Remote LUKS unlock

Unlocking your Ubuntu workstation/server locally OR remotely

2015-10-25 sysadmin

On Ubuntu, the FDE (full disk encryption) setup is very straight forward but it’s useful to be able to unlock remotely while on the road when you need to restart your workstation. Here’s how:

First, backup your LUKS header; then do the following:

# Install dropbear
sudo apt-get install dropbear

# Stop dropbear from starting on normal boot.
sudo update-rc.d -f dropbear remove
# Is not necessary if OpenSSH was already installed.
sudo sed -i -e 's/NO_START=0/NO_START=1/' /etc/default/dropbear

# Remove the keys it created, we won't use them.
sudo rm /etc/initramfs-tools/root/.ssh/id_rsa.*
sudo rm -f /etc/dropbear/dropbear_{rsa,dss,ecdsa}_host_key
# Copy back the host key back to initramfs so ssh clients are not confused.
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
# Sadly, dropbear on Ubuntu 14.04 doesn't support ECDSA. The other option is
# to remove the OpenSSH ECDSA key, which is somewhat gross.
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
# Allows user's ssh key to ssh into boot.
sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/

# Create the unlock script.
# Copy the code from https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/
sudo vi /etc/initramfs-tools/hooks/crypt_unlock.sh
sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

# Update the initramfs boot partition.
sudo update-initramfs -u

When unlocking, use ssh root@<hostname> instead of using your normal account. It’ll use the same host key so no need to hack .ssh/config with UserKnownHostsFile as other guides propose.

Notes

This still allows unlocking at the console!
- There’s some junk that will be printed on the console but you can safely ignore it.
I left our IP manipulation, as I’m in the camp that you should do it at the DHCP server.
- Keep dhcp based IP and do not reset the network afterward. I haven’t experienced the need for this.
ssh key: Use my current ssh key instead of the one generated by dropbear.
- I have my ssh key with me but will likely forget to copy the dropbear one while on the road, which defeats the whole point.
- id_rsa_dropbear and id_rsa generated by dropbear is NOT encrypted with a passphrase. Yo Dawg for safety.
- Copying back the host key removes the confusion for the ssh client when connecting to the host and being presented a different host key in boot mode.

References

This post was inspired by a lot of other great posts:

https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/ for handling a static IP.
- https://unix.stackexchange.com/questions/5017/ssh-to-decrypt-encrypted-lvm-during-headless-server-boot for a more concise summary of the above.
https://github.com/chadoe/luks-triple-unlock about using a key hosted on an USB key.
https://askubuntu.com/q/620136 about ECDSA support.
https://matt.ucc.asn.au/dropbear/dropbear.html notes that Debian and Ubuntu use outdated package. Oh well.
https://github.com/Val/dedibox_fully_encrypted_debian_install for idea about copying all host keys.