Remote unlock encrypted LVM

To unlock fully encrypted servers that use encrypted LVM volumes without physical access to the server or a console, you need an SSH daemon that runs inside the initramfs, before the root file system is mounted. The lightweight SSH server "dropbear" is used for this.

Note: It is assumed that you are logged in as the root user. These instructions are written for Ubuntu but work on other Linux systems as well.

Install the SSH server and the BusyBox shell:

apt-get install dropbear busybox

Then check whether the parameter DROPBEAR in your server's initramfs configuration is set to 'y':

grep DROPBEAR /etc/initramfs-tools/initramfs.conf

If the parameter is missing, add it with the following command:

echo "DROPBEAR=y" >> /etc/initramfs-tools/initramfs.conf

To make the initramfs reachable over the network you also need to change some network settings.

Your initramfs configuration must contain the parameters DEVICE and IP, and they must match your server's network configuration. IP uses the kernel's ip= syntax (client-ip:server-ip:gateway:netmask:hostname:device:autoconf), with unused fields left empty:

echo "DEVICE=eth0" >> /etc/initramfs-tools/initramfs.conf
echo "IP=192.168.1.2::192.168.1.1:255.255.255.0::eth0:off" >> /etc/initramfs-tools/initramfs.conf

After editing the file, run the following command to apply the changes:

update-initramfs -u

Now you need to configure SSH access to your server. To improve your server's security, it is recommended to delete the preinstalled keys:

rm -f /etc/initramfs-tools/root/.ssh/id_*

Then create a new key pair on your client, using PuTTYgen on a Windows client or ssh-keygen on a Linux client. Make sure to use the maximum key size.

After creating the key pair, append the public key to the following file on your server:

/etc/initramfs-tools/root/.ssh/authorized_keys

If everything is configured properly, you should now be able to log in to the server during boot, authenticating with the private key of your key pair.

To unlock your encrypted LVMs, you now need to execute the following command:

echo -n "your password" > /lib/cryptsetup/passfifo

The server will now continue booting and close the connection; if an OpenSSH server is installed, you can log in to the running system as usual afterwards.

Note: Dropbear and OpenSSH present different host keys, but your client stores both under the same entry in its known_hosts file, so you may trigger a host key warning when you connect to the OpenSSH shell after unlocking. Using a separate known_hosts file for the Dropbear connection (ssh -o UserKnownHostsFile=...) avoids this.
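As an added example that is not part of the original article, the following shell script checks the initramfs.conf settings described above before you run update-initramfs, and performs the unlock from the client without putting the passphrase on the command line or into the shell history. The configuration file path and the passfifo path are the ones from the guide; the host address, key file name and separate known_hosts file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check the initramfs-tools
# settings the guide depends on before running update-initramfs, and unlock
# the server from a client without exposing the passphrase in shell history.
# Host name, key file and known_hosts path below are assumptions.

# check_initramfs_conf FILE
# Returns 0 when FILE has DROPBEAR=y, a DEVICE= line and an IP= line in the
# 7-field kernel syntax client:server:gateway:netmask:hostname:device:autoconf
# whose device field matches DEVICE. Prints the first problem found on stderr.
check_initramfs_conf() {
    conf="$1"
    dropbear=$(sed -n 's/^DROPBEAR=//p' "$conf" | tail -n 1)
    device=$(sed -n 's/^DEVICE=//p' "$conf" | tail -n 1)
    ip=$(sed -n 's/^IP=//p' "$conf" | tail -n 1)
    [ "$dropbear" = "y" ] || { echo "DROPBEAR is not set to y" >&2; return 1; }
    [ -n "$device" ] || { echo "DEVICE is missing" >&2; return 1; }
    [ -n "$ip" ] || { echo "IP is missing" >&2; return 1; }
    # Seven fields means exactly six colons in the value.
    colons=$(printf '%s' "$ip" | tr -cd ':' | wc -c | tr -d ' ')
    [ "$colons" -eq 6 ] || { echo "IP has $((colons + 1)) fields, expected 7" >&2; return 1; }
    ip_dev=$(printf '%s' "$ip" | cut -d: -f6)
    [ "$ip_dev" = "$device" ] || { echo "IP device '$ip_dev' does not match DEVICE '$device'" >&2; return 1; }
    return 0
}

# remote_unlock HOST KEYFILE
# Prompts for the passphrase without echo and writes it to the passfifo
# through the Dropbear session (same effect as echo -n ... > passfifo, but
# the passphrase never appears in history or in the remote command line).
# A dedicated known_hosts file keeps Dropbear's host key from colliding with
# the OpenSSH host key the same address presents after boot.
remote_unlock() {
    host="$1"; key="$2"
    printf 'LUKS passphrase: ' >&2
    stty -echo; read -r pass; stty echo; echo >&2
    printf '%s' "$pass" | ssh -i "$key" \
        -o UserKnownHostsFile="$HOME/.ssh/known_hosts.initramfs" \
        "root@$host" 'cat > /lib/cryptsetup/passfifo'
}

# Constructed sample matching the article's values; the gateway 192.168.1.1
# lies on the same /24 as the server address 192.168.1.2.
sample=$(mktemp)
printf 'DROPBEAR=y\nDEVICE=eth0\nIP=192.168.1.2::192.168.1.1:255.255.255.0::eth0:off\n' > "$sample"
check_initramfs_conf "$sample" && echo "initramfs.conf looks consistent"
rm -f "$sample"
# Usage on a real client (not run here): remote_unlock 192.168.1.2 ~/.ssh/initramfs_key
```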
