How to unlock LUKS using Dropbear SSH keys remotely in Linux

On Linux, we encrypt our partitions and entire disks using the Linux Unified Key Setup (LUKS) on-disk format for security and privacy reasons. We unlock a LUKS-protected disk by providing a passphrase at boot time. That means you need to be in front of the computer, or use a remote console, to open the encrypted disk at boot. If your system sits in the basement, in a remote datacenter/office, or in an upstairs office, you won't be able to unlock and boot your Linux box. We can solve this problem with the Dropbear SSH server, which lets us unlock a LUKS-encrypted Debian, Ubuntu or other Linux system over SSH. Let us see how to unlock LUKS using Dropbear SSH keys in Linux at boot time.


Why use and unlock LUKS encrypted root and boot disk using Dropbear ssh?

  • Useful for a remote Linux server or cloud server
  • Boot and gain access to your box when you don’t have a remote KVM console.
  • In other words, we can boot a Linux server when no keyboard and screen are attached to the box.

What is the Dropbear SSH server?

Dropbear is a free and open-source SSH server created explicitly for embedded Linux and Unix systems with low resource requirements. It implements version 2 of the Secure Shell (SSH) protocol. It supports RSA and elliptic curve cryptography for key exchange. Dropbear is compatible with OpenSSH ~/.ssh/authorized_keys public key authentication. I am assuming that you already installed Debian or Ubuntu Linux with LVM and LUKS. Here is my setup, which also uses software RAID-1:

  1. /boot/efi – The system boot partition is created when your motherboard runs UEFI rather than BIOS.
  2. /dev/md0 – Linux /boot/ (RAID-1 /dev/md0 mounted on /boot/) holds only the files needed during the boot process, including the initial RAM disk (initrd) that the boot loader loads. We use update-initramfs to hook our Dropbear ssh server into the boot process. Run the ls command to look into the /boot/ directory. You will see files such as the following:
    ls -1 /boot/*$(uname -r)*
    /boot/config-4.19.0-13-amd64
    /boot/initrd.img-4.19.0-13-amd64
    /boot/System.map-4.19.0-13-amd64
    /boot/vmlinuz-4.19.0-13-amd64

    vmlinuz is my Linux kernel, and initrd contains Linux drivers, RAID support, Dropbear ssh server, and other stuff to boot the Linux system.
  3. /dev/md1 – My LUKS-encrypted system RAID-1 device. It has two LVM members: one for swap and another for the root partition. In other words, all data is encrypted except the /boot/efi and /boot/ partitions. It is also possible to encrypt /boot/. Remember that your security and threat model is different, so you may want to employ additional protection such as a BIOS/UEFI password on boot, securing physical access to your home/office/datacenter, enabling FDE as per your needs, and so on.

My sample set up for remote unlocking of LUKS-encrypted root in Ubuntu/Debian

Run the lsblk command to see the current disks, RAID, encryption and LVM info:
# lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT

We can also use the cat command to identify encrypted partitions:
sudo cat /etc/crypttab
Here is what I see:

md1_crypt UUID=45b8c33e-a710-4062-b98f-a32a45c9d947 none luks,discard

My Linux OS version and Linux kernel version in production are as follows:
lsb_release -a && uname -mrs
Sample outputs:

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
Linux 4.19.0-13-amd64 x86_64

Enough talk. Let us get our hands dirty and see how to decrypt LUKS devices remotely via Dropbear SSH.

Step to unlock LUKS using Dropbear SSH keys in Linux

I will install the Dropbear ssh for my LUKS encrypted Debian 10.x and Ubuntu 20.04 LTS server and enable remote unlocking.

Step 1 – Installing the Dropbear on Debian or Ubuntu

Run the apt command/apt-get command as follows:
## First, apply Debian security patches ##
sudo apt update
sudo apt upgrade
sudo apt install dropbear-initramfs

NOTE: You may see a warning such as “dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!”. Just ignore it for now; we add the key in Step 5.

Step 2 – Configuring the Dropbear to unlock LUKS encrypted system

Use the su command or sudo command to become root user:
sudo -i
cd into /etc/dropbear-initramfs using the cd command:
cd /etc/dropbear-initramfs
Edit the config file:
# vim config
Edit/Update DROPBEAR_OPTIONS as follows:
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"
Where the options are as follows:

  1. -I 180 : Disconnect the session if no traffic is transmitted or received in 180 seconds.
  2. -j : Disable ssh local port forwarding.
  3. -k : Also disable remote port forwarding.
  4. -p 2222 : Listen on the specified address and TCP port. If just a port such as 2222 is given, listen on all addresses. Up to 10 may be specified (default 22 if none is specified).
  5. -s : Disable password logins. We are going to set up SSH keys for authentication to reduce the attack surface.

Step 3 – Configuring static IP

For a local Linux server in your basement, you can probably figure out the IP address that your DHCP server hands to Dropbear, which is the default behavior. However, a remote server in a data center or a cloud needs a fixed public IP address, just like a normal OpenSSH session. Here is how to set it up. Edit /etc/initramfs-tools/initramfs.conf:
# vim /etc/initramfs-tools/initramfs.conf
Append the static IP info used by Dropbear ssh at boot time:
IP=192.168.2.19::192.168.2.254:255.255.255.0:debian
Where:

  1. IP= – Start static IP config
  2. :: – Field separator (the empty field between them is the server IP, which we leave blank)
  3. 192.168.2.19 – IPv4
  4. 192.168.2.254 – Gateway
  5. 255.255.255.0 – Netmask
  6. debian – Hostname

The full syntax for IPv4 and IPv6 static IP settings is as follows:

ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:
   <dns-server-0-ip>:<dns-server-1-ip>:<ntp0-ip>

Step 4 – Updating or generating an initramfs image

We use the update-initramfs script, which manages the initramfs images on your local box, whenever we make changes to /etc/initramfs-tools/initramfs.conf or /etc/dropbear-initramfs/config:
sudo update-initramfs -u
sudo update-initramfs -u -v

The -u option updates an existing initramfs and the -v option increases the amount of information you are given during the chosen action.

Step 5 – Creating SSH keys for log in

Let us get back to our desktop clients such as macOS, *BSD, or a Linux based distro. Open the terminal and then type the following command to set up SSH public key based authentication:
{client}$ ssh-keygen -t rsa -f ~/.ssh/intel_nuc_debian
Copy your desktop client's public key ~/.ssh/intel_nuc_debian.pub into /etc/dropbear-initramfs/authorized_keys, one key per line:
{client}$ cat ~/.ssh/intel_nuc_debian.pub
If root ssh access is enabled, try:
{client}$ cat ~/.ssh/intel_nuc_debian.pub | ssh root@192.168.2.176 "cat >> /etc/dropbear-initramfs/authorized_keys"
For a normal user, try:
{client}$ scp ~/.ssh/intel_nuc_debian.pub vivek@192.168.2.176:~/key.pub
{client}$ ssh vivek@192.168.2.176
{server}$ sudo -i
{server}# cat /home/vivek/key.pub >> /etc/dropbear-initramfs/authorized_keys
{server}# rm /home/vivek/key.pub
{server}# exit
{server}$ exit

Make sure we update our initrd so that the new key is copied into it:
{server}$ sudo update-initramfs -u
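A pre-reboot sanity check covering Steps 2 to 5, added here as an example script and not part of the original article: it validates the DROPBEAR_OPTIONS line, the IP= line (a missing "::" shifts the fields, which is a common mistake), the authorized_keys file, and finally, with lsinitramfs, that the rebuilt initrd really contains dropbear and the key file. Paths are the ones used above; the function names are my own.

```shell
#!/bin/sh
# Pre-reboot sanity checks for a dropbear-initramfs setup. Added example for this
# article, not part of the original post; paths are the ones the article uses.

# Validate a kernel IP= line: ip=<client>:<server>:<gw>:<netmask>:<hostname>:...
# Fields 1, 3 and 4 must be dotted quads; a missing "::" shifts them and fails here.
check_ip_line() {
    rest=$(printf '%s\n' "$1" | sed -n 's/^[Ii][Pp]=//p')
    [ -n "$rest" ] || return 1
    for n in 1 3 4; do
        printf '%s\n' "$rest" | cut -d: -f"$n" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
}

# DROPBEAR_OPTIONS must disable password logins (-s) and pin a port (-p NNNN).
check_dropbear_options() {
    printf '%s\n' "$1" | grep -Eq '(^| )-s( |$)' || return 1
    printf '%s\n' "$1" | grep -Eq '(^| )-p [0-9]+( |$)'
}

# authorized_keys must hold at least one public key and nothing that is not one
# (blank lines and # comments are allowed).
check_authorized_keys() {
    [ -s "$1" ] || return 1
    keys=$(grep -Ec '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$1" || true)
    other=$(grep -Evc '^(#|$|(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) )' "$1" || true)
    [ "$keys" -gt 0 ] && [ "$other" -eq 0 ]
}

# Confirm the rebuilt initrd actually carries dropbear and the key file
# (run as root on the server; lsinitramfs comes with initramfs-tools).
check_initrd() {
    img="/boot/initrd.img-$(uname -r)"
    lsinitramfs "$img" | grep -q 'dropbear' || return 1
    lsinitramfs "$img" | grep -q 'authorized_keys'
}

# Run every check against the live configuration before "sudo reboot".
run_all_checks() {
    check_dropbear_options "$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' /etc/dropbear-initramfs/config)" &&
    check_ip_line "$(grep -E '^[Ii][Pp]=' /etc/initramfs-tools/initramfs.conf)" &&
    check_authorized_keys /etc/dropbear-initramfs/authorized_keys &&
    check_initrd
}
```

Source the file and call run_all_checks as root; a non-zero exit means one of the four items needs fixing before you reboot.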

Step 6 – Test Linux server when we enable LUKS remote unlocking

So far, so good. We installed Dropbear ssh for initramfs, configured it including the static IP, and installed the ssh keys. It is time to reboot the Linux server:
{server}$ sudo reboot

Unlocking LUKS volumes using ssh

Use the ping command to verify connectivity:
{client}$ ping 192.168.2.19
Let us log in using the ssh command:
{client}$ ssh -i ~/.ssh/intel_nuc_debian -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@192.168.2.19
To unlock the LUKS volume, run:
# cryptroot-unlock


Summing up

And there you have it: a LUKS disk unlocked remotely over ssh with the help of the Dropbear ssh server. You may want to set up an OpenSSH config file to avoid typing the long ssh command each time.

This entry is 4 of 4 in the Linux Unified Key Setup (LUKS) disk encryption tutorial series. Keep reading the rest of the series:
  1. Linux Hard Disk Encryption With LUKS
  2. Backup and restore LUKS header on Linux
  3. Change LUKS disk encryption passphrase on Linux
  4. Unlock LUKS using Dropbear SSH keys remotely in Linux

3 comments
  • sebastian Jan 7, 2021 @ 7:00

    Thanks for your tutorial, it might be handy for me in the future.

    One question though: how can dropbear read the authorized public key, after you copied it, e.g.

    cat /home/vivek/key.pub >> /etc/dropbear-initramfs/authorized_keys

    don’t we need another

    sudo update-initramfs -u

    I assume your whole root partition including /etc is LUKS encrypted and can’t be read by dropbear?

    Thanks!

    • 🐧 Vivek Gite Jan 7, 2021 @ 7:49

      Yes, every time you make a change you need to run
      sudo update-initramfs -u

      /etc is encrypted but we put authorized_keys along with Dropbear ssh in /boot/initrd* file. /boot/ is currently not encrypted. However, we can encrypt /boot/ too and it requires additional grub+system config.

  • BinaryShrub Jan 7, 2021 @ 21:56

    I wrote a whole guide on this here if you’re interested: https://github.com/BinaryShrub/ubuntu-btrfs-luks/blob/master/README.md
