Delete miscellaneous/full_disk_encryption_remote_unlock_luks.md
@@ -1,112 +0,0 @@
# Unlocking LUKS with Dropbear SSH Keys Remotely
## Introduction
This guide provides detailed instructions on how to unlock a LUKS-encrypted disk on Linux using Dropbear SSH, especially when you do not have access to the KVM console. This is particularly useful for remote servers where physical access is limited or impossible.
The system is configured to allow remote unlocking at boot time using the Dropbear SSH server integrated into the system's `initramfs` image. This guide is intended for system administrators who want to improve the accessibility of their remote LUKS-encrypted servers.
## Prerequisites
- A Linux system (Debian, Ubuntu, etc.) using LUKS for disk encryption.
- Dropbear installed and configured within the `initramfs` image.
- Root access to the server.
- An SSH key pair (public/private) for authentication.
## Configuration Steps
### 1. Installing Dropbear
Install Dropbear using the following command:
```sh
sudo apt update && sudo apt upgrade
sudo apt install dropbear-initramfs
```
> **Note**: You may see a warning stating that the `authorized_keys` file is invalid. You can safely ignore this warning.
### 2. Configuring Dropbear
Modify the Dropbear configuration file to ensure it is set up correctly at boot time:
- Navigate to the configuration directory:
```sh
cd /etc/dropbear-initramfs
```
**Or**, for newer versions:
```sh
cd /etc/dropbear/initramfs
```
- Edit the configuration file:
```sh
sudo nano config
```
**Or**, for newer versions:
```sh
sudo nano dropbear.conf
```
- Add or modify the following options:
```
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"
```
These options do the following:
- Disable password logins.
- Specify the SSH port (2222).
- Force the execution of `cryptroot-unlock` at boot.
### 3. Configuring a Static IP (Optional)
If your server is located in a data center or an environment where a fixed IP address is required, it is recommended to configure a static IP:
- Edit the file `/etc/initramfs-tools/initramfs.conf`:
```sh
sudo nano /etc/initramfs-tools/initramfs.conf
```
- Add the static IP configuration:
```
IP=192.168.2.19::192.168.2.254:255.255.255.0:debian
```
Where:
- **192.168.2.19**: Client IP address.
- **192.168.2.254**: Gateway.
- **255.255.255.0**: Subnet mask.
- **debian**: Hostname of the system.
### 4. Updating the `initramfs` Image
After configuring Dropbear, update the `initramfs` image to include the new configurations:
```sh
sudo update-initramfs -u -v
```
- **-u**: Updates an existing `initramfs` image.
- **-v**: Increases the verbosity of the output.
### 5. Creating SSH Keys and Adding to Server
To enable remote unlocking, generate an SSH key pair on your local machine and add the public key to the server:
- Generate an SSH key pair:
```sh
ssh-keygen -t rsa -f ~/.ssh/intel_nuc_debian
```
- Add the public key to the server:
```sh
cat ~/.ssh/intel_nuc_debian.pub | ssh root@192.168.2.19 "cat >> /etc/dropbear-initramfs/authorized_keys"
```
**Or**, for newer versions:
```sh
cat ~/.ssh/intel_nuc_debian.pub | ssh root@192.168.2.19 "cat >> /etc/dropbear/initramfs/authorized_keys"
```
This command adds the public key to the list of authorized keys on the server, allowing authentication through Dropbear.
## Remote Unlocking
Once the configuration is complete, restart your server. Then, use SSH to connect to Dropbear and unlock the LUKS disk:
```sh
ssh -i ~/.ssh/intel_nuc_debian -p 2222 root@192.168.2.19
```
This command will automatically run `cryptroot-unlock`, which will unlock the encrypted disk and allow the server to continue the boot process.
## Security Considerations
- **Protect Your Private Key**: Ensure that the generated private key is well-protected, as it allows access to your server and the ability to unlock the disk. Use restrictive permissions (`chmod 600`) on the key file.
- **Physical Access**: To enhance security, consider adding other measures like BIOS/UEFI passwords and securing physical access to the server.
- **Network Access**: Ensure that network access to port 2222 is restricted to trusted IP addresses only. Use a firewall (such as `ufw` or `iptables`) to limit access.
## Troubleshooting
- **Invalid Key Error**: If you encounter an error indicating that the `authorized_keys` file is invalid, check the file permissions and ensure the copied public key is correct.
- **Session Timeout**: If the Dropbear session times out too quickly, adjust the `-I` value in `DROPBEAR_OPTIONS` to increase the allowed inactivity period.
## References
- [Complete Guide on Dropbear SSH and LUKS](https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/)
---
This guide is intended for advanced users with a good understanding of Linux systems and disk encryption. By following these steps, you can ensure secure and convenient access to your remote servers, even when physical access is not possible.
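Review bot: this hunk (`@@ -1,112 +0,0 @@`) removes the whole remote LUKS-unlock guide, and the one-line commit message says neither why it goes nor where the instructions now live; please state in the message whether the guide is superseded or obsolete, and if it was only moved, put the new file in the same commit so git records a rename instead of a deletion. If the page is being retired as stale, two gaps in it are worth carrying into any replacement rather than dropping silently: the bullet list after `DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"` explains only `-s`, `-p 2222` and `-c cryptroot-unlock`, leaving `-I 180` (the idle timeout that the Troubleshooting entry later tells readers to raise) and `-j`/`-k` (Dropbear's switches disabling local and remote port forwarding) undocumented; and the Security Considerations list never mentions that the Dropbear inside the initramfs has its own host key, separate from the main sshd's on the same address, so the first `ssh -p 2222` should be checked against that key rather than accepted on trust.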