boot process, so that we can ssh into it and enter the encryption password. After that, the system boots normally.
Firstly install the package:
apt update && apt install dropbear-initramfs
Set DROPBEAR_OPTIONS in ‘/etc/dropbear-initramfs/config’, here is an example:
DROPBEAR_OPTIONS="-p 5678 -s -j -k -I 60"
Explanation of the options; change them to fit your needs, and see ‘man dropbear’ for further info:
- -p 5678: port where the ssh process will be listening.
- -s: disable password logins.
- -j: disable local port forwarding.
- -k: disable remote port forwarding.
- -I 60: idle timeout. Disconnect after 60 idle seconds.
Create the file ‘/etc/dropbear-initramfs/authorized_keys’ and put your public key in it. Then update your initramfs with this command:
If you have DHCP configured on your network, you can skip this step. If DHCP is not enabled, you should configure a fixed IP address through the grub configuration: open ‘/etc/default/grub’ and update the GRUB_CMDLINE_LINUX_DEFAULT variable with the IP configuration, using this syntax: ‘ip=ip::gateway:mask:hostname:interface:none:’
# old line
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=192.168.5.45::192.168.5.1:255.255.255.0:hostname:enp5s0:none:"
Then run ‘update-grub’ to update the grub configuration.
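The steps above, gathered into one script as an added example (this is not code from the original post). The file paths and the ‘update-initramfs -u’ / ‘update-grub’ commands are the standard Debian and Ubuntu ones; the addresses, hostname and interface name are constructed samples. The helpers validate the ip= fields before they reach grub, because a typo there leaves the initramfs without a usable network and no way to unlock remotely, and the grub edit works on any file path so it can be rehearsed on a copy first:

```shell
#!/bin/sh
# Added example, not code from the original post: helper functions for the
# dropbear-initramfs setup described above. Paths and the update-initramfs -u /
# update-grub commands are the standard Debian/Ubuntu ones; the sample
# addresses, hostname and interface used in the tests are constructed values.
set -uf

DROPBEAR_CONF=/etc/dropbear-initramfs/config
DROPBEAR_KEYS=/etc/dropbear-initramfs/authorized_keys
GRUB_DEFAULT=/etc/default/grub

# True only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    [ -n "$1" ] || return 1
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1;; esac
    n=0; rest="$1."
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Port number for dropbear's -p: 1..65535 only.
is_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Render the DROPBEAR_OPTIONS line from the post with a chosen port.
dropbear_options_line() {
    is_port "$1" || { echo "bad port: $1" >&2; return 1; }
    printf 'DROPBEAR_OPTIONS="-p %s -s -j -k -I 60"\n' "$1"
}

# Build the kernel parameter ip=addr::gateway:netmask:hostname:iface:none:
# Each address is validated; a ':' or space in hostname/iface is rejected
# because it would shift the colon-separated fields.
build_ip_param() {
    addr=$1; gw=$2; mask=$3; host=$4; iface=$5
    for a in "$addr" "$gw" "$mask"; do
        is_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    case "$host$iface" in *:*|*' '*) echo "hostname/iface must not contain ':' or spaces" >&2; return 1;; esac
    printf 'ip=%s::%s:%s:%s:%s:none:\n' "$addr" "$gw" "$mask" "$host" "$iface"
}

# Current value of GRUB_CMDLINE_LINUX_DEFAULT in the given grub file.
grub_cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Append an ip= parameter to GRUB_CMDLINE_LINUX_DEFAULT, dropping any earlier
# ip= token so re-running the setup does not accumulate duplicates.
set_grub_ip() {
    file=$1; ipparam=$2
    cur=$(grub_cmdline_value "$file")
    new=""
    for tok in $cur; do
        case $tok in ip=*) ;; *) new="$new${new:+ }$tok";; esac
    done
    new="$new${new:+ }$ipparam"
    awk -v v="$new" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print "GRUB_CMDLINE_LINUX_DEFAULT=\"" v "\""; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Full setup, run only as: sh setup.sh apply PUBKEY_FILE PORT ADDR GW MASK HOST IFACE
apply_setup() {
    pubkey=$1; port=$2; shift 2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt update && apt install -y dropbear-initramfs
    # Replace any existing DROPBEAR_OPTIONS line, keep the rest of the file.
    { grep -v '^DROPBEAR_OPTIONS=' "$DROPBEAR_CONF"; dropbear_options_line "$port"; } > "$DROPBEAR_CONF.tmp" \
        && mv "$DROPBEAR_CONF.tmp" "$DROPBEAR_CONF"
    install -m 0600 "$pubkey" "$DROPBEAR_KEYS"   # with -s, keys are the only way in
    update-initramfs -u
    ipparam=$(build_ip_param "$@")                 # skip this part when DHCP is used
    set_grub_ip "$GRUB_DEFAULT" "$ipparam"
    update-grub
}

if [ "${1:-}" = "apply" ]; then shift; apply_setup "$@"; fi
```

Without the ‘apply’ argument the script only defines the functions, so it can be sourced to try ‘build_ip_param’ or ‘set_grub_ip’ against a copy of ‘/etc/default/grub’ before touching the real file.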
Finally, reboot and test the configuration. Connect to the IP address and port configured above with your private key. After connecting, type ‘cryptroot-unlock’ and enter your encryption password. The system will then finish booting normally.
Here is a command you can run to unlock automatically, without connecting interactively and typing your encryption password:
ssh -p5678 -i yourprivatekey hostname "echo -ne \"password\" > /lib/cryptsetup/passfifo"
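The one-liner above puts the password in the ssh argument list, where it is visible to every local user in ‘ps’ output and is saved in the shell history. As an added example (not code from the original post), here is a small client script that sends the passphrase to the same fifo over stdin instead, reading it either from a mode 0600 file or from the terminal with echo turned off. Host, port and key path are placeholders; the fifo path is the one the post uses, and the separate known_hosts file is an assumption worth making because the initramfs dropbear has its own host key, distinct from the one of the fully booted system:

```shell
#!/bin/sh
# Added example, not code from the original post: unlock a remote LUKS root
# by writing the passphrase to /lib/cryptsetup/passfifo (the fifo used in the
# post) over ssh, without placing it on the command line. Host, port and key
# path are placeholders supplied by the caller.
set -u

PASSFIFO=/lib/cryptsetup/passfifo
# Assumption: dropbear in the initramfs presents a different host key than the
# booted system's OpenSSH, so keep its known_hosts entry in a separate file.
INITRAMFS_KNOWN_HOSTS="$HOME/.ssh/known_hosts.initramfs"

# Command executed inside the initramfs: copy stdin into the fifo. Sending the
# passphrase on stdin keeps it out of the remote argv too.
remote_unlock_cmd() {
    printf 'cat > %s' "$PASSFIFO"
}

# Reject passphrases that would break the handoff: empty, or containing a
# newline (the post's echo -ne deliberately sends no trailing newline).
validate_passphrase() {
    [ -n "$1" ] || return 1
    nl=$(printf '\nx'); nl=${nl%x}
    case $1 in *"$nl"*) return 1;; esac
    return 0
}

# read_passphrase [FILE]: read from FILE only if it is mode 0600 (a trailing
# newline in the file is stripped), otherwise prompt with terminal echo off.
read_passphrase() {
    if [ -n "${1:-}" ]; then
        mode=$(stat -c %a "$1")
        [ "$mode" = 600 ] || { echo "refusing $1: mode $mode, expected 600" >&2; return 1; }
        cat "$1"
    else
        printf 'LUKS passphrase: ' >&2
        stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
        printf '%s' "$pw"
    fi
}

# ssh_unlock HOST PORT KEYFILE [PASSFILE]
ssh_unlock() {
    host=$1; port=$2; key=$3; passfile=${4:-}
    pw=$(read_passphrase "$passfile") || return 1
    validate_passphrase "$pw" || { echo "empty passphrase or embedded newline" >&2; return 1; }
    # BatchMode: never fall back to an interactive password prompt (the post
    # disables password logins with -s anyway).
    printf '%s' "$pw" | ssh -p "$port" -i "$key" -o BatchMode=yes \
        -o "UserKnownHostsFile=$INITRAMFS_KNOWN_HOSTS" "$host" "$(remote_unlock_cmd)"
}

if [ $# -ge 3 ]; then ssh_unlock "$@"; fi
```

Usage is ‘sh unlock.sh hostname 5678 yourprivatekey’ for an interactive prompt, or with a fourth argument naming a 0600 file holding the passphrase when it has to run unattended; in that case the file, not the command line, is what needs protecting.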
We have seen how to enable remote ssh unlocking of your LUKS encrypted file system. If you want to leave a comment, do it below.