scripts-admin-debian/miscellaneous/full_disk_encryption_remote_unlock_luks.md
2024-10-21 19:02:23 +02:00

Unlocking LUKS with Dropbear SSH Keys Remotely

Introduction

This guide provides detailed instructions on how to unlock a LUKS-encrypted disk on Linux using Dropbear SSH, especially when you do not have access to the KVM console. This is particularly useful for remote servers where physical access is limited or impossible.

The system is configured to allow remote unlocking at boot time using the Dropbear SSH server integrated into the system's initramfs image. This guide is intended for system administrators who want to improve the accessibility of their remote LUKS-encrypted servers.

Prerequisites

  • A Linux system (Debian, Ubuntu, etc.) using LUKS for disk encryption.
  • Dropbear installed and configured within the initramfs image.
  • Root access to the server.
  • An SSH key pair (public/private) for authentication.

Configuration Steps

1. Installing Dropbear

Install Dropbear using the following command:

sudo apt update && sudo apt upgrade
sudo apt install dropbear-initramfs

Note: at this point the initramfs rebuild may print a warning that the authorized_keys file is invalid and remote unlocking of cryptroot via SSH will not work. This is expected, because no key has been added yet (step 5). The same warning must be gone after the key is in place and the initramfs has been rebuilt; if it still appears then, remote unlocking will not work.

2. Configuring Dropbear

Modify the Dropbear configuration file to ensure it is set up correctly at boot time:

  • Navigate to the configuration directory:
    cd /etc/dropbear-initramfs
    
    Or, for newer versions (Debian 12 and later):
    cd /etc/dropbear/initramfs
    
  • Edit the configuration file:
    sudo nano config
    
    Or, for newer versions:
    sudo nano dropbear.conf
    
  • Add or modify the following options (the variable is named DROPBEAR_OPTIONS in both the old and the new configuration file):
    DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"
    
    These options do the following:
    • -I 180: Drop the session after 180 seconds without traffic.
    • -j and -k: Disable local and remote port forwarding, so the unlock key cannot be used to tunnel through the initramfs.
    • -p 2222: Listen on port 2222 instead of 22. The initramfs has its own host key, different from the one of the main OpenSSH server, and a separate port keeps the two apart in your client's known_hosts.
    • -s: Disable password logins; only the public keys in authorized_keys are accepted.
    • -c cryptroot-unlock: Force cryptroot-unlock as the only command a client can run, so the key cannot be used to get a shell in the initramfs.

3. Configuring a Static IP (Optional)

If your server is located in a data center or an environment where a fixed IP address is required, it is recommended to configure a static IP:

  • Edit the file /etc/initramfs-tools/initramfs.conf:
    sudo nano /etc/initramfs-tools/initramfs.conf
    
  • Add the static IP configuration:
    IP=192.168.2.19::192.168.2.254:255.255.255.0:debian
    
    Where:
    • 192.168.2.19: Client IP address.
    • (empty second field): Server IP, only used for NFS root; leave it empty.
    • 192.168.2.254: Gateway.
    • 255.255.255.0: Subnet mask.
    • debian: Hostname of the system.
    
    The full format is IP=<client-ip>:<server-ip>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>, the same as the kernel's ip= boot parameter. On a machine with several network interfaces, add the device field (for example :eth0) so the initramfs configures the right one. Note that the address set in the initramfs stays on the interface after the real system takes over; if the system's own network configuration (DHCP client, systemd-networkd, NetworkManager) then fails to bring the interface up, the usual fix is an /etc/initramfs-tools/scripts/init-bottom/ script that flushes the interface (ip addr flush dev eth0) before the handover.

4. Updating the initramfs Image

After configuring Dropbear, update the initramfs image to include the new configurations:

sudo update-initramfs -u -v
  • -u: Updates the existing initramfs image of the running kernel. Add -k all to rebuild the image of every installed kernel, so that booting a fallback kernel can be unlocked remotely as well.
  • -v: Increases the verbosity of the output.

5. Creating SSH Keys and Adding to Server

To enable remote unlocking, generate an SSH key pair on your local machine and add the public key to the server:

  • Generate an SSH key pair (use a dedicated key for unlocking rather than your everyday admin key; -t ed25519 also works with Dropbear 2020.79 and later):
    ssh-keygen -t rsa -f ~/.ssh/intel_nuc_debian
    
  • Add the public key to the server:
    cat ~/.ssh/intel_nuc_debian.pub | ssh root@192.168.2.19 "cat >> /etc/dropbear-initramfs/authorized_keys"
    
    Or, for newer versions:
    cat ~/.ssh/intel_nuc_debian.pub | ssh root@192.168.2.19 "cat >> /etc/dropbear/initramfs/authorized_keys"
    
    This command adds the public key to the list of keys Dropbear accepts. The file is copied into the initramfs when the image is built, so rebuild the image once more (sudo update-initramfs -u) after adding the key, and check that the authorized_keys warning from step 1 no longer appears. Without this second rebuild the key is not in the image and the login will be refused.
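The five configuration steps above, carried out by one script and followed by a check that the key really ended up in the image. This is an added example, not code from the original guide or from the dropbear-initramfs package. It assumes a Debian or Ubuntu host with initramfs-tools and dropbear-initramfs installed, and it wraps the public key in authorized_keys restrictions (no forwarding, forced cryptroot-unlock command) so the key stays limited to unlocking even if -c is later dropped from DROPBEAR_OPTIONS; the function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: configure dropbear-initramfs
# for remote LUKS unlocking and verify the rebuilt initramfs.
# Usage (as root): ./setup_unlock.sh --apply /path/to/intel_nuc_debian.pub
set -u

# Configuration directory: newer dropbear-initramfs packages (Debian 12+) use
# /etc/dropbear/initramfs, older ones /etc/dropbear-initramfs.
# $1 is the filesystem root to look under ("" for the live system, a
# temporary directory when testing).
dropbear_confdir() {
    root="${1:-}"
    if [ -d "$root/etc/dropbear/initramfs" ]; then
        echo "$root/etc/dropbear/initramfs"
    elif [ -d "$root/etc/dropbear-initramfs" ]; then
        echo "$root/etc/dropbear-initramfs"
    else
        echo "dropbear-initramfs configuration directory not found" >&2
        return 1
    fi
}

# Options file inside that directory: dropbear.conf (newer) or config (older).
dropbear_conffile() {
    case "$1" in
        */dropbear/initramfs) echo "$1/dropbear.conf" ;;
        *)                    echo "$1/config" ;;
    esac
}

# Set DROPBEAR_OPTIONS, replacing any existing assignment but keeping every
# other line of the file (idempotent: running it twice leaves one line).
set_dropbear_options() {
    file="$1" opts="$2"
    tmp=$(mktemp)
    [ -f "$file" ] && grep -v '^DROPBEAR_OPTIONS=' "$file" > "$tmp" || true
    printf 'DROPBEAR_OPTIONS="%s"\n' "$opts" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Number of DROPBEAR_OPTIONS assignments in a file (0 when there are none).
count_options_lines() { grep -c '^DROPBEAR_OPTIONS=' "$1" || true; }

# Wrap a public key in authorized_keys restrictions: no forwarding of any
# kind and a forced command, so this key can only ever run cryptroot-unlock.
restrict_key_line() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$1"
}

# Append the restricted key to authorized_keys (mode 0600) unless the same
# public key is already listed.
install_unlock_key() {
    confdir="$1" pubfile="$2"
    keys="$confdir/authorized_keys"
    pub=$(cat "$pubfile")
    ( umask 077; touch "$keys" )
    grep -qF -- "$pub" "$keys" || restrict_key_line "$pub" >> "$keys"
    chmod 600 "$keys"
}

# Rebuild the initramfs of every installed kernel, then confirm that the
# dropbear binary and the authorized_keys file are actually inside each image.
rebuild_and_verify() {
    update-initramfs -u -k all
    for img in /boot/initrd.img-*; do
        lsinitramfs "$img" | grep -q 'dropbear' \
            || { echo "$img: dropbear missing from image" >&2; return 1; }
        lsinitramfs "$img" | grep -q 'authorized_keys' \
            || { echo "$img: authorized_keys missing from image" >&2; return 1; }
    done
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    confdir=$(dropbear_confdir "") || exit 1
    set_dropbear_options "$(dropbear_conffile "$confdir")" \
        "-I 180 -j -k -p 2222 -s -c cryptroot-unlock"
    install_unlock_key "$confdir" "$2"
    rebuild_and_verify
fi
```

The verification at the end is the check that the step-by-step procedure lacks: a key added after the last update-initramfs run is not in the image, and lsinitramfs shows that immediately, before you reboot and find out the hard way.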

Remote Unlocking

Once the configuration is complete, restart your server. While it waits at the passphrase prompt, connect to Dropbear with SSH and unlock the LUKS disk:

ssh -i ~/.ssh/intel_nuc_debian -p 2222 root@192.168.2.19

Because of -c, Dropbear runs cryptroot-unlock for you: it prompts for the LUKS passphrase, unlocks the encrypted volume and ends the session, after which the server continues booting and its normal OpenSSH server becomes reachable on port 22. On the first connection your client shows the fingerprint of the initramfs host key, which is not the host key of the main system. Compare it with the output of dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key (or the matching dropbear_*_host_key file under /etc/dropbear-initramfs on older releases) before typing the passphrase, since whoever you type it to can decrypt the disk.
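The client side of the unlock, as an added example that is not part of the original guide: the initramfs host key is pinned once in a known_hosts file of its own, every later connection is made with strict host key checking against that file only, and after the unlock the script waits for the real system's sshd to come back. The host, port, key path, pin file and function names are assumptions chosen to match the guide's values; the dropbearkey -y output in the usage note is the real format of that command.

```shell
#!/bin/sh
# Added example, not part of the original guide: pin the initramfs host key
# and unlock the remote LUKS volume from the admin workstation.
# Usage: ./unlock.sh pin < dropbearkey-output     (once, to record the key)
#        ./unlock.sh unlock                       (at every boot)
set -u

HOST=192.168.2.19                          # assumed server address (from the guide)
PORT=2222                                  # the -p value in DROPBEAR_OPTIONS
KEY=${HOME:-/root}/.ssh/intel_nuc_debian   # private unlock key
PIN=${HOME:-/root}/.ssh/known_hosts_initramfs   # kept apart from ~/.ssh/known_hosts

# Extract "<type> <base64>" from the output of
#   dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
# run on the server, dropping the trailing comment.
pubkey_from_dropbearkey() {
    sed -nE 's#^((ssh-[a-z0-9-]+|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+).*#\1#p' | head -n 1
}

# OpenSSH stores hosts on a non-default port as "[host]:port".
known_hosts_line() {
    host="$1" port="$2" pubkey="$3"
    printf '[%s]:%s %s\n' "$host" "$port" "$pubkey"
}

# Record the initramfs host key (dropbearkey -y output on stdin) in $PIN.
pin_host_key() {
    pub=$(pubkey_from_dropbearkey)
    [ -n "$pub" ] || { echo "no public key found in input" >&2; return 1; }
    ( umask 077; known_hosts_line "$HOST" "$PORT" "$pub" >> "$PIN" )
}

# Connect with strict checking against the pinned key only. With -c in
# DROPBEAR_OPTIONS the server forces cryptroot-unlock anyway; naming it here
# also covers a configuration without -c. -t keeps a pty so the passphrase
# prompt does not echo.
unlock() {
    ssh -t -i "$KEY" -o IdentitiesOnly=yes -p "$PORT" \
        -o UserKnownHostsFile="$PIN" -o StrictHostKeyChecking=yes \
        root@"$HOST" cryptroot-unlock
}

# After the unlock the initramfs hands over to the real system; poll until
# its own sshd answers on port 22 (up to 5 minutes).
wait_for_system_sshd() {
    i=0
    while [ "$i" -lt 60 ]; do
        ssh -o ConnectTimeout=3 -o BatchMode=yes -i "$KEY" root@"$HOST" true 2>/dev/null && return 0
        i=$((i + 1))
        sleep 5
    done
    echo "system sshd did not come up" >&2
    return 1
}

case "${1:-}" in
    pin)    pin_host_key ;;
    unlock) unlock && wait_for_system_sshd ;;
esac
```

dropbearkey -y prints a "Public key portion is:" line, the public key itself and a "Fingerprint:" line; only the middle line is kept. Pinning in a separate file means a changed initramfs host key (for example after reinstalling dropbear-initramfs) is refused outright instead of being silently accepted, and the main system's key on port 22 is never confused with it.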

Security Considerations

  • Protect Your Private Key: The generated private key lets its holder reach the passphrase prompt of your server, so keep it on a trusted machine, use a passphrase on the key itself and restrictive permissions (chmod 600) on the file, and use a dedicated key for unlocking rather than a key that is also used elsewhere.
  • Verify the Host Key: The LUKS passphrase is typed into the SSH session, so anyone who can impersonate the server on the network can collect it. Compare the fingerprint shown on the first connection with dropbearkey -y -f on the server's initramfs host key, and keep the entry in a known_hosts file so later changes are refused rather than silently accepted.
  • Physical Access: The initramfs, Dropbear and its host key live on the unencrypted /boot partition, so anyone who can modify /boot can replace them with a version that records the passphrase. Mitigate this with BIOS/UEFI passwords, Secure Boot where available, and physical access control, and treat an unexpected host key change as a warning sign.
  • Network Access: Restrict access to port 2222 to trusted IP addresses only, using a firewall (such as ufw or iptables) or network ACLs in front of the server, since the initramfs itself has no firewall of its own.

Troubleshooting

  • Invalid Key Error: The initramfs build warns about an invalid authorized_keys file when the file is missing or empty. Make sure the file exists in the right directory for your version, contains the public key on one line, is owned by root with mode 600, and then rebuild the initramfs; the key is only picked up at build time. If the login is refused even though the file is correct, confirm with lsinitramfs /boot/initrd.img-$(uname -r) | grep authorized_keys that it is actually inside the image.
  • Session Timeout: If the Dropbear session is dropped before you finish typing the passphrase, increase the -I value (seconds of inactivity) in DROPBEAR_OPTIONS and rebuild the initramfs.

This guide is intended for advanced users with a good understanding of Linux systems and disk encryption. By following these steps, you can ensure secure and convenient access to your remote servers, even when physical access is not possible.