Remote unlock encrypted LVM

Unlocking a LUKS-encrypted system disk remotely using Dropbear and SSH keys involves several steps. The general idea is to set up an environment where, during the early boot process, your system starts a small SSH server (Dropbear) that allows you to connect remotely and provide the necessary LUKS passphrase to decrypt the system disk. Here’s a simplified walkthrough to achieve this:

A note about config file locations:

Recent releases of Debian (12+), Ubuntu (22.04 LTS+), Linux Mint, and Pop!_OS use the following config files and directories:

New Directory: /etc/dropbear/initramfs/
New config file: /etc/dropbear/initramfs/dropbear.conf
New file containing public keys for public key authentication: /etc/dropbear/initramfs/authorized_keys


Older releases (such as Debian 11 or Ubuntu 20.04 LTS) used the following config files:

Old Directory: /etc/dropbear-initramfs/
Old config file: /etc/dropbear-initramfs/config
Old file containing public keys for public key authentication: /etc/dropbear-initramfs/authorized_keys

###Step 1 – Installing Dropbear on Debian or Ubuntu

#Apply security patches
sudo apt update
sudo apt upgrade
sudo apt install dropbear-initramfs

###Step 2 – Configuring Dropbear to unlock the LUKS-encrypted system

#Use the su command or the sudo command to become the root user:
su -

#Edit the dropbear config file (#old):
cd /etc/dropbear-initramfs/
nano config

#Edit the dropbear config file (#new):
cd /etc/dropbear/initramfs/
nano dropbear.conf

#Edit/Update DROPBEAR_OPTIONS as follows:
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"

#Where the options are as follows:
-I 180 : Disconnect the session if no traffic is sent or received for 180 seconds.
-j : Disable SSH local port forwarding.
-k : Also disable remote port forwarding.
-p 2222 : Make the Dropbear SSH server listen on the specified address and TCP port; in this example TCP/2222. Up to 10 -p options can be given. If no -p option is given, Dropbear listens on all addresses on the default port, TCP/22.
-s : Disable password logins. We are going to set up SSH keys on the Linux / Unix client for authentication, to reduce the attack surface.
-c cryptroot-unlock : Disregard the command supplied by the client and always run the forced command. This also overrides any command= option in authorized_keys. In other words, the disk is unlocked and nothing else happens as soon as you run the ssh command. You can skip this option if you prefer to type cryptroot-unlock manually.

###Step 3 – Configuring static IP

#Edit /etc/initramfs-tools/initramfs.conf:
nano /etc/initramfs-tools/initramfs.conf

#Append the static IP settings Dropbear should use during boot:
IP=185.100.87.250::185.100.87.1:255.255.255.0:debian:eno49

#Where:

IP= – Start static IP config
: – Field separator (the "::" after the client IP leaves the unused <server-ip> field empty)
185.100.87.250 – IPv4 address of the server
185.100.87.1 – Gateway
255.255.255.0 – Netmask
debian – Hostname
eno49 – Network device

#The full syntax for IPv4 and IPv6 static IP settings is as follows:
ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:
<dns-server-0-ip>:<dns-server-1-ip>:<ntp0-ip>

###Step 4 – Updating or generating an initramfs image

#Run update-initramfs whenever you change /etc/initramfs-tools/initramfs.conf or the Dropbear config (old: /etc/dropbear-initramfs/config, new: /etc/dropbear/initramfs/dropbear.conf):
sudo update-initramfs -u

###Step 5 – Copy SSH keys for login

#Copy your desktop client public key ~/.ssh/id_rsa.pub to your server:
(#old)
{client:~}$ cat ~/.ssh/id_rsa.pub | ssh root@185.100.87.250 "cat >> /etc/dropbear-initramfs/authorized_keys"
(#new)
{client:~}$ cat ~/.ssh/id_rsa.pub | ssh root@185.100.87.250 "cat >> /etc/dropbear/initramfs/authorized_keys"

#Update the initrd on the server, since authorized_keys has changed:
{server:~}$ update-initramfs -u

###Step 6 – Test remote LUKS unlocking on the Linux server

#Reboot server
{server:~}$ reboot

#Ping server from client
{client:~}$ ping 185.100.87.250

#Log in using the ssh command once the server replies to ping requests:
{client:~}$ ssh -i ~/.ssh/id_rsa -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@185.100.87.250


- **Continue Boot**: After unlocking the disk, the system should continue its boot process.

### Security Considerations

- **SSH Key Security**: Keep your private SSH key secure and use strong passphrases.
- **Firewall Configuration**: If possible, restrict SSH access to the Dropbear server to known IP addresses.
- **Dropbear Security**: Regularly check for updates to Dropbear to mitigate any security vulnerabilities.

This guide provides a general overview, and specific steps may vary based on your Linux distribution and setup. Always refer to your distribution’s documentation for detailed instructions tailored to your system.
