Unlocking a LUKS-encrypted system disk remotely using Dropbear and SSH keys involves several steps. The general idea is to set up an environment where, during the early boot process, your system starts a small SSH server (Dropbear) that allows you to connect remotely and provide the necessary LUKS passphrase to decrypt the system disk. Here’s a simplified walkthrough to achieve this:
A note about config file locations:

Recent releases of Debian (12+), Ubuntu (22.04 LTS+), Linux Mint, and Pop!_OS use the following new config files and directories:

- New directory: `/etc/dropbear/initramfs/`
- New config file: `/etc/dropbear/initramfs/dropbear.conf`
- New file containing public keys for public key authentication: `/etc/dropbear/initramfs/authorized_keys`

Older releases (such as Debian 11 or Ubuntu 20.04 LTS) used the following config files:

- Old directory: `/etc/dropbear-initramfs/`
- Old config file: `/etc/dropbear-initramfs/config`
- Old file containing public keys for public key authentication: `/etc/dropbear-initramfs/authorized_keys`
### Step 1 – Installing Dropbear on Debian or Ubuntu

```bash
# Apply security patches
sudo apt update
sudo apt upgrade
# Install the initramfs-enabled Dropbear package
sudo apt install dropbear-initramfs
```
### Step 2 – Configuring Dropbear to unlock the LUKS-encrypted system

Use the su command or sudo command to become the root user:

```bash
su -
```

Edit the Dropbear config file (old layout):

```bash
cd /etc/dropbear-initramfs/
nano config
```

Edit the Dropbear config file (new layout):

```bash
cd /etc/dropbear/initramfs/
nano dropbear.conf
```

Edit or update DROPBEAR_OPTIONS as follows:

```
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"
```

Where the options are as follows:

- `-I 180`: Disconnect the session if no traffic is transmitted or received for 180 seconds.
- `-j`: Disable SSH local port forwarding.
- `-k`: Also disable remote port forwarding.
- `-p 2222`: Listen on the specified address and TCP port; in this example, TCP/2222. If no `-p` option is given, Dropbear listens on all addresses on the default TCP/22. Up to 10 `-p` options can be specified.
- `-s`: Disable password logins. We are going to set up SSH keys on a Linux / Unix system for authentication to reduce the attack surface.
- `-c cryptroot-unlock`: Disregard the command provided by the user and always run the forced command. This also overrides any authorized_keys `command=` option. In other words, the disk is unlocked as soon as you run the ssh command and nothing else happens. You can skip this option if you wish to type cryptroot-unlock manually.
### Step 3 – Configuring a static IP

Edit the /etc/initramfs-tools/initramfs.conf file:

```bash
nano /etc/initramfs-tools/initramfs.conf
```

Append the static IP info for Dropbear to use during boot:

```
IP=185.100.87.250::185.100.87.1:255.255.255.0:debian:eno49
```

Where:

- `IP=` – Start static IP config
- `::` – Field separator (the empty second field is the unused `<server-ip>`)
- `185.100.87.250` – IPv4 address
- `185.100.87.1` – Gateway
- `255.255.255.0` – Netmask
- `debian` – Hostname
- `eno49` – Device

The full syntax for IPv4 and IPv6 static IP settings is as follows:

```
ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns-server-0-ip>:<dns-server-1-ip>:<ntp0-ip>
```
### Step 4 – Updating or generating an initramfs image

Run update-initramfs whenever you change /etc/initramfs-tools/initramfs.conf or the Dropbear config file (/etc/dropbear-initramfs/config or /etc/dropbear/initramfs/dropbear.conf):

```bash
sudo update-initramfs -u
```
### Step 5 – Copy SSH keys for login

Copy your desktop client's public key ~/.ssh/id_rsa.pub to your server.

Old layout:

```bash
{client:~}$ cat ~/.ssh/id_rsa.pub | ssh root@185.100.87.250 "cat >> /etc/dropbear-initramfs/authorized_keys"
```

New layout:

```bash
{client:~}$ cat ~/.ssh/id_rsa.pub | ssh root@185.100.87.250 "cat >> /etc/dropbear/initramfs/authorized_keys"
```

Make sure you update the initrd on your server, as changes have been made:

```bash
{server:~}$ update-initramfs -u
```
### Step 6 – Test the Linux server with LUKS remote unlocking enabled

Reboot the server:

```bash
{server:~}$ reboot
```

Ping the server from the client:

```bash
{client:~}$ ping 185.100.87.250
```

Once the server replies to ping requests, log in using the ssh command:

```bash
{client:~}$ ssh -i ~/.ssh/id_rsa -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@185.100.87.250
```

- **Continue Boot**: After unlocking the disk, the system should continue its boot process.
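As an added example (not part of the original guide), the following POSIX shell script checks the two settings edited in Steps 2 and 3 before you run update-initramfs: it verifies that DROPBEAR_OPTIONS still carries the hardening flags (`-s`, `-j`, `-k`, `-c cryptroot-unlock`) and splits the `IP=` line into its fields so a mis-ordered netmask or device name is easy to spot. The function names and the sample config values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the two settings this
# walkthrough edits before running update-initramfs. Function names and
# sample values are constructed for the demo.

# Return 0 if DROPBEAR_OPTIONS carries every hardening flag the guide sets;
# otherwise print the missing ones and return 1.
audit_dropbear_opts() {
    opts="$1"
    missing=""
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;                  # flag present
            *) missing="$missing $flag" ;;
        esac
    done
    case " $opts " in
        *" -c cryptroot-unlock "*) ;;
        *) missing="$missing -c" ;;
    esac
    if [ -n "$missing" ]; then
        echo "DROPBEAR_OPTIONS missing:$missing"
        return 1
    fi
    return 0
}

# Echo field N of an initramfs IP= line (1=client-ip 2=server-ip 3=gw-ip
# 4=netmask 5=hostname 6=device), accepting either the IP= or ip= prefix.
ip_field() {
    line="${1#IP=}"
    line="${line#ip=}"
    printf '%s\n' "$line" | cut -d: -f"$2"
}

# Constructed sample lines mirroring the guide's examples.
GOOD_OPTS='-I 180 -j -k -p 2222 -s -c cryptroot-unlock'
WEAK_OPTS='-p 2222'   # password logins and port forwarding still allowed
IP_LINE='IP=185.100.87.250::185.100.87.1:255.255.255.0:debian:eno49'

audit_dropbear_opts "$GOOD_OPTS" && echo "DROPBEAR_OPTIONS OK"
audit_dropbear_opts "$WEAK_OPTS" || echo "fix the config before update-initramfs -u"
echo "client: $(ip_field "$IP_LINE" 1)  gateway: $(ip_field "$IP_LINE" 3)  device: $(ip_field "$IP_LINE" 6)"
```

To check a live system, feed the script the value of DROPBEAR_OPTIONS from your config file and the IP= line from initramfs.conf instead of the constructed samples.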
### Security Considerations
- **SSH Key Security**: Keep your private SSH key secure and use strong passphrases.
- **Firewall Configuration**: If possible, restrict SSH access to the Dropbear server to known IP addresses.
- **Dropbear Security**: Regularly check for updates to Dropbear to mitigate any security vulnerabilities.
This guide provides a general overview, and specific steps may vary based on your Linux distribution and setup. Always refer to your distribution’s documentation for detailed instructions tailored to your system.