---
title: 'Unlocking a LUKS partition on boot via SSH on Debian'
description: 'A convenient mechanism'
date: '2025-03-07'
tags:
- Debian
---
## Introduction
This article explains how to set up an SSH server inside the initramfs so that a
root filesystem encrypted with LUKS can be unlocked remotely at boot. I have been
using this for years but never documented it!
I am used to the comfort of unlocking the partition thanks to an SSH server
embedded in the initramfs. This setup has a security flaw: the unencrypted
initramfs (and the SSH host key it contains) could be replaced by a malicious
party with access to the boot partition. This is not something I am overly
concerned about for my personal stuff, so please ignore it.
## Configuration
All this relies on embedding an SSH server inside the initramfs:
``` shell
# Install dropbear together with its initramfs-tools hooks
apt update -qq
apt install dropbear-initramfs -y
```
The dropbear SSH server offers some configuration options through its command line:
``` shell
# Append the dropbear options and install the only authorized public key.
# '%s\n' (rather than '%s') terminates each line so later appends stay intact.
printf '%s\n' 'DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s -E -m -c /bin/cryptroot-unlock"' >>/etc/dropbear/initramfs/dropbear.conf
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOJV391WFRYgCVA2plFB8W8sF9LfbzXZOrxqaOrrwco' >/etc/dropbear/initramfs/authorized_keys
```
Here I set:
- `-I 600`: idle timeout of 10 minutes
- `-j -k`: disable local and remote port forwarding
- `-p 2222`: request port 2222
- `-s`: disable password logins so that only SSH key authentication is available
- `-E`: log to stderr (syslog is not available at this point of the boot process)
- `-m`: disable motd
- `-c /bin/cryptroot-unlock`: enforce a single command, no open shell
A personal preference of mine is to forego the predictable network interface
naming of modern Linux. You can omit this step if you are fine with using
`enp0s3` instead of the simple `eth0`:
``` shell
# Disable predictable interface names; the later assignment overrides the
# default empty GRUB_CMDLINE_LINUX already present in /etc/default/grub
printf '%s\n' 'GRUB_CMDLINE_LINUX="net.ifnames=0"' >> /etc/default/grub
update-grub
```
Since this is a server, I configure its networking statically. Sadly this
initramfs component does not support IPv6 yet:
``` shell
# Static IPv4 configuration for the initramfs, then rebuild every installed initramfs
printf '%s\n' 'IP=37.187.244.19::37.187.244.1:255.255.0.0:myth:eth0' >>/etc/initramfs-tools/initramfs.conf
update-initramfs -k all -u
```
The syntax is a bit obtuse, but here are the colon-separated components of this line:
- `37.187.244.19`: IP address of the server
- empty: IP address of an NFS server, a remnant of network boot protocols that
  you are unlikely to be using
- `37.187.244.1`: gateway of the server
- `255.255.0.0`: netmask of the server. Since this initramfs network
  configuration system does not support on-link gateway routing, the netmask
  needs to be wide enough to encompass both your IP address and that of your
  gateway. For example, for another host with IP address `51.77.159.16` and
  gateway `51.77.156.1`, I need a `255.255.252.0` netmask.
- `myth`: hostname of the server
- `eth0`: interface to bring up
## Conclusion
With all this done, I can reboot a server and unlock it remotely without having
to open the provider's web UI and use their clunky virtual KVM interface!