Unlock LUKS Partition with SSH

Below instructions are for booting your SERVER by connecting and unlocking the encrypted partition via your CLIENT over SSH:

WARNING: Typing your crypto key over network might be secure (due to the secure nature of the SSH connection) as long as you are completely certain that the initramfs has not been subjugated so that there is no MITM attack taking place while you are typing your disk passphrase.

1. Install mandatory packages (on SERVER)

apt-get install dropbear initramfs-tools busybox

Check that Dropbear has disabled itself in /etc/default/dropbear

NO_START=1

2. Append your desired public keys into the SERVER's authorized_keys file

Just copy and paste your public key(s) into /etc/dropbear-initramfs/authorized_keys on SERVER

3. Create the unlock script

Create the following script as /etc/initramfs-tools/hooks/crypt_unlock.sh

#!/bin/sh

PREREQ="dropbear"

prereqs() {
  echo "$PREREQ"
}

case "$1" in
  prereqs)
    prereqs
    exit 0
  ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
# following lines will be executed after the passphrase has been correctly entered
# kill the remote shell
kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
exit 0
fi
exit 1
EOF
  
  chmod 755 "${DESTDIR}/bin/unlock"
  
  mkdir -p "${DESTDIR}/lib/unlock"
cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" == "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
  
  chmod 755 "${DESTDIR}/lib/unlock/plymouth"
  
  echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
  
fi

Make it executable:

chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Create the cleanup script as /etc/initramfs-tools/scripts/init-bottom/cleanup.sh:

#!/bin/sh
echo "Killing dropbear"
killall dropbear
exit 0

...and make it executable:

chmod +x /etc/initramfs-tools/scripts/init-bottom/cleanup.sh

4. Create a static IP (or skip this step to use DHCP)

Edit /etc/initramfs-tools/initramfs.conf to add (or change) the line:

IP=192.168.1.254::192.168.1.1:255.255.255.0::eth0:off

format: 

    IP=${ip}::${gateway_ip}:${netmask}:[${hostname}]:${eth_device}:${autoconf}

([hostname] can be omitted)

In newer kernels eth0 is renamed to enp0s3 (or something like that). Check that out with ls /sys/class/net

5. Update initramfs

WARNING: Be careful if you directly edited /boot/grub/grub.cfg, since it will be overwritten by below command. You may end up with a broken boot sequence. See the important note.

update-initramfs -u

6. Test

1. Reboot your server
2. Connect to your server via ssh [email protected] [-i ~/.ssh/id_rsa]

Advanced configuration

Create a Reverse Tunnel

You may want your SERVER to connect your Link Up Server with SSH, create a reverse tunnel to its SSH Server, so you can connect your SERVER over your Link Up Server, which eliminates the need for firewall forwarding for above process.

(see reverse-tunnel-setup.md)

Run Dropbear on additional ports

(based on https://askubuntu.com/a/840067/371730)

1. Define extra ports:

   --- /usr/share/initramfs-tools/scripts/init-premount/dropbear	2018-09-22 01:55:50.963967412 +0300
   +++ /usr/share/initramfs-tools/scripts/init-premount/dropbear	2018-09-22 01:56:04.091945164 +0300
   @@ -26,7 +26,7 @@
   -    exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs
   +    exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs -p 22 -p 80

2. Update initramfs:

   update-initramfs -u