Unlock LUKS via SSH in Debian

As already described in my previous post (Headless Debian install via SSH), I am dealing with a headless system. As I am encrypting my system and drives with LUKS, I need a way to enter the password in case of a reboot.

So what is the solution?

1. Install Dropbear on the server

apt-get install dropbear

2. Configure initramfs network usage; edit “/etc/initramfs-tools/initramfs.conf”. You probably have to add the lines for dropbear and update the device string.

This configuration uses DHCP to obtain an IP address. If you have a static configuration, use:
IP=<SERVER-IP>::<STANDARD-GATEWAY>:<SUBNETMASK>:<HOSTNAME>:eth0:off

# 
# DROPBEAR: [ y | n ]
# 
# Use dropbear if available.
# 

DROPBEAR=y
DEVICE=eth0
IP=:::::eth0:dhcp

3. Delete the standard private and public keys on the server

rm /etc/initramfs-tools/root/.ssh/id_rsa
rm /etc/initramfs-tools/root/.ssh/id_rsa.pub

4. Create your own key pair (we assume you use id_rsa as a name) on your client machine and upload it to the server.

ssh-keygen
scp ~/.ssh/id_rsa.pub myuser@debian_headless:id_rsa.pub

5. Then log in to the server, append the key to the authorized_keys file and remove the uploaded public key from the server.

ssh myuser@debian_headless
sudo sh -c "cat id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys"
rm id_rsa.pub

6. Now we need to update initramfs and grub

update-initramfs -u -k all
update-grub2

7. On some configurations the network does not get reconfigured with the runtime values once the initramfs hands over to the real system, hence we need to trigger an update. Edit “/etc/network/interfaces” and add as first line of the primary interface:

pre-up ip addr flush dev eth0

8. Restart the server and log in from your client

ssh -i ~/.ssh/id_rsa root@<server-ip>

9. Provide the password to unlock the encrypted volume

echo -n "<LUKS encryption password>" > /lib/cryptsetup/passfifo
exit

The server should now boot normally and regular SSH should come up.
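The static IP= line from step 2 follows the kernel's seven-field ip= syntax (client IP, server IP, gateway, netmask, hostname, device, autoconf), and a typo there leaves the initramfs without network, so Dropbear never comes up and there is no console on a headless box to recover from. The following POSIX sh validator is an added example, not part of the original post or of initramfs-tools; the sample lines and the 192.0.2.x addresses are constructed for it.

```shell
#!/bin/sh
# Validator for the IP= line in /etc/initramfs-tools/initramfs.conf.
# Layout (the kernel ip= syntax that initramfs-tools passes on):
#   IP=<client-ip>:<server-ip>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
# Sample lines at the bottom are constructed (RFC 5737 addresses).

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Returns 0 for a well-formed line, 1 (with the reason on stderr) otherwise.
validate_ip_line() {
    line=${1#IP=}
    nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    [ "$nf" -eq 7 ] || { echo "expected 7 fields, got $nf" >&2; return 1; }
    client=$(field "$line" 1); server=$(field "$line" 2); gw=$(field "$line" 3)
    mask=$(field "$line" 4); dev=$(field "$line" 6); auto=$(field "$line" 7)
    [ -n "$dev" ] || { echo "device field is empty" >&2; return 1; }
    case "$auto" in
        dhcp|bootp|rarp|both|any|on) ;;
        off|none|'')
            # Static configuration: client address and netmask are mandatory.
            [ -n "$client" ] && [ -n "$mask" ] ||
                { echo "static config needs client IP and netmask" >&2; return 1; }
            ;;
        *) echo "unknown autoconf value '$auto'" >&2; return 1 ;;
    esac
    # Every address that is present must be a valid dotted quad.
    for a in $client $server $gw $mask; do
        is_ipv4 "$a" || { echo "bad address '$a'" >&2; return 1; }
    done
    return 0
}

# Stand-alone demo on constructed lines (the DHCP line is the one from the post).
for l in 'IP=:::::eth0:dhcp' \
         'IP=192.0.2.10::192.0.2.1:255.255.255.0:headless:eth0:off' \
         'IP=192.0.2.10:eth0:dhcp' \
         'IP=::192.0.2.1:255.255.255.0:headless:eth0:off'; do
    if validate_ip_line "$l" 2>/dev/null; then echo "OK   $l"; else echo "FAIL $l"; fi
done
```

Run it against the line you intend to put in initramfs.conf before calling update-initramfs; the last two sample lines show the two common mistakes, a wrong field count and a static line without a client address.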

Optional: You can also create a little hook script in “/etc/initramfs-tools/hooks/unlock” that places an unlock helper at /root/unlock inside the initramfs, so after logging in you only run that helper and type the passphrase at its prompt instead of echoing it into the FIFO by hand.

#!/bin/sh
# initramfs hook: install a small /root/unlock helper into the initramfs image
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
. /usr/share/initramfs-tools/hook-functions

# The helper prompts for the passphrase and feeds it to cryptsetup's FIFO
mkdir -p "${DESTDIR}/root"
cat > "${DESTDIR}/root/unlock" << 'EOF'
#!/bin/sh
/lib/cryptsetup/askpass 'passphrase: ' > /lib/cryptsetup/passfifo
EOF
chmod u+x "${DESTDIR}/root/unlock"
exit 0

Do not forget to make it executable

chmod +x /etc/initramfs-tools/hooks/unlock

And update the initramfs

update-initramfs -u -k all
update-grub2