@Smenus
Last active December 22, 2015 06:09

Remote Debian Installation with Encrypted RootFS

This is a quick run-down of how I installed Debian on my dedicated server (at OVH, super cheap!) and set up an encrypted rootfs that is unlocked over SSH during boot. It is here both on the off chance that I have to do it again and in case anyone else wants to do the same thing. There are a few guides out there for unlocking over SSH, and a few for remote installation of Debian, but none that combine the two.

These instructions need an existing Debian install, although Ubuntu might work too.

1. Preparing Remote Installation

Source for this part of the guide was here

  1. Get Debian installer source and dependencies.

     apt-get install dpkg-dev
     apt-get source debian-installer
     apt-get build-dep debian-installer
    
  2. Enable network-console by adding the following to the top of build/pkg-lists/netboot/<arch>.cfg. Replace <arch> with your architecture. In my case this was amd64.

     #include "network-console"
    
  3. Create a preseed.cfg file for the installer (I created it in ~). This preseeds answers to questions the installer would otherwise ask interactively, which you cannot answer remotely because they all come before (or are part of) the network setup. The following are the values I used; at the very least you need to set the locale and keymap, and set up the network and network-console. The pkgsel/include line pulls in dropbear, which we need later.

     d-i debian-installer/locale            string en_US
     d-i keymap                             select us
     d-i keyboard-configuration/xkb-keymap  select us
     d-i keyboard-configuration/variant     select American English
     d-i debconf/priority                   select critical
     d-i auto-install/enabled               boolean true
     d-i netcfg/choose_interface            select eth0
     d-i netcfg/disable_dhcp                boolean true
     d-i netcfg/get_nameservers             string <name server>
     d-i netcfg/get_ipaddress               string <IP address>
     d-i netcfg/get_netmask                 string <netmask>
     d-i netcfg/get_gateway                 string <gateway>
     d-i netcfg/confirm_static              boolean true
     d-i netcfg/get_hostname                string <host>
     d-i netcfg/get_domain                  string <domain.tld>
     d-i network-console/password           password <password>
     d-i network-console/password-again     password <password>
     d-i pkgsel/include                     string busybox dropbear
    
  4. Create build/config/local with the following. Obviously change the preseed.cfg path if you didn't save it in ~, and change stable if you want to use testing or a specific code name.

     PRESEED=~/preseed.cfg
     USE_UDEBS_FROM=stable
    
  5. Change into the build directory and build the netboot image.

     fakeroot make rebuild_netboot
    
  6. Copy the initrd.gz and linux in build/dest/netboot/debian-installer/<arch>/ to /boot/ as debian-installer-rd.gz and debian-installer respectively.

  7. Update your bootloader to point to these new files. As I couldn't change which entry was chosen at boot, I just edited the first entry in /boot/grub/grub.cfg, but YMMV. Below is what I changed my grub lines to.

     menuentry 'Debian Installer' --class debian --class gnu-linux --class gnu --class os {
         load_video
         insmod gzio
         insmod part_msdos
         insmod ext2
         set root='(hd0,msdos1)'
         echo    'Loading Installer ...'
         linux   /boot/debian-installer rw ramdisk_size=24000 root=/dev/rd/0
         echo    'Loading Installer Ramdisk ...'
         initrd  /boot/debian-installer-rd.gz
     }
    
  8. Reboot and cross your fingers! After a while you should be able to ping the machine again and log in with ssh installer@<ip address>. The password is the one you set in preseed.cfg.
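
The preseed is the one piece of this section you cannot fix interactively: if a value is wrong, the installer boots with no reachable network and no way in. Below is an added helper (my own, not part of the gist) that renders the preseed from shell variables and then checks it the way I would before running the build: every key the guide calls mandatory must be present, no <placeholder> may survive, and dropbear must be in pkgsel/include. Variable names such as NET_IP and CONSOLE_PW are hypothetical; the preseed keys and values are the guide's. Keep in mind that PRESEED= bakes this file, password included, into the initrd you copy to /boot, so treat both files as secrets.

```sh
#!/bin/sh
# Added example, not from the original gist. Renders a preseed.cfg from
# environment variables and sanity-checks it before the netboot build.

# write_preseed OUTFILE - render the guide's preseed, taking values from
# NET_IFACE, NET_DNS, NET_IP, NET_MASK, NET_GW, NET_HOST, NET_DOMAIN,
# CONSOLE_PW, LOCALE and KEYMAP (hypothetical names). Anything unset keeps
# the guide's <placeholder>, which check_preseed will then reject.
write_preseed() {
    out="$1"
    cat > "$out" <<EOF
d-i debian-installer/locale            string ${LOCALE:-en_US}
d-i keymap                             select ${KEYMAP:-us}
d-i keyboard-configuration/xkb-keymap  select ${KEYMAP:-us}
d-i keyboard-configuration/variant     select American English
d-i debconf/priority                   select critical
d-i auto-install/enabled               boolean true
d-i netcfg/choose_interface            select ${NET_IFACE:-eth0}
d-i netcfg/disable_dhcp                boolean true
d-i netcfg/get_nameservers             string ${NET_DNS:-<name server>}
d-i netcfg/get_ipaddress               string ${NET_IP:-<IP address>}
d-i netcfg/get_netmask                 string ${NET_MASK:-<netmask>}
d-i netcfg/get_gateway                 string ${NET_GW:-<gateway>}
d-i netcfg/confirm_static              boolean true
d-i netcfg/get_hostname                string ${NET_HOST:-<host>}
d-i netcfg/get_domain                  string ${NET_DOMAIN:-<domain.tld>}
d-i network-console/password           password ${CONSOLE_PW:-<password>}
d-i network-console/password-again     password ${CONSOLE_PW:-<password>}
d-i pkgsel/include                     string busybox dropbear
EOF
}

# check_preseed FILE - return 0 if every key the guide calls mandatory is
# present, no <placeholder> survived and dropbear is included; each problem
# found is reported on stderr.
check_preseed() {
    f="$1"; rc=0
    for key in debian-installer/locale keymap \
               netcfg/get_ipaddress netcfg/get_netmask netcfg/get_gateway \
               netcfg/get_nameservers \
               network-console/password network-console/password-again \
               pkgsel/include; do
        # the key is the second whitespace-separated field of a "d-i" line
        if ! awk -v k="$key" '$1=="d-i" && $2==k {found=1} END{exit !found}' "$f"; then
            echo "missing: $key" >&2; rc=1
        fi
    done
    # a value still wrapped in <...> was never filled in; the installer would
    # come up with an unreachable network or an unknown console password
    if grep -q '<[^>]*>' "$f"; then
        echo "unfilled placeholder(s):" >&2
        grep -n '<[^>]*>' "$f" >&2
        rc=1
    fi
    # without dropbear in pkgsel/include, section 3 has nothing to configure
    if ! grep -q '^d-i pkgsel/include .*dropbear' "$f"; then
        echo "pkgsel/include does not list dropbear" >&2; rc=1
    fi
    return $rc
}
```

Run it as `NET_IP=... NET_MASK=... write_preseed ~/preseed.cfg && check_preseed ~/preseed.cfg` before `fakeroot make rebuild_netboot`; a non-zero exit means the initrd would be built with a broken network configuration.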

2. Install Debian

The installation should go as usual: choose the expert install and follow the steps. When it comes to partitioning, if the disk is large you probably won't want to use the guided crypto option, as it will take forever and SSH will kick you out long before it finishes. I set up the partitions manually, being sure to uncheck the erase HDD option for the encryption part. Sure, this isn't as perfect as it could have been, but the wiping takes forever.

Don't complete the installation - go to the next section!

If it'd help, I could redo this in a VM to get a screenshot of my setup - let me know

3. Setup dropbear unlocking

Source for this part of the guide, as well as the unlocking script, is here

  1. Drop to a shell by choosing Execute a shell in the installer menu.

  2. Mount special devices to the new system and chroot to it so that you can update the ramdisk later.

     cd /target
     mount -t proc proc proc/
     mount -t sysfs sys sys/
     mount -o bind /dev dev/
     chroot . /bin/bash
    
  3. Get the SSH keys that were generated for dropbear. I couldn't get SCP to work at this point, so I had to use cat. Paste the output of cat into local files, such as ~/.ssh/id_rsa-unlock and ~/.ssh/id_rsa-unlock.pub.

     cat /etc/initramfs-tools/root/.ssh/id_rsa
     cat /etc/initramfs-tools/root/.ssh/id_rsa.pub
    
  4. Add your ethernet drivers to /etc/initramfs-tools/modules. Don't be shy here, if you're not sure which ethernet drivers from lsmod are the right ones, put them all in! I don't know of any downsides to that strategy, and if you don't get the actual driver in there, you won't be able to unlock your rootfs! I think the top one was what I needed, but the others were loaded too.

     8139too
     e1000e
     e100
     e1000
     r8169
    
  5. Edit /etc/initramfs-tools/initramfs.conf.

     DEVICE=eth0
     IP=<ip address>::<gateway>:<netmask>:<hostname>:eth0:off
     DROPBEAR=y
    
  6. Download the unlocking script and make it executable. It is fetched over plain HTTP and, as an initramfs hook, will run as root every time the ramdisk is rebuilt, so read through it before you chmod it.

     cd /etc/initramfs-tools/hooks
     wget http://projectgus.com/files/headless_cryptroot/mount_cryptroot
     chmod +x mount_cryptroot
    
  7. Rebuild the ramdisk.

     update-initramfs -u -t
    
  8. Exit the chroot, then the shell, and finish installation.

  9. Keep your fingers, toes and everything else crossed. Eventually you should be able to ping the server again and log in with SSH.

     ssh -i ~/.ssh/id_rsa-unlock root@<ip address>
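
Step 4 above is the one that bit me most: if the module for the interface named in initramfs.conf is not in /etc/initramfs-tools/modules, the initramfs comes up without a network and the only recovery is a rescue boot. Rather than guessing from lsmod, the kernel tells you which module is bound to an interface through sysfs: /sys/class/net/<iface>/device/driver/module is a symlink to /sys/module/<name> for a module-provided driver, and a built-in driver has no such link. The script below is an added example of mine (not from the gist or the linked source) that reads DEVICE= from initramfs.conf, resolves the driver through sysfs and confirms it is listed in the modules file. The SYSFS_ROOT and ETC_ROOT parameters are hypothetical and exist so the check can be run against a constructed tree; on the real box pass /sys and /etc from inside the chroot.

```sh
#!/bin/sh
# Added example, not from the original gist: cross-check that the NIC driver
# for the DEVICE in initramfs.conf is listed in initramfs-tools/modules.

# net_driver_module SYSFS_ROOT IFACE
# Print the module behind IFACE. A module-provided driver exposes
# device/driver/module -> /sys/module/<name>; a built-in driver has a
# device/driver link but no module link, so we print "builtin" for it.
net_driver_module() {
    dev="$1/class/net/$2/device"
    [ -d "$dev" ] || { echo "no device behind $2 (virtual interface?)" >&2; return 1; }
    if [ -L "$dev/driver/module" ]; then
        basename "$(readlink "$dev/driver/module")"
    elif [ -L "$dev/driver" ]; then
        echo builtin
    else
        echo "no driver bound to $2" >&2; return 1
    fi
}

# configured_device ETC_ROOT - the DEVICE= value from initramfs.conf
# (last assignment wins, as it does for a shell-style config)
configured_device() {
    sed -n 's/^DEVICE=//p' "$1/initramfs-tools/initramfs.conf" | tail -n 1
}

# check_initramfs_modules SYSFS_ROOT ETC_ROOT
# 0 if the module for the configured DEVICE is listed in
# initramfs-tools/modules (or the driver is built in), 1 otherwise.
check_initramfs_modules() {
    iface=$(configured_device "$2") || return 1
    [ -n "$iface" ] || { echo "DEVICE= not set in initramfs.conf" >&2; return 1; }
    mod=$(net_driver_module "$1" "$iface") || return 1
    [ "$mod" = builtin ] && return 0
    # modules file: one module name per line, '#' comments allowed
    if grep -v '^[[:space:]]*#' "$2/initramfs-tools/modules" \
        | awk -v m="$mod" '$1==m {f=1} END{exit !f}'; then
        return 0
    fi
    echo "$iface uses $mod but $2/initramfs-tools/modules does not list it" >&2
    return 1
}
```

Inside the chroot, `check_initramfs_modules /sys /etc` before `update-initramfs -u -t` tells you whether the ramdisk you are about to build can actually reach the network; listing extra modules as the guide suggests does no harm, but the one this prints must be there.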
    

It might be a good idea to add this to your SSH config (~/.ssh/config):

Host unlock
    HostName <ip address>
    Port 22
    User root
    IdentityFile ~/.ssh/id_rsa-unlock
    UserKnownHostsFile ~/.ssh/known_hosts-unlock

Then you can just use ssh unlock.
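
The separate UserKnownHostsFile is there for a reason worth spelling out: the dropbear inside the initramfs has its own host key, distinct from the OpenSSH host key the installed system presents on the same address once it is unlocked, so sharing one known_hosts file would make ssh complain about a changed key on every boot. The flip side is that whatever key lands in known_hosts-unlock first is what you trust from then on, so that file should hold exactly one entry for the host, recorded from a fingerprint you obtained through a trusted channel. The wrapper below is an added example of mine (not from the gist) that enforces this: it refuses to connect unless exactly one key is pinned and passes StrictHostKeyChecking=yes so a changed key aborts rather than prompts. Function names (pinned_keys, check_pin, unlock) are hypothetical; the file paths are the guide's, and the parser assumes known_hosts-unlock is written with HashKnownHosts off.

```sh
#!/bin/sh
# Added example, not from the original gist: a guarded replacement for
# "ssh unlock" that checks the host-key pin before connecting.

# pinned_keys KNOWN_HOSTS HOST [PORT]
# Print "keytype base64" for each plain (unhashed) entry matching HOST.
# Field 1 of a known_hosts line is a comma-separated host list; hosts on a
# non-default port appear as "[host]:port". Lines starting with "@" are
# marker lines (@cert-authority, @revoked) and "|1|..." entries are hashed,
# which cannot be matched without ssh-keygen -F, so both are skipped here.
pinned_keys() {
    file="$1"; host="$2"; port="${3:-22}"
    [ -r "$file" ] || return 0
    awk -v h="$host" -v p="$port" '
        NF == 0 { next }                       # blank line
        $1 ~ /^#/ { next }                     # comment
        $1 ~ /^@/ { next }                     # marker line
        substr($1, 1, 3) == "|1|" { next }     # hashed entry
        {
            want = (p == "22") ? h : "[" h "]:" p
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == want) { print $2, $3; break }
        }' "$file"
}

# check_pin KNOWN_HOSTS HOST [PORT] - 0 only if exactly one key is pinned
check_pin() {
    count=$(pinned_keys "$1" "$2" "${3:-22}" | wc -l | tr -d ' ')
    case "$count" in
        1) return 0 ;;
        0) echo "no host key pinned for $2 in $1; record the dropbear key first" >&2
           return 1 ;;
        *) echo "$count keys pinned for $2 in $1; keep only the dropbear one" >&2
           return 1 ;;
    esac
}

# unlock HOST [PORT] - connect to the initramfs dropbear with the unlock key
unlock() {
    host="$1"; port="${2:-22}"
    known="$HOME/.ssh/known_hosts-unlock"
    check_pin "$known" "$host" "$port" || return 1
    exec ssh -p "$port" -i "$HOME/.ssh/id_rsa-unlock" \
        -o IdentitiesOnly=yes \
        -o UserKnownHostsFile="$known" \
        -o StrictHostKeyChecking=yes \
        "root@$host"
}
```

IdentitiesOnly=yes keeps ssh from offering every key in your agent to the initramfs before the unlock key, and StrictHostKeyChecking=yes turns a key mismatch into a hard failure, which is what you want for a host whose whole job is to receive your disk passphrase.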

Done!


If there are any mistakes, or any steps aren't clear, please let me know.

Smenus (author) commented Sep 3, 2013

I am not good with GFM.