Remotely unlock an encrypted Linux server using Dropbear

Last edited on 2023-08-03. Tagged under #ssh #network #debian #linux #encrypt #server

When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location?

Enter Dropbear. Install this tiny SSH server into the server's initramfs, and use SSH keys to login from a client at boot and unlock.

1. Setup

  • SERVER is running Debian; hostname foobox
  • Package openssh-server is installed on SERVER
  • Remote logins using SSH keys are enabled; password logins are disabled
  • Unlock and access SERVER from a Linux CLIENT

2. On the SERVER and the CLIENT: Secure access using SSH keys

Configure remote access to the target device using SSH keys, and disable password logins.

3. On the SERVER: Install dropbear

sudo apt install dropbear-initramfs

This generates a warning message:

dropbear: WARNING: Invalid authorized_keys file, SSH login to initramfs won't work!

We'll fix that in the next steps by creating a new authorized_keys file and adding the CLIENT SSH key.

4. On the CLIENT: Create a new "unlock" SSH key

The version of Dropbear packaged in Debian does not support ed25519 keys. Use rsa.

Generate an SSH key specifically for Dropbear running on SERVER:

ssh-keygen -t rsa -f ~/.ssh/unlock_remote

Copy the newly-generated public key to SERVER:

scp ~/.ssh/unlock_remote.pub foobox:~/

5. On the SERVER: Add key

Login to SERVER.

Add the public key to /etc/dropbear/initramfs/authorized_keys:

sudo sh -c 'cat unlock_remote.pub > /etc/dropbear/initramfs/authorized_keys'

Change file permissions:

sudo chmod 600 /etc/dropbear/initramfs/authorized_keys
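Steps 4 and 5 copy the public key into the initramfs authorized_keys as-is. The following script is an added example, not part of the original post: it validates that the copied line really is an ssh-rsa public key (the type the post uses) and writes it with Dropbear's authorized_keys restrictions so the key can only run cryptroot-unlock and cannot forward ports. The function names, the sample key (a constructed, non-functional blob) and the use of a temp directory instead of /etc/dropbear/initramfs are assumptions made for a stand-alone run without root.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed: Dropbear honours the
# authorized_keys options command=, no-port-forwarding, no-agent-forwarding and
# no-X11-forwarding, and the source/destination paths are passed as parameters.

# Print the restricted authorized_keys line for one ssh-rsa public key line.
# Returns 1 (printing nothing) if the line is not a well-formed ssh-rsa key.
restrict_unlock_key() {
    pubkey_line=$1
    set -- $pubkey_line          # split into: <type> <base64 blob> [comment]
    [ $# -ge 2 ] || return 1
    keytype=$1
    blob=$2
    shift 2
    comment=$*
    # The post uses RSA because the packaged Dropbear lacked ed25519 support.
    [ "$keytype" = "ssh-rsa" ] || return 1
    # Every RSA blob starts with the base64 of the length-prefixed "ssh-rsa" string.
    case $blob in
        AAAAB3NzaC1yc2E*) ;;
        *) return 1 ;;
    esac
    # Only allow cryptroot-unlock; refuse forwarding even if dropbear.conf lacks -j/-k.
    printf '%s %s %s%s\n' \
        'command="cryptroot-unlock",no-port-forwarding,no-agent-forwarding,no-X11-forwarding' \
        "$keytype" "$blob" "${comment:+ $comment}"
}

# Write every valid key line from $1 (the copied unlock_remote.pub) to $2 with
# mode 600. Prints the number of keys installed; returns 1 and leaves no file
# behind if none were valid, so the "Invalid authorized_keys file" warning
# from step 3 cannot silently come back.
install_unlock_keys() {
    src=$1
    dst=$2
    count=0
    : > "$dst.tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if restricted=$(restrict_unlock_key "$line"); then
            printf '%s\n' "$restricted" >> "$dst.tmp"
            count=$((count + 1))
        else
            printf 'skipping malformed or non-RSA key line\n' >&2
        fi
    done < "$src"
    if [ "$count" -eq 0 ]; then
        rm -f "$dst.tmp"
        return 1
    fi
    chmod 600 "$dst.tmp"
    mv "$dst.tmp" "$dst"
    printf '%s\n' "$count"
}

# Constructed sample key for a stand-alone run; the blob is NOT a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEnotArealKeyBlob0123456789== foo@client'

demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEY" > "$dir/unlock_remote.pub"
    install_unlock_keys "$dir/unlock_remote.pub" "$dir/authorized_keys"
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}
demo
```

On SERVER you would call install_unlock_keys with ~/unlock_remote.pub and /etc/dropbear/initramfs/authorized_keys under sudo, then run update-initramfs as in step 7 so the new file is actually copied into the initramfs image.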

6. On the SERVER: Configure dropbear.conf

Edit /etc/dropbear/initramfs/dropbear.conf:

DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"

Options used:

  • Disconnect the session if no traffic is transmitted or received for 600 seconds: -I 600
  • Disable local port forwarding: -j
  • Disable remote port forwarding: -k
  • Listen on port 2222: -p 2222
  • Disable password logins: -s

7. On the SERVER: Configure initramfs.conf

NOTE: This setup is for making connections over wired ethernet. For wireless connections, see: Enable Wireless networks in Debian initramfs

Edit /etc/initramfs-tools/initramfs.conf. Example:

IP=192.168.1.23::192.168.1.1:255.255.255.0:foobox

Options used:

  • SERVER IP address (note the double colon): 192.168.1.23::
  • Gateway IP address: 192.168.1.1:
  • Subnet mask: 255.255.255.0:
  • SERVER hostname: foobox

NOTE: If you have more than one network interface, append the desired interface name to the IP= line above (example: IP=...:foobox:eth02).

Update initramfs whenever making changes to the Dropbear initramfs files (/etc/dropbear/initramfs/dropbear.conf and authorized_keys; older Debian releases keep this configuration in /etc/dropbear-initramfs/config) or to /etc/initramfs-tools/initramfs.conf, because these files are copied into the initramfs image rather than read from disk at boot:

sudo update-initramfs -u -k all

Link: HOWTO Set Static IP on boot in initramfs for Dropbear
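Steps 6 and 7 hand-edit two configuration strings whose format is easy to get subtly wrong: a mistyped IP= line leaves the initramfs without networking and no way to unlock remotely, and a missing -s quietly re-enables password logins on the boot-time SSH server. The script below is an added example, not part of the original post or of the dropbear-initramfs package: it builds the IP= line from its components with a dotted-quad check, and audits a DROPBEAR_OPTIONS string for the hardening flags the post uses. The interface name eth0 and the function names are assumptions for the stand-alone run.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed: the kernel "ip=" field
# order client:server:gateway:netmask:hostname:device, and that eth0 is the
# name `ip link` shows on SERVER.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the IP= line for /etc/initramfs-tools/initramfs.conf.
# Usage: build_ip_line <ip> <gateway> <netmask> <hostname> [device]
build_ip_line() {
    ip=$1 gw=$2 mask=$3 host=$4 dev=${5:-}
    is_ipv4 "$ip" && is_ipv4 "$gw" && is_ipv4 "$mask" || return 1
    [ -n "$host" ] || return 1
    # The second field (server-ip, only used for NFS root) is left empty,
    # which is why the post's line has a double colon after the address.
    printf 'IP=%s::%s:%s:%s%s\n' "$ip" "$gw" "$mask" "$host" "${dev:+:$dev}"
}

# Audit a DROPBEAR_OPTIONS value: print each missing hardening flag and
# return 1 if any is absent. -s no password logins, -j/-k no local/remote
# port forwarding, -I idle timeout (the post uses -I 600).
check_dropbear_options() {
    opts=" $1 "
    missing=0
    for flag in -s -j -k -I; do
        case $opts in
            *" $flag "*) ;;
            *) printf 'missing %s\n' "$flag"; missing=1 ;;
        esac
    done
    return $missing
}

# Stand-alone run with the post's example values.
build_ip_line 192.168.1.23 192.168.1.1 255.255.255.0 foobox
build_ip_line 192.168.1.23 192.168.1.1 255.255.255.0 foobox eth0
check_dropbear_options "-I 600 -j -k -p 2222 -s" && echo "dropbear options: hardened"
# The weak setting beside the corrected one: only the port set, password logins still allowed.
check_dropbear_options "-p 2222" || echo "dropbear options: weak"
```

The audit reads the quoted value of DROPBEAR_OPTIONS, so on SERVER you can feed it the live file with something like `. /etc/dropbear/initramfs/dropbear.conf; check_dropbear_options "$DROPBEAR_OPTIONS"` before running update-initramfs.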

8. On the CLIENT: Login to dropbear

Reboot SERVER.

Login using SSH (the initramfs Dropbear uses its own host key, not the one openssh-server presents after boot, so expect a new host-key confirmation prompt on the first connection to port 2222) and:

  • Enter the SSH key passphrase
  • At the prompt, run command cryptroot-unlock
  • Enter the LUKS passphrase to unlock encrypted root partition (example: sda3_crypt)

Example login:

$ ssh -i ~/.ssh/unlock_remote -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@192.168.1.23
Enter passphrase for key '/home/foo/.ssh/unlock_remote': 
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.


BusyBox v1.35.0 (Debian 1:1.35.0-4+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cryptroot-unlock 
Please unlock disk sda3_crypt: 
cryptsetup: sda3_crypt set up successfully
~ # Connection to 192.168.1.23 closed by remote host.
Connection to 192.168.1.23 closed.

SERVER resumes the boot sequence.

9. On the CLIENT: Create alias

Create an SSH alias for unlocking SERVER in ~/.ssh/config:

#: foobox - unlock server at boot
Host unlock-foobox
  Hostname 192.168.1.23
  User root
  Port 2222
  IdentityFile ~/.ssh/unlock_remote
  HostKeyAlgorithms ssh-rsa
  RequestTTY yes
  RemoteCommand cryptroot-unlock

With an alias, a simple ssh unlock-foobox and entering the correct passphrase will do the trick:

$ ssh unlock-foobox
Please unlock disk sda3_crypt: 
cryptsetup: sda3_crypt set up successfully
Connection to 192.168.1.23 closed.

Enjoy!
