Remotely unlock a LUKS-encrypted Linux server using Dropbear
When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location?
Enter Dropbear. Install this tiny SSH server into the server's initramfs, and use SSH keys to log in from a client at boot and unlock.
Setup
- Server is running Debian 12; hostname foobox
- Server has the openssh-server package installed and configured
- Access and unlock the server using a Linux client device
1. On the server: Install dropbear
$ sudo apt install dropbear-initramfs
This generates a warning message ...
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!
Fix that in the next steps by creating a new authorized_keys file and adding the client's SSH key.
2. Keys
The version of Dropbear packaged in Debian does not support ed25519 keys. Use rsa.
2.1 On the client: Generate key
Generate an SSH key for Dropbear ...
$ ssh-keygen -t rsa -f ~/.ssh/unlock_luks
2.2 On the client: Upload key
Copy the newly-generated public key to the server ...
$ scp ~/.ssh/unlock_luks.pub foobox:~/
2.3 On the server: Add key
Log in to the server.
Add the public key to /etc/dropbear/initramfs/authorized_keys ...
$ sudo sh -c 'cat unlock_luks.pub >> /etc/dropbear/initramfs/authorized_keys'
Change the file permissions ...
$ sudo chmod 600 /etc/dropbear/initramfs/authorized_keys
3. Dropbear.conf
Edit /etc/dropbear/initramfs/dropbear.conf ...
DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"
Dropbear options:
-I 600   # Disconnect the session if no traffic is transmitted or received for 600 seconds
-j       # Disable local port forwarding
-k       # Disable remote port forwarding
-p 2222  # Listen on port 2222
-s       # Disable password logins
4. Initramfs.conf
Note: This setup is for making connections over wired ethernet. For wireless connections, see: Enable Wireless networks in Debian initramfs
Edit /etc/initramfs-tools/initramfs.conf. Example ...
IP=192.168.1.25::192.168.1.1:255.255.255.0:foobox
IP options:
192.168.1.25   -- Server IP address; note the double colon that follows it
192.168.1.1    -- Gateway IP address
255.255.255.0  -- Subnet mask
foobox         -- Server hostname
Note: If you have more than one network interface, append the desired interface name to the IP= line above (example: IP=...:foobox:eth02).
Update initramfs whenever making changes to /etc/dropbear-initramfs/config or /etc/initramfs-tools/initramfs.conf ...
$ sudo update-initramfs -u -k all
Link: HOWTO Set Static IP on boot in initramfs for Dropbear
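Before rebooting it is worth confirming that the three files edited above say what you think they say. The script below is an added example, not part of the article, dropbear or Debian: it parses the IP= line field by field, checks that authorized_keys is mode 600 and holds only ssh-rsa keys, and checks that DROPBEAR_OPTIONS still carries -s, -j and -k. It runs against constructed sample files; point the functions at the real paths to check a live system.

```shell
#!/bin/sh
# Added example, not from the article, dropbear or Debian: pre-flight checks for
# the three files edited above. Paths are arguments, so the functions run
# against the real files or, as at the bottom, against constructed samples.
# Field N (1-6) of an initramfs IP= line. Field order is
# client-ip:server-ip:gateway:netmask:hostname:device; the double colon in
# the article's example is an empty server-ip (field 2).
ip_field() {
  printf '%s\n' "${2#IP=}" | cut -d: -f"$1"
}

# 0 if client IP, gateway and netmask are dotted quads and a hostname is set.
check_ip_line() {
  q='[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}'
  for n in 1 3 4; do
    ip_field "$n" "$1" | grep -q "^$q\$" || { echo "IP= field $n bad"; return 1; }
  done
  [ -n "$(ip_field 5 "$1")" ] || { echo "IP= hostname (field 5) empty"; return 1; }
}

# 0 if authorized_keys is mode 600 and every key line is ssh-rsa (the article
# notes the Debian build of dropbear cannot use ed25519 keys).
check_authorized_keys() {
  rc=0
  [ -n "$(find "$1" -perm 600)" ] || { echo "$1: mode is not 600"; rc=1; }
  other=$(grep -v -e '^#' -e '^[[:space:]]*$' "$1" | grep -v '^ssh-rsa ' || true)
  [ -z "$other" ] || { echo "$1: non-rsa key: ${other%% *}"; rc=1; }
  return $rc
}

# 0 if DROPBEAR_OPTIONS disables password logins (-s) and both port-forwarding
# directions (-j, -k), as the article's configuration does.
check_dropbear_conf() {
  opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' "$1"); rc=0
  for flag in -s -j -k; do
    case " $opts " in *" $flag "*) ;; *) echo "$1: missing $flag"; rc=1 ;; esac
  done
  return $rc
}

# Constructed sample files mirroring the article's values (placeholder keys).
SAMPLE=$(mktemp -d)
printf 'DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"\n' > "$SAMPLE/dropbear.conf"
printf 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SAMPLE unlock_luks\n' > "$SAMPLE/authorized_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-SAMPLE laptop\n' > "$SAMPLE/bad_keys"
chmod 600 "$SAMPLE/authorized_keys" "$SAMPLE/bad_keys"
IP_LINE='IP=192.168.1.25::192.168.1.1:255.255.255.0:foobox'
check_ip_line "$IP_LINE" && check_authorized_keys "$SAMPLE/authorized_keys" \
  && check_dropbear_conf "$SAMPLE/dropbear.conf" && echo "all checks passed"
```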
5. Login
Reboot server, then:
- Log in via ssh
- Enter the ssh key passphrase
- At the prompt, run the command cryptroot-unlock
- Enter the LUKS passphrase to unlock encrypted root partition
$ ssh -i ~/.ssh/unlock_luks -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@192.168.0.50
Enter passphrase for key '/home/foo/.ssh/unlock_luks':
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.
BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # cryptroot-unlock
...
System finishes the boot sequence.
6. Alias
Create an ssh alias for unlocking the server in the client's ~/.ssh/config ...
#: foobox - unlock server at boot
Host unlock-foobox
Hostname 192.168.0.50
User root
Port 2222
IdentityFile ~/.ssh/unlock_luks
HostKeyAlgorithms ssh-rsa
RequestTTY yes
RemoteCommand cryptroot-unlock
Then a simple ssh unlock-foobox and entering the correct passphrases for the SSH key followed by the encrypted partition (example: sda3_crypt) will do the trick ...
$ ssh unlock-foobox
Please unlock disk sda3_crypt:
cryptsetup: sda3_crypt set up successfully
Connection to 192.168.0.50 closed.
$