Remote LUKS unlock

Unlocking your Ubuntu workstation/server locally OR remotely
2015-10-25 sysadmin

On Ubuntu, the FDE (full disk encryption) setup is very straightforward, but it’s useful to be able to unlock remotely while on the road when you need to restart your workstation. Here’s how:

First, back up your LUKS header; then do the following:

# Install dropbear
sudo apt-get install dropbear

# Stop dropbear from starting on normal boot; we only want it in the initramfs.
sudo update-rc.d -f dropbear remove
# The next step is not necessary if OpenSSH was already installed.
sudo sed -i -e 's/NO_START=0/NO_START=1/' /etc/default/dropbear

# Remove the keys it created; we won't use them.
sudo rm /etc/initramfs-tools/root/.ssh/id_rsa.*
sudo rm -f /etc/dropbear/dropbear_{rsa,dss,ecdsa}_host_key
# Copy the OpenSSH host keys into the initramfs so ssh clients are not confused.
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
# Sadly, dropbear on Ubuntu 14.04 doesn't support ECDSA, so this conversion may fail there.
# The other option is to remove the OpenSSH ECDSA key, which is somewhat gross.
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
# Allow your user's ssh key to log into the boot-time (initramfs) shell as root.
sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/

# Create the unlock script.
# Copy the code from
sudo vi /etc/initramfs-tools/hooks/
sudo chmod +x /etc/initramfs-tools/hooks/

# Update the initramfs boot partition.
sudo update-initramfs -u

When unlocking, ssh in as root@<hostname> rather than with your normal account. Because the initramfs dropbear uses the same host key as OpenSSH, there is no need to hack .ssh/config with UserKnownHostsFile as other guides propose.
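
As an added example, not the post's own unlock script (the one the post says to copy is not reproduced here), this is an initramfs hook I would put at a path such as /etc/initramfs-tools/hooks/crypt_unlock (name assumed). It installs a small unlock helper into the initramfs, so that after ssh root@<hostname> you run unlock and type the passphrase, which is forwarded to the askpass process cryptroot left waiting on the console; nothing secret is embedded, since the initramfs lives on the unencrypted /boot. It assumes the prompt is handled by cryptsetup's askpass, which waits on the named pipe /lib/cryptsetup/passfifo (i.e. no plymouth in the initramfs); the helper refuses to run if that pipe is absent.

```shell
#!/bin/sh
# Example initramfs hook (assumed path: /etc/initramfs-tools/hooks/crypt_unlock).
# It writes /bin/unlock into the initramfs staging directory. Run by
# update-initramfs with "prereqs" first, then with DESTDIR set.
# Assumption: the initramfs askpass polls /lib/cryptsetup/passfifo.

hook_prereqs() {
    # Run after the dropbear hook so the initramfs layout is already in place.
    echo "dropbear"
}

install_unlock_helper() {
    # $1 is the initramfs staging directory (DESTDIR under update-initramfs).
    dest="$1"
    mkdir -p "$dest/bin"
    cat > "$dest/bin/unlock" <<'EOF'
#!/bin/sh
# Runs inside the initramfs, from the dropbear root shell.
FIFO=/lib/cryptsetup/passfifo
if [ ! -p "$FIFO" ]; then
    echo "askpass is not waiting on $FIFO (cryptroot not started, or already unlocked)" >&2
    exit 1
fi
# Suppress terminal echo while the passphrase is typed, if stty is available.
command -v stty >/dev/null 2>&1 && stty -echo
printf 'LUKS passphrase: '
read -r pass
command -v stty >/dev/null 2>&1 && stty echo
echo
# Hand the passphrase to askpass; it unlocks the volume and boot continues.
printf '%s' "$pass" > "$FIFO"
unset pass
echo "passphrase handed to askpass; boot should continue"
EOF
    chmod 0755 "$dest/bin/unlock"
}

case "${1:-}" in
    prereqs) hook_prereqs; exit 0 ;;
esac
if [ -n "${DESTDIR:-}" ]; then
    install_unlock_helper "$DESTDIR"
fi
```

After sudo update-initramfs -u, reboot, ssh root@<hostname>, and run unlock; if it reports that the pipe is missing, the prompt is being handled by plymouth rather than askpass and this helper does not apply.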

This post was inspired by a lot of other great posts: