Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu

I recently performed a full disk encryption on my server using dm-crypt + LUKS. I did not address remote unlocking of the disk then because I did not know how. Remote unlocking is highly desirable I might not be physically near the server when a restart is necessary.

To remotely unlock the disk, one needs an ssh server running during startup (boot). Then, ssh into the server and unlock the disk with the passphrase. I originally was going to follow this post to perform remote unlocking via early-ssh. However, I couldn’t figure out how to do so. It appears early-ssh is no longer needed as the solution can be easily implemented with Dropbear SSH Server and Busybox in Ubuntu; see the documention at /usr/share/doc/cryptsetup/README.remote.gz.

It took me quite some time to figure out how to set things up. I first had issues with logging into the Dropbear server (normal user accounts won’t work); this post helped me figure out how to log in. Then I had a difficult time with how to unlock the disk once I’m in the server. The solution is elegantly described here and here.

Set up Dropbear SSH Server

sudo apt-get install dropbear busybox ## do not install early-ssh

There is an error in the dropbear hook script in initramfs-tools. To fix it, do

find /lib -name libnss_files.so.2
## me:
#/lib/x86_64-linux-gnu/libnss_files.so.2

At around line 30 in /usr/share/initramfs-toosl/hooks/dropbear, replace =cp lib/libnss_ “${DESTDIR}/lib/”= with =cp lib/x86_64-linux-gnu/libnss_ “${DESTDIR}/lib/”= (if early-ssh is installed, it will give further errors related to this).

Now, run:

update-initramfs -u

Enable the root account in Ubuntu as only the root user can login to Dropbear SSH Server during boot (entire disk is encrypted):

sudo passwd root
## enter root password
## to disable root account:
## sudo passwd -dl root

Now, in your laptop (not server), copy over the private key in order to login to Dropbear SSH Server:

scp user@remote.server:/etc/initramfs-tools/root/.ssh/id_rsa ~/.ssh/remote_dropbear_id_rsa

NOTE: It appears you HAVE to to use the generated private key in order to login. Login with password will not work. I also tried copying my laptop’s public key into the server’s /etc/initramfs-tools/root/.ssh/authorized_keys so that I can use my laptop’s key to login but that did not work. I might have to translate my laptop’s private key to dropbear’s formatin order for it to work. Since I have to use another file regardless, I’ll just use Dropbear’s private key.

Disable root login for OpenSSH as it is unsafe to login as root (we only allow root to login when Dropbear SSH server is running during startup and restrict root all other times):

## change in /etc/ssh/sshd_config
PermitRootLogin no

If I restart the server now, Dropbear SSH Server will run after some time when the system is waiting for the passphrase to unlock the disk. To SSH into the Dropbear server, do:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/.ssh/remote_dropbear_id_rsa" root@my.server

Remote Unlocking

It appears the original method to unlock the disk does not work with Ubuntu 11.04:

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i "~/.ssh/remote_dropbear_id_rsa" root@my.server "echo -ne "encryptionpassphrase" > /lib/cryptsetup/passfifo"

The error is due to Plymouth. Uninstalling or tinkering with Plymouth could cause other errors (like allowing remote unlocking to work but one loses the ability to unlock in at the server’s physical console). To get remote unlocking to work, follow the manual method described here:

## log into dropbear
ps
## locate the process id (first column) for the /scripts/local-top/cryptroot script
kill -9 pid ## PID from previous
ps
## look for a wait-for-root script and note the timeout on the command line; mine: 30
## wait 30 seconds
/scripts/local-top/cryptroot
## enter passphrase
ps
## locate process ID for /bin/sh -i
kill -9 PID
exit

A more concise command is:

pid=`ps | grep "/scripts/local-top/cryptroot" | cut -d " " -f 3`; kill -9 $pid; sleep 35; /scripts/local-top/cryptroot; pid=`ps | grep "/bin/sh" | cut -d " " -f 3`; kill -9 $pid; exit

The disk should unlock and you can now ssh normally into the server (root not allowed!). YAY!

I’m sure one can automate this last portion using a script. Also, I would like to add a startup script that emails me when the server is waiting for a passphrase. This will be useful if the system restarts due to a power outtage without me knowing.

About Vinh Nguyen

Statistician

11 comments

  1. Hi Vinh,

    I have an application for this, and I would like to hire you to help implement a solution for us.

    Please contact me.

    Thank you,
    Chris Brunner

  2. This is great, just one question — my dropbear client issues a DHCP adress to the server during the unlock prompt. As a result, if I am not looking at the console, I have no way of telling what IP it dynamically generated.

    Do you run into this issue at all?

  3. Pingback: IPMI addon board?
  4. First of all, Thanks for this great tutorial,
    May i add this:

    pid=`ps | grep “/scripts/local-top/cryptroot” | grep -v “grep” | cut -d ” ” -f 3`; kill -9 $pid; sleep 35; /scripts/local-top/cryptroot; pid=`ps | grep “/bin/sh” | grep -v “grep” | cut -d ” ” -f 3`; kill -9 $pid; exit

    This adds two grep statements to skip errors while unlocking.

    Regards

  5. Hi, Thank you so much for your post, I couldn’t have got remote luks unlock working without it!

    I’ve put my version of the wakeup script into a gist for everyone to use: https://gist.github.com/timabell/9568173 – It works on my machine (TM)!

    It sends all the commands from the client machine which suits me better and I’ve integrated Jochar’s extra grep (thanks Jochar!, good call).

    Hope it’s useful to others. I’d love to see this work out-of-the box on linux distros as it’s a useful feature.

    Tim

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>