Remote unlock encrypted LVM
To unlock fully encrypted servers that use encrypted LVM without physical access to the server or a console, you need an SSH daemon that runs before the initramfs mounts the root file system. The small SSH server "dropbear" can do this.
Note: It is assumed that you are logged in as the root user. The paths shown are for Ubuntu; the same approach works on other distributions that use initramfs-tools.
First install the SSH server and the BusyBox shell with the following command:
apt-get install dropbear busybox
Then check that the parameter DROPBEAR in your server's initramfs configuration is set to 'y':
grep DROPBEAR /etc/initramfs-tools/initramfs.conf
If the parameter is missing, add it with the following command:
echo "DROPBEAR=y" >> /etc/initramfs-tools/initramfs.conf
To make the initramfs reachable over the network you also need to set some network parameters.
Your initramfs configuration must contain the parameters DEVICE and IP, and they must match your server's network configuration:
echo "DEVICE=eth0" >> /etc/initramfs-tools/initramfs.conf
echo "IP=192.168.1.2::220.127.116.11:255.255.255.0::eth0:off" >> /etc/initramfs-tools/initramfs.conf
The IP value follows the kernel's field order client:server:gateway:netmask:hostname:device:autoconf. In this example the client address is 192.168.1.2, the third field is the gateway, the netmask is 255.255.255.0, the device is eth0 and autoconfiguration (DHCP) is off; replace these values with your server's own.
After editing the file you have to rebuild the initramfs to apply the changes:
update-initramfs -u
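The configuration steps above append lines with "echo ... >>", which leaves duplicate DROPBEAR=, DEVICE= and IP= entries behind if you run them a second time. The following added example (not code from the original article) sets each key exactly once and builds the IP= value in the kernel's field order. The configure_dropbear_network helper, the function names and the placeholder addresses are assumptions made here; the file path is the one the article uses.

```shell
#!/bin/sh
# Added example, not part of the original article: helpers that set the
# initramfs.conf keys idempotently (re-running "echo ... >> initramfs.conf"
# appends duplicate lines) and build the IP= value in the kernel's field order.
set -eu

# set_conf_key FILE KEY VALUE
# Rewrite an existing "KEY=..." line in FILE, or append one if none exists.
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
        # keep every other line, rewrite the one that starts with KEY=
        awk -v k="$key" -v v="$value" \
            'index($0, k "=") == 1 { print k "=" v; next } { print }' "$file" > "$tmp"
    else
        if [ -f "$file" ]; then cat "$file" > "$tmp"; fi
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_conf_key FILE KEY
# Print the value of the last "KEY=..." line (empty if the key is absent).
get_conf_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# build_ip_param CLIENT_IP GATEWAY NETMASK DEVICE
# Kernel/initramfs format: client:server:gateway:netmask:hostname:device:autoconf
# server and hostname are left empty; autoconf "off" disables DHCP.
build_ip_param() {
    printf '%s::%s:%s::%s:off\n' "$1" "$2" "$3" "$4"
}

# configure_dropbear_network CONF CLIENT_IP GATEWAY NETMASK DEVICE
# Sets DROPBEAR=y, DEVICE and IP in CONF without creating duplicates.
configure_dropbear_network() {
    conf=$1
    set_conf_key "$conf" DROPBEAR y
    set_conf_key "$conf" DEVICE "$5"
    set_conf_key "$conf" IP "$(build_ip_param "$2" "$3" "$4" "$5")"
}

# Usage on the server as root (addresses are placeholders, use your own):
#   configure_dropbear_network /etc/initramfs-tools/initramfs.conf \
#       192.168.1.2 <gateway-ip> 255.255.255.0 eth0
#   update-initramfs -u
```

Running configure_dropbear_network twice leaves a single DROPBEAR=, DEVICE= and IP= line each, and any other settings already in the file (MODULES=, for example) are untouched.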
Now you need to configure SSH access to your server. To improve your server's security, it is recommended to delete the preinstalled keys:
rm -f /etc/initramfs-tools/root/.ssh/id_*
Then create a new key pair on your client. Use PuTTYgen on a Windows client or ssh-keygen on a Linux client, and choose the maximum key size.
After creating the key pair, append the public key to the following file on your server:
/etc/initramfs-tools/root/.ssh/authorized_keys
(Newer releases that ship the dropbear-initramfs package use /etc/dropbear-initramfs/authorized_keys instead.) Then run update-initramfs -u again so the rebuilt initramfs contains the key.
If everything is configured properly, you should now be able to log in to the initramfs over SSH using the private key of your key pair for authentication.
To unlock your encrypted LVM, log in to the initramfs over SSH and write the passphrase to the cryptsetup FIFO with the following command:
echo -n "your password" > /lib/cryptsetup/passfifo
The server now continues booting and dropbear closes the connection; once the system is up, the regular OpenSSH server (if installed) accepts logins. On newer releases the initramfs provides the cryptroot-unlock command, which prompts for the passphrase instead of exposing the FIFO directly.
Note: Because your SSH client records both the dropbear host key and the OpenSSH host key for the same address in one known_hosts file, you may get a host-key-changed warning when you connect to the OpenSSH shell after boot.
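The known_hosts warning above is worth keeping visible rather than silencing, because a changed host key is also what a real impersonation of the server looks like. The following added client-side example (not code from the original article) does two things: find_host_key_conflicts lists hosts that have more than one key recorded in a known_hosts file, so you can tell a known dropbear/OpenSSH clash from an unexpected key change, and dropbear_ssh keeps the initramfs host key in its own file under its own alias so the two keys never collide. It assumes the private key for the initramfs is stored at ~/.ssh/id_initramfs and that the initramfs BusyBox shell provides cat; both are assumptions made here, not settings from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: client-side helpers for the
# dropbear instance that runs inside the initramfs.
set -eu

# find_host_key_conflicts FILE
# Print each host name that appears in FILE with two or more distinct keys.
# known_hosts lines look like: "host[,host2] keytype base64key [comment]".
# Hashed entries (|1|...) are skipped because their host names are not readable.
find_host_key_conflicts() {
    file=$1
    awk '
        substr($0, 1, 1) == "#" || NF < 3 || substr($0, 1, 3) == "|1|" { next }
        substr($0, 1, 1) == "@" { sub(/^@[^ ]+ /, "") }   # drop @cert-authority / @revoked markers
        {
            n = split($1, hosts, ",")
            key = $2 " " $3
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                if (!(h in seen) || seen[h] != key) {
                    if (h in seen) conflict[h] = 1
                    seen[h] = key
                }
            }
        }
        END { for (h in conflict) print h }
    ' "$file" | sort
}

# dropbear_ssh HOST [REMOTE_COMMAND...]
# Connect to the initramfs dropbear with a dedicated known_hosts file and a
# HostKeyAlias, so its host key is stored apart from the OpenSSH host key of
# the same address. Key path and alias scheme are assumptions of this example.
dropbear_ssh() {
    host=$1; shift
    ssh -o UserKnownHostsFile="$HOME/.ssh/known_hosts.initramfs" \
        -o HostKeyAlias="${host}-initramfs" \
        -i "$HOME/.ssh/id_initramfs" \
        "root@$host" "$@"
}

# remote_unlock HOST
# Prompt for the passphrase without echo and without putting it on the local
# command line, then feed it over stdin into the FIFO the article writes to
# (/lib/cryptsetup/passfifo). Assumes the initramfs shell provides cat.
remote_unlock() {
    host=$1
    printf 'Passphrase for %s: ' "$host" >&2
    stty -echo 2>/dev/null || true
    IFS= read -r pass
    stty echo 2>/dev/null || true
    printf '\n' >&2
    printf '%s' "$pass" | dropbear_ssh "$host" 'cat > /lib/cryptsetup/passfifo'
}

# Usage from the client, e.g.:
#   find_host_key_conflicts ~/.ssh/known_hosts
#   remote_unlock 192.168.1.2
```

With the separate known_hosts file in place, a host-key-changed warning on the regular OpenSSH login is no longer expected noise and should be investigated.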