Debian: Unlock LUKS root partition remotely by SSH using dropbear

Scenario

  • You want to unlock a system remotely during the boot process.
  • Your root filesystem lives on an LVM logical volume.
  • The LVM physical volume is a LUKS-encrypted partition (LVM on LUKS), so nothing can be mounted before the passphrase is entered.
  • You’re running Debian 10/Buster on the remote system.

How To

This tutorial describes an option to unlock your system remotely using SSH and dropbear.

apt-get install -yy dropbear-initramfs cryptsetup-initramfs lvm2

# Options passed to dropbear inside the initramfs (this overwrites the packaged config file):
# -R create host keys on demand, -F stay in the foreground, -E log to stderr,
# -s no password logins, -j/-k no local/remote port forwarding
echo 'DROPBEAR_OPTIONS="-RFEsjk"' > /etc/dropbear-initramfs/config

# Only the listed public key may log in, and it can only run cryptroot-unlock
echo 'no-port-forwarding,no-agent-forwarding,no-x11-forwarding,command="/bin/cryptroot-unlock" <YOUR_PUBLIC_KEY>' > /etc/dropbear-initramfs/authorized_keys

# Check that /etc/crypttab contains an entry like the following for the LUKS device
# (adjust the mapping name and the device path to your system):
sda2_crypt /dev/sda2 none luks,initramfs

# Add network support to the initramfs. Replace the placeholders with your server's network
# configuration; the field order is client-ip:server-ip:gateway:netmask:hostname:device:autoconf
# and server-ip is left empty here. The single quotes write the placeholders literally, so
# substitute them before running the command.
echo 'IP="${ip_address}::${gateway_ip}:${netmask}:${optional_fqdn}:${interface_name}:none"' > /etc/initramfs-tools/conf.d/ip

update-initramfs -k all -u

Explanation

  • Package dropbear-initramfs adds an SSH server to the initramfs, so the system can be reached before the root filesystem is mounted.
  • Package cryptsetup-initramfs provides the scripts that unlock the LUKS device during the initramfs stage, including cryptroot-unlock.
  • Package lvm2 is required to activate the LVM volumes after the LUKS device has been unlocked, so the root volume can be found and mounted.
  • The options in /etc/dropbear-initramfs/config are passed to dropbear(8): -R creates host keys on demand, -F keeps dropbear in the foreground, -E logs to stderr, -s disables password logins, and -j/-k disable local and remote port forwarding. The boot process itself pauses at the cryptsetup passphrase prompt; dropbear runs alongside it so the passphrase can be supplied over SSH.
  • You have to add the public half of your local SSH key to /etc/dropbear-initramfs/authorized_keys. Make sure the dropbear version shipped with Buster accepts the key type you use; an RSA key is a safe choice.
    • The command="/bin/cryptroot-unlock" restriction makes that key run cryptroot-unlock directly after login instead of a shell, and the no-*-forwarding options keep the key from being used for anything else.
  • The entry in /etc/crypttab tells the cryptsetup hook to include that LUKS device in the initramfs and to set it up there. The device holding the root filesystem is detected automatically; the initramfs option forces inclusion and is needed for any further device that should be unlocked at the same time.
  • Through the IP option the initramfs configures the given network device, so you can connect to dropbear at boot time.
    • Without an IP configuration that works for your network, no address is brought up and dropbear is unreachable.
    • The IP parameter was originally meant for mounting the root filesystem from an NFS server (see the kernel's nfsroot documentation), but it can also be used to just assign an address.
    • You can also use DHCP for the address:
      • ip=::::${optional_fqdn}:${device}:dhcp
  • Don’t forget to run update-initramfs so dropbear, the authorized key and the IP settings end up in the initramfs images.
  • Now you can reboot the system and unlock it via SSH.
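The How To commands and the explanation above, put together as a script with the checks a practitioner would run before rebooting: it refuses to continue if /etc/crypttab has no matching entry, builds the IP line from its fields (so the nfsroot field order cannot be mixed up), writes the restricted authorized_keys line, and after update-initramfs lists the new image to confirm dropbear, the key, cryptroot-unlock and the crypttab copy are really inside it. This is an added example, not code from the original page or from Debian; the function names, the sample addresses in the comments and the file names looked for in the lsinitramfs listing are assumptions.

```shell
#!/bin/sh
# Added example for the dropbear-initramfs setup described above (not from the page).
# Hypothetical helper names; sample values are constructed for illustration.
set -eu

# Build the initramfs-tools IP= line. nfsroot field order is
# client-ip:server-ip:gateway:netmask:hostname:device:autoconf; server-ip stays empty.
build_ip_line() {
    # $1 address, $2 gateway, $3 netmask, $4 hostname, $5 interface
    printf 'IP="%s::%s:%s:%s:%s:none"\n' "$1" "$2" "$3" "$4" "$5"
}

# DHCP variant: only hostname and interface are filled in.
build_dhcp_ip_line() {
    # $1 hostname, $2 interface
    printf 'IP="::::%s:%s:dhcp"\n' "$1" "$2"
}

# Restricted authorized_keys line: the key may only run cryptroot-unlock and
# gets no port, agent or X11 forwarding.
build_authorized_key_line() {
    # $1 full public key line, e.g. "ssh-rsa AAAA... user@laptop"
    printf 'no-port-forwarding,no-agent-forwarding,no-x11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$1"
}

# Return 0 if crypttab has an entry for the mapping name whose option field
# contains both "luks" and "initramfs"; comments and blank lines are skipped.
crypttab_has_initramfs_entry() {
    # $1 crypttab path, $2 mapping name (e.g. sda2_crypt)
    awk -v name="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == name {
            l = 0; r = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "luks") l = 1
                if (o[i] == "initramfs") r = 1
            }
            if (l && r) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Apply the configuration on the target host (needs root, Debian 10).
configure_remote_unlock() {
    # $1 public key line, $2 address, $3 gateway, $4 netmask, $5 hostname,
    # $6 interface, $7 crypttab mapping name
    crypttab_has_initramfs_entry /etc/crypttab "$7" || {
        echo "/etc/crypttab: no '$7' entry with luks,initramfs options" >&2
        return 1
    }
    apt-get install -y dropbear-initramfs cryptsetup-initramfs lvm2
    # Overwrites the packaged config: foreground, stderr logging, no passwords, no forwarding
    echo 'DROPBEAR_OPTIONS="-RFEsjk"' > /etc/dropbear-initramfs/config
    build_authorized_key_line "$1" > /etc/dropbear-initramfs/authorized_keys
    chmod 600 /etc/dropbear-initramfs/authorized_keys
    build_ip_line "$2" "$3" "$4" "$5" "$6" > /etc/initramfs-tools/conf.d/ip
    update-initramfs -u -k all
}

# Before rebooting: confirm the rebuilt image carries what the remote unlock needs.
# The path patterns are assumptions about where the hooks place the files.
verify_initramfs() {
    # $1 initramfs image, e.g. /boot/initrd.img-$(uname -r)
    listing=$(lsinitramfs "$1")
    for pattern in 'bin/dropbear$' 'authorized_keys$' 'bin/cryptroot-unlock$' 'cryptroot/crypttab$'; do
        echo "$listing" | grep -q "$pattern" || {
            echo "missing in $1: $pattern" >&2
            return 1
        }
    done
}

# Usage on the server (root):
#   configure_remote_unlock "$(cat /root/unlock_key.pub)" 192.0.2.10 192.0.2.1 255.255.255.0 srv.example eth0 sda2_crypt
#   verify_initramfs "/boot/initrd.img-$(uname -r)"
```

The crypttab check matters because the mapping name in the authorized_keys command and the prompt you will see over SSH both come from that file; verify_initramfs is cheap insurance against rebooting into an image that was built before the hook scripts were installed.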

Example

With a working configuration, connecting while the server is waiting for the passphrase during boot looks like this:

user@localhost:~$ ssh root@123.45.67.89
The authenticity of host '123.45.67.89 (123.45.67.89)' can't be established.
RSA key fingerprint is SHA256:W9CvWlZYo1I2A4Aed0tpkz2knOfUuIpcRTR74OJhLWKo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '123.45.67.89' (RSA) to the list of known hosts.
[222] Dec 22 12:58:56 lastlog_perform_login: Couldn't stat /var/log/lastlog: No such file or directory
[222] Dec 22 12:58:56 lastlog_openseek: /var/log/lastlog is not a file or directory!
Please unlock disk sda2_crypt: 
cryptsetup: sda2_crypt set up successfully
Connection to 123.45.67.89 closed.

Notes

  • This setup also works for unlocking multiple devices with different passphrases: cryptroot-unlock asks for every device that is still locked.
  • This was tested on Debian 10 only; file paths, package names and the dropbear version may differ in other releases.
  • The lastlog warnings in the example are harmless: dropbear tries to record the login in /var/log/lastlog, which does not exist inside the initramfs. Whether lastlog is used is a compile-time option of dropbear, so the Debian build cannot switch it off at run time.

References