Skip to content

LUKS encryption: Enable remote ssh unlocking

Enable remote ssh unlocking

Hi, I am going to show you how to enable remote ssh unlocking of your LUKS encrypted file system. This procedure has been tested in Debian Buster and Ubuntu 20.04. For older versions configuration probably may be different.

If you opted for encrypting your root partition when installing you should type your encryption password in each reboot so this could be a problem in case you don’t have physical access to the computer or you don’t have any keyboard and monitor attached to it.

We will solve this with the dropbear-initramfs package. The idea is to run a dropbear ssh server in the early steps of the boot process. This way we will be able to ssh into it and put the encryption password. After this the system will boot normally.

Initial configuration

Firstly install the package:

apt update && apt install dropbear-initramfs

Set DROPBEAR_OPTIONS in ‘/etc/dropbear-initramfs/config’, here is an example:

DROPBEAR_OPTIONS="-p 5678 -s -j -k -I 60"

Options explanation, change them to fit your needs, type ‘man dropbear’ for further info:

  • -p 5678: port where the ssh process will be listening.
  • -s: disable password logins.
  • -j: disable local port forwarding.
  • -k: disable remote port forwarding.
  • -I 60: idle timeout. Disconnect after 60 idle seconds.

Create the file ‘/etc/dropbear-initramfs/authorized_keys’ and put your public key on it. Then update your initramfs with this command:

update-initramfs -u

Network configuration

If you have DHCP configured for your network, you can skip this step. If no DHCP is enabled, then you should configure a fixed ip address through grub configuration. To do this, open ‘/etc/default/grub’ and update the GRUB_CMDLINE_LINUX_DEFAULT variable with the ip configuration, using this syntax: ‘ip=ip::gateway:mask:hostname:interface:none:’

# old line
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=192.168.5.45::192.168.5.1:255.255.255.0:hostname:enp5s0:none:"

And then run ‘update-grub’ to update grub configuration.

update-grub

Final thoughts

Finally, you can reboot and test the configuration. Connect to the ip and port previously configured with your private key. After the connexion, type ‘cryptroot-unlock’ and your encryption password. The system will then finish boot normally.

Here is a command you can launch to automatically unlock without the need of connect and then typing your encryption password

ssh -p5678 -i yourprivatekey hostname "echo -ne \"password\" > /lib/cryptsetup/passfifo"

We have seen how to enable remote ssh unlocking for your LUKS encrypted file system. If you want to leave any comment, do it below.

3 thoughts on “LUKS encryption: Enable remote ssh unlocking”

  1. It doesn’t work with an ed25519 key, when I added a rsa key it works lika a charm.
    Much easier than it worked for 18.04 and previous versions.

  2. debug1: Offering public key: /home/xx/.ssh/id_ed25519 ED25519 SHA256:VJE5Luj9UAA5UDvjhPUpzODTvwebFP95SGkFkj+JeYI
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/xx/.ssh/id_xmss
    debug1: No more authentication methods to try.
    xx@xxxxxxxxxx: Permission denied (publickey).

    debug1: Will attempt key: /home/xx/.ssh/id_rsa RSA SHA256:TCLrDZINMVrpgUUU6dXl7hpMLkjX0NThJGpXXddlwuU
    debug1: Will attempt key: /home/xx/.ssh/id_dsa
    debug1: Will attempt key: /home/xx/.ssh/id_ecdsa
    debug1: Will attempt key: /home/xx/.ssh/id_ed25519 ED25519 SHA256:VJE5Luj9UEASUDvjhPUpzODTvwebFP95SGkFkj+JeYI
    debug1: Will attempt key: /home/xx/.ssh/id_xmss
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/xx/.ssh/id_rsa RSA SHA256:TCLrDZINMVrpgUEfKLXl7hpMLkjX0NThJGpXXddlwuU
    debug1: Server accepts key: /home/xx/.ssh/id_rsa RSA SHA256:TCLrDZINMVrpgUKL6dXl7hpMLkjX0NThJGpXXddlwuU
    debug1: Authentication succeeded (publickey).

    1. Hi, thanks for the info, this is related to dropbear not supporting ed25519 keys, although I am not sure if they are supported in dropbear newest versions nor if they are planning to support them.
      Hope this can give light to people facing the same issue, thanks for your comment!

Leave a Reply

Your email address will not be published. Required fields are marked *