Skip to content

Instantly share code, notes, and snippets.

@cmsj

cmsj/ansible-dropbear-initramfs.md

Last active February 28, 2024 07:05
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save cmsj/94441d96568f3415a0258452cc582c21 to your computer and use it in GitHub Desktop.
Save cmsj/94441d96568f3415a0258452cc582c21 to your computer and use it in GitHub Desktop.
Download ZIP
Ansible to add dropbear (ie an SSH server) to your initramfs, for unlocking encrypted root partitions
Raw
ansible-dropbear-initramfs.md

This is some Ansible (for Ubuntu 22.04) to install and configure your initramfs to run dropbear (ie an SSH server).

Super handy if you have an encrypted root partition and don't have physical access to the machine to enter the encryption passphrase on the console.

Notes:

  • You'll need to put your actual public SSH keys, instead of the blahblah placeholder I have here
  • I set dropbear to run on port 31337 so the hostkey doesn't clash with the main OS' key in your ~/.ssh/known_hosts
  • This expects to be able to trigger two Ansible handlers when it makes changes, they are listed separately at the bottom
  • You'll need to change the GRUB_CMDLINE_LINUX_DEFAULT line below to have the actual IP/gateway/NIC/hostname you want the kernel to configure
  • After you ssh in when the machine is booting, the command to actually unlock the root filesystem is: cryptroot-unlock
# This is a playbook version of https://hamy.io/post/0005/remote-unlocking-of-luks-encrypted-root-in-ubuntu-debian/

- name: Install dropbear-initramfs
  apt:
    name: dropbear-initramfs
    state: present

- name: Install busybox-static
  apt:
    name: busybox-static
    state: present

- name: Configure dropbear-initramfs options
  lineinfile:
    path: /etc/dropbear/initramfs/dropbear.conf
    regexp: 'DROPBEAR_OPTIONS'
    line: 'DROPBEAR_OPTIONS="-p 31337 -s -j -k -I 60"'
  notify: update initramfs

- name: Add dropbear authorized_keys
  copy:
    dest: /etc/dropbear/initramfs/authorized_keys
    mode: 0600
    owner: root
    group: root
    content: |
      ssh-rsa AAAAblahblahsshpubkey foo@bar
  notify: update initramfs

# The format of the ip= kernel parameter is: <client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
# It comes from https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/kinit/ipconfig/README.ipconfig?id=HEAD
- name: Configure boot IP and consoleblanking
  lineinfile:
    path: /etc/default/grub
    regexp: 'GRUB_CMDLINE_LINUX_DEFAULT'
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="ip=192.168.0.10::192.168.0.1:255.255.255.0:somehostname:eth0:none"'
  notify: update grub

Ansible handlers:

- name: update initramfs
  command: update-initramfs -u

- name: update grub
  command: update-grub
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment