Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu

Linux
Security
Author

Vinh Nguyen

Published

September 13, 2011

I recently performed a full disk encryption on my server using dm-crypt + LUKS. I did not address remote unlocking of the disk then because I did not know how. Remote unlocking is highly desirable I might not be physically near the server when a restart is necessary.

To remotely unlock the disk, one needs an ssh server running during startup (boot). Then, ssh into the server and unlock the disk with the passphrase. I originally was going to follow this post to perform remote unlocking via early-ssh. However, I couldn't figure out how to do so. It appears early-ssh is no longer needed as the solution can be easily implemented with Dropbear SSH Server and Busybox in Ubuntu; see the documention at /usr/share/doc/cryptsetup/README.remote.gz.

It took me quite some time to figure out how to set things up. I first had issues with logging into the Dropbear server (normal user accounts won't work); this post helped me figure out how to log in. Then I had a difficult time with how to unlock the disk once I'm in the server. The solution is elegantly described here and here.

Set up Dropbear SSH Server

sudo apt-get install dropbear busybox ## do not install early-ssh

There is an error in the dropbear hook script in initramfs-tools. To fix it, do

find /lib -name libnss_files.so.2
## me:
#/lib/x86_64-linux-gnu/libnss_files.so.2

At around line 30 in /usr/share/initramfs-toosl/hooks/dropbear, replace cp /lib/libnss_/ "${DESTDIR}/lib/" with cp /lib/x86_64-linux-gnu/libnss_/ "${DESTDIR}/lib/" (if early-ssh is installed, it will give further errors related to this).

Now, run:

update-initramfs -u

Enable the root account in Ubuntu as only the root user can login to Dropbear SSH Server during boot (entire disk is encrypted):

sudo passwd root
## enter root password
## to disable root account:
## sudo passwd -dl root

Now, in your laptop (not server), copy over the private key in order to login to Dropbear SSH Server:

scp user@remote.server:/etc/initramfs-tools/root/.ssh/id_rsa ~/.ssh/remote_dropbear_id_rsa

NOTE: It appears you HAVE to to use the generated private key in order to login. Login with password will not work. I also tried copying my laptop's public key into the server's /etc/initramfs-tools/root/.ssh/authorized_keys so that I can use my laptop's key to login but that did not work. I might have to translate my laptop's private key to dropbear's formatin order for it to work. Since I have to use another file regardless, I'll just use Dropbear's private key.

Disable root login for OpenSSH as it is unsafe to login as root (we only allow root to login when Dropbear SSH server is running during startup and restrict root all other times):

## change in /etc/ssh/sshd_config
PermitRootLogin no

If I restart the server now, Dropbear SSH Server will run after some time when the system is waiting for the passphrase to unlock the disk. To SSH into the Dropbear server, do:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/.ssh/remote_dropbear_id_rsa" root@my.server

Remote Unlocking

It appears the original method to unlock the disk does not work with Ubuntu 11.04:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/.ssh/remote_dropbear_id_rsa" root@my.server "echo -ne "encryptionpassphrase" > /lib/cryptsetup/passfifo"

The error is due to Plymouth. Uninstalling or tinkering with Plymouth could cause other errors (like allowing remote unlocking to work but one loses the ability to unlock in at the server's physical console). To get remote unlocking to work, follow the manual method described here:

## log into dropbear
ps
## locate the process id (first column) for the /scripts/local-top/cryptroot script
kill -9 pid ## PID from previous
ps
## look for a wait-for-root script and note the timeout on the command line; mine: 30
## wait 30 seconds
/scripts/local-top/cryptroot
## enter passphrase
ps
## locate process ID for /bin/sh -i
kill -9 PID
exit

A more concise command is:

pid=`ps | grep "/scripts/local-top/cryptroot" | cut -d " " -f 3`; kill -9 $pid; sleep 35; /scripts/local-top/cryptroot; pid=`ps | grep "/bin/sh" | cut -d " " -f 3`; kill -9 $pid; exit

The disk should unlock and you can now ssh normally into the server (root not allowed!). YAY!

I'm sure one can automate this last portion using a script. Also, I would like to add a startup script that emails me when the server is waiting for a passphrase. This will be useful if the system restarts due to a power outtage without me knowing.