LUKS encryption: Enable remote ssh unlocking

Enable remote ssh unlocking

Hi, I am going to show you how to enable remote ssh unlocking of your LUKS encrypted file system. This procedure has been tested on Debian Buster and Ubuntu 20.04. On older versions the configuration will probably be different.

If you opted to encrypt your root partition when installing, you have to type your encryption password at every reboot. This is a problem if you don’t have physical access to the computer or there is no keyboard and monitor attached to it.

We will solve this with the dropbear-initramfs package. The idea is to run a dropbear ssh server in the early stages of the boot process, so that we can ssh into it and enter the encryption password. After this the system will boot normally.

Initial configuration

First, install the package:

apt update && apt install dropbear-initramfs

Set DROPBEAR_OPTIONS in ‘/etc/dropbear-initramfs/config’. Here is an example:

DROPBEAR_OPTIONS="-p 5678 -s -j -k -I 60"

Explanation of the options (change them to fit your needs; type ‘man dropbear’ for further info):

  • -p 5678: port where the ssh process will be listening.
  • -s: disable password logins.
  • -j: disable local port forwarding.
  • -k: disable remote port forwarding.
  • -I 60: idle timeout. Disconnect after 60 idle seconds.

Create the file ‘/etc/dropbear-initramfs/authorized_keys’ and put your public key in it. Then update your initramfs with this command:

update-initramfs -u

Network configuration

If you have DHCP configured for your network, you can skip this step. If DHCP is not enabled, you should configure a fixed IP address through the grub configuration. To do this, open ‘/etc/default/grub’ and update the GRUB_CMDLINE_LINUX_DEFAULT variable with the IP configuration, using this syntax: ‘ip=ip::gateway:mask:hostname:interface:none:’

# old line
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=192.168.5.45::192.168.5.1:255.255.255.0:hostname:enp5s0:none:"

Then run ‘update-grub’ to update the grub configuration.

update-grub

Final thoughts

Finally, you can reboot and test the configuration. Connect to the IP and port previously configured, using your private key. Once connected, type ‘cryptroot-unlock’ and your encryption password. The system will then finish booting normally.

Here is a command you can run to unlock automatically, without having to connect and then type your encryption password:

ssh -p5678 -i yourprivatekey hostname "echo -ne \"password\" > /lib/cryptsetup/passfifo"
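
The one-liner above leaves the passphrase in your shell history and in the client's process list while ssh runs. The following is an added example, not part of the original post, that sends it over ssh's standard input and pins the initramfs host key; the function names, the known_hosts path and the values in the usage line are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, the
# known_hosts path and the sample values in the usage line are assumptions.

# The dropbear in the initramfs has its own host key, different from the
# main sshd on the same IP, so pin it in a separate file. Record the key
# once from a network you trust and verify its fingerprint.
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts.initramfs}"

# Print the passphrase on stdout. On a terminal, prompt with echo off;
# otherwise read one line from stdin (e.g. from a password manager).
read_passphrase() {
    if [ -t 0 ]; then
        printf 'LUKS passphrase: ' >&2
        stty -echo
        IFS= read -r pass
        stty echo
        printf '\n' >&2
    else
        IFS= read -r pass
    fi
    printf '%s' "$pass"
}

# unlock_luks HOST PORT KEYFILE   (dropbear-initramfs logins are as root)
# The passphrase travels over ssh's stdin into the FIFO, so it never
# appears in argv, `ps` output or shell history. printf is a builtin in
# dash and bash, so it is not an argument of any exec'd process either.
unlock_luks() {
    host=$1 port=$2 key=$3
    pass=$(read_passphrase) || return 1
    [ -n "$pass" ] || { echo 'empty passphrase' >&2; return 1; }
    printf '%s' "$pass" | ssh -p "$port" -i "$key" \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        "root@$host" 'cat > /lib/cryptsetup/passfifo'
    status=$?
    unset pass
    return "$status"
}

# Usage: ./unlock.sh 192.168.5.45 5678 ~/.ssh/id_rsa
if [ "$#" -eq 3 ]; then
    unlock_luks "$@"
fi
```

With StrictHostKeyChecking=yes the connection is refused until the initramfs host key is present in the pinned file, so a changed key stops the unlock instead of sending the passphrase.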

We have seen how to enable remote ssh unlocking for your LUKS encrypted file system. If you want to leave any comment, do it below.

6 thoughts on “LUKS encryption: Enable remote ssh unlocking”

  1. It doesn’t work with an ed25519 key, when I added a rsa key it works like a charm.
    Much easier than it worked for 18.04 and previous versions.

  2. debug1: Offering public key: /home/xx/.ssh/id_ed25519 ED25519 SHA256:VJE5Luj9UAA5UDvjhPUpzODTvwebFP95SGkFkj+JeYI
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/xx/.ssh/id_xmss
    debug1: No more authentication methods to try.
    xx@xxxxxxxxxx: Permission denied (publickey).

    debug1: Will attempt key: /home/xx/.ssh/id_rsa RSA SHA256:TCLrDZINMVrpgUUU6dXl7hpMLkjX0NThJGpXXddlwuU
    debug1: Will attempt key: /home/xx/.ssh/id_dsa
    debug1: Will attempt key: /home/xx/.ssh/id_ecdsa
    debug1: Will attempt key: /home/xx/.ssh/id_ed25519 ED25519 SHA256:VJE5Luj9UEASUDvjhPUpzODTvwebFP95SGkFkj+JeYI
    debug1: Will attempt key: /home/xx/.ssh/id_xmss
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/xx/.ssh/id_rsa RSA SHA256:TCLrDZINMVrpgUEfKLXl7hpMLkjX0NThJGpXXddlwuU
    debug1: Server accepts key: /home/xx/.ssh/id_rsa RSA SHA256:TCLrDZINMVrpgUKL6dXl7hpMLkjX0NThJGpXXddlwuU
    debug1: Authentication succeeded (publickey).

    1. Hi, thanks for the info, this is related to dropbear not supporting ed25519 keys, although I am not sure if they are supported in dropbear’s newest versions or if they are planning to support them.
      Hope this can give light to people facing the same issue, thanks for your comment!
