Debian, Encryption, Security

Remote unlocking LUKS encrypted LVM

Install dropbear on server

sudo apt-get install dropbear

Generate an SSH key pair on the client system (the one which will be used to unlock the remote machine)

http://securityblog.gr/3657/how-to-setup-ssh-keys/

Stop dropbear from starting on normal boot on the server (the copy inside the initramfs is started separately and is not affected)

sudo update-rc.d -f dropbear remove

Also disable the regular dropbear service in /etc/default/dropbear (NO_START=1 tells the init script not to start dropbear after the root filesystem is mounted; OpenSSH keeps serving the running system)

sudo sed -i -e 's/NO_START=0/NO_START=1/' /etc/default/dropbear

Remove the key material the package generated at install time (the root key pair made for the initramfs and the auto-generated dropbear host keys); your own SSH key and converted copies of the OpenSSH host keys are used instead

sudo rm /etc/initramfs-tools/root/.ssh/id_rsa.*
sudo rm -f /etc/dropbear/dropbear_{rsa,dss,ecdsa}_host_key

Convert the OpenSSH host keys into dropbear format and place them in the initramfs, so ssh clients see the same host key at the unlock prompt as on the running system (no known_hosts mismatch). Keep in mind that these private keys then sit in the initramfs on the unencrypted /boot partition, readable by anyone with access to the disk. Start with the DSA key (skip it if your OpenSSH release no longer ships ssh_host_dsa_key)

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key

Convert the ECDSA and RSA keys the same way (if dropbearconvert rejects the ECDSA key, your dropbear build predates ECDSA support; skip that key)

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

Insert your SSH public key (.pub) into the remote machine's /etc/dropbear/root_key. First copy it into your normal authorized_keys from the client (the -p option goes before the target)

ssh-copy-id -p port username@remote-server

Then execute the following command on the remote system. The redirect has to run under sudo as well; with a plain "sudo cat ... > file" the shell opens /etc/dropbear/root_key as your unprivileged user and fails with permission denied

sudo sh -c 'cat /home/username/.ssh/authorized_keys > /etc/dropbear/root_key'

Allow your key to log in as root to the boot-time dropbear (this file is bundled into the initramfs, so only list keys that should be able to reach the unlock prompt)

sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/

Create the unlock script

sudo nano /etc/initramfs-tools/hooks/crypt_unlock.sh

Contents

#!/bin/sh
# initramfs-tools hook: ships a small "unlock" helper in the initramfs so a
# remote operator logged in through dropbear can feed the LUKS passphrase to
# cryptroot instead of typing it on the local console.

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then

    # /bin/unlock inside the initramfs: re-run the cryptroot local-top script
    # with our plymouth shim first in PATH so the passphrase is read from the
    # SSH session. The backslashes keep the backticks and $1 literal in the
    # heredoc, so they are evaluated at unlock time, not at hook time.
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    # stop the cryptroot instance still waiting on the local console
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    # following line kills the remote shell right after the passphrase has
    # been entered, so boot continues without an idle session hanging around
    kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    # Fake plymouth: answer "--ping" with failure so cryptroot falls back to
    # a plain prompt on the current tty instead of the splash screen.
    # ("=" rather than "==": the initramfs /bin/sh is busybox, keep it POSIX.)
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd

fi

Make the hook executable, otherwise initramfs-tools ignores it

sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Rebuild the initramfs so the hook, the authorized key and the converted host keys are included (lsinitramfs on the new image should then list the dropbear binary and bin/unlock)

sudo update-initramfs -u

Set a static IP on boot, because nothing inside the initramfs runs DHCP for you before the root filesystem is unlocked

sudo nano /etc/default/grub

Edit this line. The kernel ip= fields are client:server:gateway:netmask:hostname:device:autoconf; replace local_ip and gateway with your addresses, keep the empty server and hostname fields, and use the interface name the kernel gives the NIC inside the initramfs (eth0 here; systems with predictable interface names will call it something like enp0s3). The same value can instead go into the IP= setting of /etc/initramfs-tools/initramfs.conf, which avoids leaving a kernel-configured address on the interface after the real system boots.

GRUB_CMDLINE_LINUX="ip=local_ip::gateway:255.255.255.0::eth0:none"
sudo update-grub

After rebooting, connect to the boot-time dropbear as root (port 22 unless you changed the dropbear options; with the converted host keys there is no host-key warning)

ssh root@server_ip

Execute

unlock

and enter the LUKS passphrase at the prompt. Once it is accepted the unlock script kills your session, the boot continues, and you log back in through the normal OpenSSH service when the system is up. If the passphrase is wrong, unlock exits with status 1 and you can run it again.
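The two steps most likely to strand a headless machine at the passphrase prompt are a malformed ip= string and an initramfs that silently lacks a piece (hook not executable, key in the wrong place, host key not converted). The script below, added here as an example and not part of the original post or the dropbear package, does both pre-reboot checks: it builds the ip= parameter in the exact field order the kernel expects while validating the octets, the netmask and that the gateway lies in the client's subnet, and it checks an lsinitramfs listing for the dropbear binary, authorized_keys, host key, cryptroot script and the unlock helper. The entry paths in REQUIRED_ENTRIES and the 192.0.2.x addresses are assumptions (old initramfs-tools/dropbear layout as used above, with the newer dropbear-initramfs paths as alternatives); adjust them for your release.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the dropbear-in-initramfs unlock setup above.
# Added example for this post, not part of the original tutorial.
# Assumption: the entry paths in REQUIRED_ENTRIES follow the initramfs-tools
# and dropbear layout used in the post; adjust them for your release.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad of four decimal octets 0-255.
# Leading zeros are rejected so the arithmetic below never sees octal.
is_ipv4() {
    _ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int ADDR: print a valid dotted quad as a 32-bit integer.
ip_to_int() {
    _ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# build_ip_param CLIENT GATEWAY NETMASK IFACE
# Prints the kernel "ip=" parameter in the field order the kernel expects
# (client:server:gateway:netmask:hostname:device:autoconf), after checking
# that every address is well formed, the netmask is contiguous and the
# gateway lies inside the client's subnet. Any of these mistakes leaves a
# headless machine unreachable at the passphrase prompt.
build_ip_param() {
    _client=$1 _gw=$2 _mask=$3 _iface=$4
    for _a in "$_client" "$_gw" "$_mask"; do
        is_ipv4 "$_a" || { echo "bad IPv4 address: $_a" >&2; return 1; }
    done
    [ -n "$_iface" ] || { echo "interface name is empty" >&2; return 1; }
    _c=$(ip_to_int "$_client"); _g=$(ip_to_int "$_gw"); _m=$(ip_to_int "$_mask")
    # a contiguous mask is ones followed by zeros, so its 32-bit inverse is 2^k-1
    _inv=$(( ~_m & 4294967295 ))
    [ $(( _inv & (_inv + 1) )) -eq 0 ] \
        || { echo "non-contiguous netmask: $_mask" >&2; return 1; }
    [ $(( _c & _m )) -eq $(( _g & _m )) ] \
        || { echo "gateway $_gw is outside $_client/$_mask" >&2; return 1; }
    echo "ip=$_client::$_gw:$_mask::$_iface:none"
}

# Roles that must be present in the generated initramfs, one per line;
# alternative paths for the same role are separated by '|' because the
# dropbear files moved between releases (assumed paths, see header comment).
REQUIRED_ENTRIES="sbin/dropbear|usr/sbin/dropbear
root/.ssh/authorized_keys|etc/dropbear-initramfs/authorized_keys
etc/dropbear/dropbear_rsa_host_key|etc/dropbear-initramfs/dropbear_rsa_host_key
scripts/local-top/cryptroot
bin/unlock
lib/unlock/plymouth"

# check_initramfs_listing FILE: FILE holds the output of
#   lsinitramfs /boot/initrd.img-$(uname -r)
# Reports each missing role on stderr and returns the number of missing
# roles, so 0 means the image is ready to reboot into.
check_initramfs_listing() {
    _file=$1 _missing=0
    for _role in $REQUIRED_ENTRIES; do
        _found=0
        _ifs=$IFS; IFS='|'; set -f; set -- $_role; set +f; IFS=$_ifs
        for _path in "$@"; do
            # lsinitramfs may print entries with or without a leading "./"
            if grep -qxF -e "$_path" -e "./$_path" "$_file"; then
                _found=1; break
            fi
        done
        if [ "$_found" -eq 0 ]; then
            echo "missing from initramfs: $_role" >&2
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# Usage on the server before rebooting (sample addresses, replace with yours):
#   build_ip_param 192.0.2.10 192.0.2.1 255.255.255.0 eth0    # paste into GRUB_CMDLINE_LINUX
#   lsinitramfs /boot/initrd.img-$(uname -r) > /tmp/initrd.lst \
#     && check_initramfs_listing /tmp/initrd.lst
```

Run it on the server after update-initramfs and update-grub but before the reboot; a non-zero return from check_initramfs_listing names exactly which piece the image is missing, and build_ip_param refuses to print anything the kernel would not be able to bring up.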

Reference
* https://maruel.net/post/remote-luks-unlock/
* https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/
* https://www.eugenemdavis.com/set-static-ip-initramfs.html