Debian Jessie encrypted root dropbear unlock

February 25, 2017

Remote unlocking of a LUKS encrypted drive has normally required you to run an additional script once you have ssh'd into the machine, and I could not find any simpler way around that. I have a couple of ODROID C2 machines that accept remote connections and automatically prompt you to unlock the encrypted root drive as soon as the connection succeeds. (http://forum.odroid.com/viewtopic.php?t=20972)

Since there was nothing documented on doing this for a standard Debian Jessie installation (non-embedded), I wanted to document it here.

You should already know how to set up an encrypted LUKS drive for your system; I just used the encryption option in the standard Debian Jessie installer. After the drive is set up, you need to install the dropbear SSH server.

Next, create your SSH public and private keys.

# Create a 2048-bit OpenSSH key pair (id_rsa and id_rsa.pub)
ssh-keygen -b 2048
# Convert the private key to dropbear's own key format
/usr/lib/dropbear/dropbearconvert openssh dropbear id_rsa id_rsa.dropbear

Copy them to the /etc/initramfs-tools/root/.ssh folder. This lets you log in to the system during boot without a password. You can either use the dropbearkey executable to create the key file and then convert it to OpenSSH format, or create the OpenSSH files first and then convert them to dropbear format. The id_rsa, id_rsa.dropbear and id_rsa.pub files all need to be in this folder.

Configure the /etc/initramfs-tools/initramfs.conf file to start the server at boot and either assign a static IP or use DHCP. Add this to it to enable dropbear.

# Enable DROPBEAR
DROPBEAR=y

# Enable networking
# To force a specific network device, enter it here
# Example: DEVICE=eth0
#
# To setup network
# Enabling DHCP, use this line
#IP=:::::eth0:dhcp
#
# Manually configure the network card
# Field order: client-ip:server-ip:gateway:netmask:hostname:device:autoconf
#IP=:::::eth0:off
IP=192.168.1.10::192.168.1.1:255.255.255.0:vm1:eth0:off
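The IP= line uses the kernel's seven-field ip= syntax, and a miscounted colon means the initramfs comes up without a network and therefore without any way to unlock the drive remotely. The following shell script is an added example, not part of the original post or of initramfs-tools: it splits an IP= value into its named fields and rejects values with the wrong field count, an unknown autoconf method, or a static configuration that lacks an address or netmask. The two values it checks are the ones from the configuration above.

```shell
#!/bin/sh
# Added example, not code from the original post: take apart an
# initramfs.conf IP= value so a typo in the seven-field kernel syntax
# (client-ip:server-ip:gateway:netmask:hostname:device:autoconf) is
# caught before the initramfs is rebuilt.

# Print field $2 (1-based) of the IP= value $1. Empty fields are kept,
# so "::" still counts as a field.
ip_field() {
    printf '%s\n' "$1" | cut -d ':' -f "$2"
}

# Validate an IP= value. Returns 0 when usable, 1 with a reason on stderr.
ip_check() {
    value=$1
    # Exactly seven fields means exactly six colons.
    colons=$(( $(printf '%s' "$value" | tr -cd ':' | wc -c) ))
    if [ "$colons" -ne 6 ]; then
        echo "IP=$value: expected 7 fields, found $((colons + 1))" >&2
        return 1
    fi
    client=$(ip_field "$value" 1)
    netmask=$(ip_field "$value" 4)
    autoconf=$(ip_field "$value" 7)
    case $autoconf in
        dhcp|bootp|rarp|both|on|any)
            # Dynamic configuration: the address fields may stay empty.
            return 0 ;;
        off|none)
            # Static configuration needs at least an address and a netmask.
            if [ -z "$client" ] || [ -z "$netmask" ]; then
                echo "IP=$value: static config needs client ip and netmask" >&2
                return 1
            fi
            return 0 ;;
        *)
            echo "IP=$value: unknown autoconf method '$autoconf'" >&2
            return 1 ;;
    esac
}

# Print the value as a labelled list, one field per line.
ip_describe() {
    value=$1
    i=1
    for name in client-ip server-ip gateway netmask hostname device autoconf; do
        printf '%-10s %s\n' "$name" "$(ip_field "$value" "$i")"
        i=$((i + 1))
    done
}

# Demo on the two forms from the configuration above.
for v in '192.168.1.10::192.168.1.1:255.255.255.0:vm1:eth0:off' ':::::eth0:dhcp'; do
    ip_check "$v" && ip_describe "$v"
    echo
done
```

Run it against the exact string you intend to paste into initramfs.conf; ip_check exits non-zero and explains the problem when the line would not give the initramfs a usable network.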

Here are the sites that I referenced:
https://sowhatisthesolution.wordpress.com/2016/03/20/unlock-luks-via-ssh-in-debian/
http://forum.odroid.com/viewtopic.php?t=20972

Once that is set up, you should be able to ssh into the system during boot while it is prompting for the drive unlock password.

Now, all the other guides tell you how to create an unlock script to be installed in the initramfs, so that once you ssh into the system you manually run the script and get prompted for the password that unlocks the system drive. In my opinion this is tedious and requires too much user interaction. I would prefer to just ssh into the system, be prompted automatically for the unlock password, and be disconnected automatically once the password is entered. That is what this next part describes.

I got the method from this blog posting: https://github.com/NicoHood/NicoHood.github.io/wiki/Raspberry-Pi-Encrypt-Root-Partition-Tutorial

The main step in getting the simple remote unlock is to edit the /etc/initramfs-tools/root/.ssh/authorized_keys file and put this at the beginning of the key line. It forces the SSH session to run the cryptroot script, which prompts you for the passphrase, then kills the cryptroot process still waiting on the local console so the boot continues, and finally exits, which closes your session:
command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3` && exit"
Here is an example file with this added to it (the key itself is removed):

command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3` && exit" ssh-rsa KEY_REMOVED_FOR_EXAMPLE root@HOST
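The command= prefix is what turns that key into an unlock-only key: any key line in this file without it gives whoever holds the private key an interactive shell inside the initramfs instead of just the passphrase prompt. The following shell script is an added example, not code from the original post or from dropbear: it builds the authorized_keys line from the contents of an id_rsa.pub file using the post's forced command, and audits a finished file so that no unrestricted key slips in before update-initramfs bakes it into the image. The public keys and file contents it uses are constructed placeholders; the extra no-port-forwarding, no-agent-forwarding and no-X11-forwarding options are standard authorized_keys options that dropbear honours and that an unlock session never needs.

```shell
#!/bin/sh
# Added example, not code from the original post: build the forced-command
# authorized_keys line and audit a finished file, because any key in that
# file without a command= restriction hands out an interactive shell in the
# initramfs instead of just the unlock prompt. Keys below are placeholders.

# The post's own forced command, kept verbatim (backticks escaped for the
# double quotes, single quotes pass through untouched).
UNLOCK_CMD="/scripts/local-top/cryptroot && kill -9 \`ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3\` && exit"

# Print one authorized_keys line for the public key text in $1 (the
# contents of id_rsa.pub). Besides command=, the extra options refuse
# port, agent and X11 forwarding, which the unlock session never needs.
make_entry() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$UNLOCK_CMD" "$1"
}

# Return 0 when every key line in file $1 starts with command=, else 1,
# reporting each unrestricted line number on stderr.
audit_authorized_keys() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*)      ;;                     # blank line or comment
            'command="'*) ;;                     # restricted, as intended
            *) echo "$1: line $n has a key without a forced command" >&2
               bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Demo: one properly built line, then a key someone appended by hand.
demo=$(mktemp)
{
    make_entry 'ssh-rsa AAAAB3_PLACEHOLDER_KEY root@HOST'
    echo '# added later without thinking about the initramfs'
    echo 'ssh-rsa AAAAB3_PLACEHOLDER_KEY2 admin@laptop'
} > "$demo"
if audit_authorized_keys "$demo"; then
    echo "all keys carry the forced command"
else
    echo "fix $demo before running update-initramfs"
fi
rm -f "$demo"
```

In practice you would feed make_entry the output of `cat id_rsa.pub` and point audit_authorized_keys at /etc/initramfs-tools/root/.ssh/authorized_keys just before the update-initramfs step; a non-zero exit means a key is about to land in the image with full shell access.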

After the file is saved, you need to update the initramfs and possibly update grub as well. These commands do that:

# Update the initramfs
update-initramfs -u -k all
# Update grub
update-grub2

Now you should be able to reboot your system, ssh into it using the key, and unlock the system drive.
