@mfrister
Created December 18, 2015 20:01
Remote unlock via SSH for encrypted root volume (Ubuntu 14.04.3)

Install dropbear SSH server with automated hooks for being included in an initramfs.

apt-get install dropbear

Remove the default private/public key pair used for login, remove the insecure 1024-bit RSA host key and generate a new 2048-bit RSA host key. The DSS host key has to stay: deleting it would only get it regenerated, and dropbear won't start without it, so make sure to use RSA when connecting:

rm /etc/initramfs-tools/root/.ssh/id_rsa.{dropbear,pub}
rm /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
dropbearkey -t rsa -s 2048 -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

Add public keys to /etc/initramfs-tools/root/.ssh/authorized_keys.

Make dropbear run on port 222: edit /usr/share/initramfs-tools/scripts/init-premount/dropbear and change one of the last few lines that start dropbear to:

/sbin/dropbear -p 222

Regenerate initramfs:

update-initramfs -u
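Before regenerating the initramfs it is worth checking that the steps above actually took: the stock login key pair is gone, authorized_keys carries an RSA key, both host key files are non-empty and the premount script starts dropbear on port 222. The script below is an added example, not part of the gist; it takes a root directory so it can be run offline against a staging tree as well as against / on the real system.

```shell
#!/bin/sh
# Added example (not part of the gist): sanity-check the dropbear initramfs
# setup described above before (re)running update-initramfs. ROOT is normally
# "/", but a staging directory can be passed so the checks run offline.
check_dropbear_initramfs() {
    root="${1%/}"                       # "/" becomes "", so paths stay clean
    sshdir="$root/etc/initramfs-tools/root/.ssh"
    keydir="$root/etc/initramfs-tools/etc/dropbear"
    premount="$root/usr/share/initramfs-tools/scripts/init-premount/dropbear"
    status=0

    # 1. Only authorized_keys belongs in root/.ssh: any leftover id_rsa.* is
    #    a login key pair baked into the initramfs, which the rm above removes.
    for f in "$sshdir"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            authorized_keys) ;;
            *) echo "FAIL: unexpected file in initramfs .ssh: $f"; status=1 ;;
        esac
    done

    # 2. authorized_keys must hold at least one RSA public key (the DSS host
    #    key stays, so clients are expected to use RSA).
    if ! grep -q '^ssh-rsa ' "$sshdir/authorized_keys" 2>/dev/null; then
        echo "FAIL: no ssh-rsa entry in $sshdir/authorized_keys"; status=1
    fi

    # 3. Both host key files must exist and be non-empty; an empty key file
    #    is the 'bad buf_getptr' failure from the troubleshooting section.
    for k in dropbear_rsa_host_key dropbear_dss_host_key; do
        if [ ! -s "$keydir/$k" ]; then
            echo "FAIL: $keydir/$k missing or empty"; status=1
        fi
    done

    # 4. The premount script must start dropbear on port 222 as edited above.
    if ! grep -q 'dropbear -p 222' "$premount" 2>/dev/null; then
        echo "FAIL: $premount does not start dropbear on port 222"; status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: initramfs dropbear config looks sane"
    return "$status"
}

# Run directly with a root directory, e.g. `sh check.sh /`; with no argument
# the function is only defined (handy for sourcing).
if [ $# -gt 0 ]; then
    check_dropbear_initramfs "$1"
fi
```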

Log in

Find the cryptsetup command by running ps | grep cryptsetup and run it yourself; killing plymouth afterwards makes the boot process continue.

Unlocking then looks like this:

# /sbin/cryptsetup -T 1 --allow-discards luksOpen /dev/disk/by-uuid/<SOME UUID> sda3_crypt
Enter passphrase for /dev/disk/by-uuid/<SOME UUID>:
# kill -9 `pidof plymouth`

Troubleshooting

If you get "connection refused" when trying to connect, dropbear might be failing to start. You can use a rescue shell (add break=premount to the grub line beginning with linux) for debugging. Try to start dropbear with dropbear -F -E (foreground, logging to stderr) and see what happens.

I had one of the key files accidentally empty, which resulted in an error message including bad buf_getptr.

See also

  • /usr/share/initramfs-tools/hooks/dropbear - script that sets up dropbear in initramfs
  • /usr/share/initramfs-tools/scripts/init-premount/dropbear - script that starts dropbear

Quite a few of the following pages confuse how dropbear is configured on the root system vs. the initramfs and might also confuse or complicate other things. These are just the pages I looked at when setting this up.
