A quick guide on unlocking a LUKS Full Disk Encryption (except /boot) Debian 11 GNU/Linux system remotely via Dropbear SSH.
This is useful if you have a remote server that you don't have physical access to (e.g. a VPS). Note that there is no guarantee of 100% protection if the adversary has physical access to the system.
Usually we unlock our LUKS boot passphrase with a monitor and keyboard, but with an offsite server this proves to be a challenge, unless your VPS host provides a KVM or you have your own Pi-KVM.
In this case, we can enter the boot-time passphrase over SSH using the Dropbear SSH server.
This guide has been tested on the latest Debian 11.2 GNU/Linux with a LUKS-encrypted root partition.
$ sudo apt install dropbear-initramfs
...
Unpacking dropbear-initramfs (2020.81-3) ...
Setting up libtommath1:amd64 (1.2.0-6) ...
Setting up libtomcrypt1:amd64 (1.18.2-5) ...
Setting up dropbear-bin (2020.81-3) ...
Setting up dropbear-initramfs (2020.81-3) ...
Generating Dropbear RSA host key. Please wait.
Generating 2048 bit rsa key, this may take a while...
...
We need an existing SSH public key; an earlier post has an example of using public-key SSH authentication instead of the old password authentication, which can be brute-forced.
Basically, copy your public key into the file /etc/dropbear-initramfs/authorized_keys, either using nano or your favorite editor.
Next, create the configuration for dropbear, setting the listen port and the idle timeout, in /etc/dropbear-initramfs/config:
#
# Configuration options for the dropbear-initramfs boot scripts.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files under the '/etc/dropbear-initramfs' directory).
#
# Command line options to pass to dropbear(8)
#
DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"
# Legend
# -I 300 Disconnect the session if no traffic after 300 seconds
# -j Disable local port forwarding
# -k Disable remote port forwarding
# -p 2222 Listen on port 2222 (to connect via ssh: ssh -p 2222 <IP>)
# -s Disable password logins (Crucial, we only use PubKey authentications)
Now we edit the static IP configuration for dropbear:
$ sudo nano /etc/initramfs-tools/initramfs.conf
IP=192.168.255.2::192.168.255.1:255.255.255.0:serverA
Don't worry about this: if it is not set, dropbear will pick up a DHCP lease from your router and use that IP address. You may want to set a static IP reservation for the server on your router's settings page.
Updating the initramfs to reflect our changes:
$ sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.10.0-10-amd64
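As an added example (not part of the original guide), a small POSIX shell audit of the two files configured above, meant to run before update-initramfs: it checks that DROPBEAR_OPTIONS carries -s, -j and -k and that authorized_keys holds at least one usable public key. The function takes both file paths as arguments; the demo paths and the sample key below are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the dropbear-initramfs
# config and authorized_keys before running update-initramfs, so a missing
# hardening flag or an unusable key file is caught before the next reboot.
# Returns 0 when all the settings the guide recommends are present.
audit_dropbear_initramfs() {
    cfg="$1"; keys="$2"; rc=0
    # Extract the quoted DROPBEAR_OPTIONS value (Debian ships it quoted).
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' "$cfg")
    # -s: no password logins; -j/-k: no local/remote port forwarding.
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "FAIL: $flag missing from DROPBEAR_OPTIONS=\"$opts\""; rc=1 ;;
        esac
    done
    # Without -p dropbear listens on 22, and clients will then see a
    # host-key mismatch against the booted system's regular sshd key.
    case " $opts " in
        *" -p "*) ;;
        *) echo "WARN: no -p given, dropbear will listen on port 22" ;;
    esac
    # A missing authorized_keys, or one without a usable key, means no
    # remote unlock at all after the reboot.
    nkeys=0
    if [ -r "$keys" ]; then
        while IFS= read -r line; do
            case "$line" in
                ''|'#'*) ;;                          # blank or comment
                "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*) nkeys=$((nkeys + 1)) ;;
                *) echo "FAIL: unrecognised authorized_keys line: $line"; rc=1 ;;
            esac
        done < "$keys"
    fi
    [ "$nkeys" -gt 0 ] || { echo "FAIL: no usable public key in $keys"; rc=1; }
    return "$rc"
}

# Constructed demo input (not a real key): the guide's config next to a
# weakened copy with the hardening flags removed.
DEMO=$(mktemp -d)
printf 'DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"\n' > "$DEMO/config.good"
printf 'DROPBEAR_OPTIONS="-I 300 -p 2222"\n' > "$DEMO/config.weak"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYMATERIAL admin@laptop\n' > "$DEMO/authorized_keys"
audit_dropbear_initramfs "$DEMO/config.good" "$DEMO/authorized_keys" && echo "config.good: OK"
audit_dropbear_initramfs "$DEMO/config.weak" "$DEMO/authorized_keys" || echo "config.weak: rejected"
rm -rf "$DEMO"
```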
Upon restarting the server, you will be prompted to enter the LUKS passphrase and will also see the current IP address of the dropbear server. You can now connect to that IP address via SSH (as root, on the port configured above):
$ ssh root@192.168.255.2 -p 2222
You will be prompted for your private key passphrase, and if you supplied the correct credentials you will see the BusyBox prompt.
To unlock the LUKS-encrypted system, just execute cryptroot-unlock.
Enter your passphrase and the boot sequence will continue.
Sample output:
Enter passphrase for key '/home/user/.ssh/id_rsa':
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.
BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # cryptroot-unlock
Please unlock disk sda3_crypt:
cryptsetup: sda3_crypt set up successfully
~ # Connection to 192.168.255.2 closed by remote host.
Connection to 192.168.255.2 closed.
We can create a sort of shortcut for logging in to that server by adding the following to ~/.ssh/config:
Host serverA
HostName 192.168.255.2
User root
Port 2222
Note: you still need to type the commands to unlock the boot device.
Reference: https://www.dwarmstrong.org/remote-unlock-dropbear/