Unlock LUKS via SSH in Debian

As already described in my previous post (Headless Debian install via SSH), I am dealing with a headless system. As I am encrypting my system and drives with LUKS, I need a way to enter the password in case of a reboot.

So what is the solution

1. Install Dropbear on the server

apt-get install dropbear

2. Configure initramfs network usage; edit “/etc/initramfs-tools/initramfs.conf”. You probably have to add the lines for dropbear and update the device string.

This configuration is using DHCP to obtain an IP, if you have a static configuration, use:

# DROPBEAR: [ y | n ]
# Use dropbear if available.


3. Delete the standard private and public keys on the server

rm /etc/initramfs-tools/root/.ssh/id_rsa
rm /etc/initramfs-tools/root/.ssh/id_rsa.pub

4. Create your own key pair (we assume you use id_rsa as a name) on your client machine and upload it to the server.

scp ~/.ssh/id_rsa.pub myuser@debian_headless:id_rsa.pub

5. Then log in to the server and add the key to authorized_key file an remove the public key on the server.

ssh myuser@debian_headless
sudo sh -c "cat id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys"
rm id_rsa.pub

6. Now we need to update initramfs and grub

update-initramfs -u -k all

7. On some configurations the network won’t get reconfigured on runtime values, hence we need to trigger an update. Edit “/etc/network/interfaces” and add as first line of the primary interface:

pre-up ip addr flush dev eth0

8. Restart server and log in from your client

ssh -i ~/.ssh/id_rsa root@<server-ip>

9. Set the password to unlock

echo -n "<LUKS encryption password>" > /lib/cryptsetup/passfifo

The server should now boot normally and regular SSH should come up.

Optional: You can also create a little script for the passphrase in “/etc/initramfs-tools/hooks/unlock”

 echo "$PREREQ"
 case $1 in
 exit 0
. /usr/share/initramfs-tools/hook-functions
cat > "${DESTDIR}/root/unlock" << EOF #!/bin/sh /lib/cryptsetup/askpass 'passphrase: ' > /lib/cryptsetup/passfifo
chmod u+x "${DESTDIR}/root/unlock"
exit 0

Do not forget to make it executable

chmod +x /etc/initramfs-tools/hooks/unlock

And update initramfs

update-initramfs -u -k all

Headless Debian install via SSH

Having build a NAS system recently, I realized I do not have any monitors or keyboards at home anymore. Hence installing Debian will be hard.

I looked around and the solution would be a headless install via ssh.

This post is based on some work from S.G. Vulcan’s post Installing Debian using only SSH

His post was a good start, but I only could make it work for a Debian Jessie netinstall image after some changes.

So what is the solution

1. Download the latest netinstall image from Debian, I used “debian-8.3.0-amd64-netinst.iso”

2. Mount the ISO to a folder

mkdir isoorig
mount -o loop -t iso9660 debian-8.3.0-amd64-netinst.iso isoorig

3. Copy to new folder called isonew

mkdir isonew rsync -a -Hexclude=TRANS.TBL isoorig/ isonew

4. Change the menu to load SSH on boot by default, edit isonew/isolinux/txt.cfg


“menu default” from “label install”

Here I changed the vga parameters and adapted the kernel parameters to arm to match my original ISO.

label netinstall
menu label ^Install Over SSH 
menu default
kernel /install.arm/vmlinuz
append auto=true vga=788 file=/cdrom/preseed.cfg initrd=/install.arm/initrd.gz locale=en_US console-keymaps-at/keymap=us


“default install” to “default netinstall”

5. Create isonew/preseed.cfg file

I adapted the locale and keyboard settings for Germany and added the selection of the keyboard-configuration. This would otherwise be an open question during the install and we won’t reach the SSH startup.
Also I added a check for non-free firmware, which popped up on one of my machines which had wireless.

#### Contents of the preconfiguration file
### Localization
# Locale sets language and country.
d-i debian-installer/locale select de_DE
# Keyboard selection.
d-i console-keymaps-at/keymap select de
d-i keyboard-configuration/xkb-keymap select de
### Network configuration
# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto
# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/get_hostname string newdebian
d-i netcfg/get_domain string local
# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean true
# The wacky dhcp hostname that some ISPs use as a password of sorts.
#d-i netcfg/dhcp_hostname string radish
d-i preseed/early_command string anna-install network-console
# Setup ssh password
d-i network-console/password password install
d-i network-console/password-again password install

6. Recreate md5sum.txt
md5sum.txt is read only, so you need to change this. Also I had better luck with creating the md5sum.txt with the changed command below.

chmod 666 md5sum.txt
find -follow -type f -exec md5sum {} \; > md5sum.txt
chmod 444 md5sum.txt

7. Create ISO file to burn

xorriso -as mkisofs -D -r -J -joliet-long -l -V "Debian headless" -b isolinux/isolinux.bin -c isolinux/boot.cat -iso-level 3 -no-emul-boot -partition_offset 16 -boot-load-size 4 -boot-info-table -isohybrid-mbr /usr/lib/syslinux/isohdpfx.bin -o ../debian-8.3.0-amd64-netinst-headless.iso ../isonew

xorriso is creating a correct partition table, which is for some reason not done with mkisofs only. If you do not have it installed use “apt-get install xorriso”.
The original command would work in VMs, maybe even on a cd-rom, however not for USB sticks.

8. Use the ISO

The ISO can be burned to an USB stick and used to boot. It will automatically configure the network with DHCP (yes, you need to have a way to find the IP, e.g. on your router) and start SSH.

The user for the ssh connection is “installer” the password is “install”