@ascarter
Last active March 3, 2023 16:49
Remote Unlock LUKS Encrypted Drive

Initial Setup

Provision drive using installer for LUKS/LVM

Typical configuration:

% lsblk -f
NAME                  FSTYPE      LABEL UUID                                   FSAVAIL FSUSE% MOUNTPOINT
loop0                 squashfs                                                       0   100% /snap/gnome-3-34-1804/72
loop1                 squashfs                                                       0   100% /snap/core18/2128
loop2                 squashfs                                                       0   100% /snap/gtk-common-themes/1515
loop3                 squashfs                                                       0   100% /snap/snap-store/547
loop4                 squashfs                                                       0   100% /snap/snapd/12704
sda
sdb
sdc
sdd
nvme1n1
nvme0n1
├─nvme0n1p1           vfat              A102-AE5A                               505.8M     1% /boot/efi
├─nvme0n1p2           ext4              3f227536-5afb-4818-bc99-43b827ee5f4b    426.2M    32% /boot
└─nvme0n1p3           crypto_LUKS       e9518cd4-29a6-4e76-9af2-6e7cfda6c009
  └─nvme0n1p3_crypt   LVM2_member       vFiTrB-rcQw-OSID-NsN3-ircC-GNam-KOJia7
    ├─vgubuntu-root   ext4              a7d1a3da-4338-4425-b8d5-a9f431a9d046      431G     2% /
    └─vgubuntu-swap_1 swap              db1e2d5b-9eaf-4870-ba9b-6b6c1e00a837                  [SWAP]

Remote Unlocking Overview

The kernel loads the initramfs image, which contains the files, modules and scripts needed to decrypt and mount the root partition. Running Dropbear SSH and BusyBox inside the initramfs lets you connect remotely during boot and unlock the root partition.

Install Dropbear for initramfs

% apt-get install dropbear-initramfs

Dropbear SSH Keys

Installation generates dss/rsa/ecdsa host keys in /etc/dropbear-initramfs. These keys are (and should be) different from the OpenSSH host keys of the booted system, so a client that already knows the OpenSSH key for the same host and port will raise a man-in-the-middle warning when it meets the Dropbear key. Running Dropbear on a different port avoids this, because the client tracks host keys per host and port.

Dropbear Configuration

See man dropbear for details on command line options.

Edit /etc/dropbear-initramfs/config to listen on port 2222:

# -s disable password logins, -j/-k disable local/remote port forwarding,
# -I 60 disconnect idle sessions after 60 s, -p 2222 listen on port 2222
DROPBEAR_OPTIONS="-s -j -k -I 60 -p 2222"

SSH Authentication

Password login is disabled (the -s option above). Add public keys to /etc/dropbear-initramfs/authorized_keys; RSA keys are generally advised.

Add each key to authorized_keys with options that restrict the session to the unlock command, like the following:

no-port-forwarding,no-agent-forwarding,no-x11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa ...

Static IP

If DHCP is not available, add the following to set a static IP at startup:

/etc/initramfs-tools/initramfs.conf:

IP=192.168.1.254::192.168.1.1:255.255.255.0::eth0:off

Format: [host ip]::[gateway ip]:[netmask]:[hostname]:[device]:[autoconf] ([hostname] can be omitted)

List the available network interface names with:

ls /sys/class/net

Regenerate initramfs

To regenerate after updating configuration:

% update-initramfs -u
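As an added example (not part of the gist), a POSIX sh script that checks the two settings edited above, the DROPBEAR_OPTIONS line and the IP= line, before the initramfs is regenerated and the machine rebooted. The file paths are the ones used in this gist; the check functions, their messages and the audit entry point are the script's own.

```shell
#!/bin/sh
# Pre-reboot checks for a dropbear-initramfs remote-unlock setup (added example,
# not from the gist). Inputs are strings, so each check runs on real or constructed values.
# DROPBEAR_OPTIONS must carry -s (no password login), -j and -k (no local or
# remote port forwarding) and a non-22 port via -p, so the initramfs host key
# is not confused with the OpenSSH host key of the booted system.
check_dropbear_options() {
  opts=" $1 "
  for flag in -s -j -k; do
    case $opts in *" $flag "*) ;; *) echo "DROPBEAR_OPTIONS lacks $flag" >&2; return 1 ;; esac
  done
  port=$(printf '%s' "$opts" | sed -n 's/.* -p \([0-9][0-9]*\) .*/\1/p')
  [ -n "$port" ] && [ "$port" -ne 22 ] || { echo "use -p with a port other than 22" >&2; return 1; }
}
# Dotted-quad validation and conversion to an integer for subnet arithmetic.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# IP=<host ip>::<gateway ip>:<netmask>:<hostname>:<device>:<autoconf>. A bad
# value leaves the machine unreachable, waiting for a passphrase at the console,
# so check field count, address syntax, device name and that the gateway is
# inside the host's subnet.
check_ip_param() {
  old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
  [ $# -eq 7 ] || { echo "IP= needs 7 colon-separated fields, got $#" >&2; return 1; }
  host=$1 gw=$3 mask=$4 dev=$6
  for a in "$host" "$gw" "$mask"; do
    valid_ipv4 "$a" || { echo "bad address in IP=: '$a'" >&2; return 1; }
  done
  [ -n "$dev" ] || { echo "IP= device field is empty" >&2; return 1; }
  m=$(ip2int "$mask")
  [ $(( $(ip2int "$host") & $m )) -eq $(( $(ip2int "$gw") & $m )) ] ||
    { echo "gateway $gw is outside $host/$mask" >&2; return 1; }
}
# Read the two files the gist edits (run as root: sh unlock-audit.sh audit).
audit() {
  check_dropbear_options "$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' /etc/dropbear-initramfs/config)" &&
  check_ip_param "$(sed -n 's/^IP=//p' /etc/initramfs-tools/initramfs.conf)" &&
  echo "ok: safe to run update-initramfs -u and reboot"
}
case ${1-} in audit) audit ;; esac
```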

Client Connection

ssh-keygen -t rsa -b 4096 -C "user@example.com"

~/.ssh/config:

Host host-startup
	Hostname host
	Port 2222
	User root
	HostKeyAlgorithms ssh-rsa
	IdentityFile ~/.ssh/id_rsa
