elibaum.com

LUKS decrypt over ssh

13 Dec 2020

If you’re using LUKS encryption for your system drive, there’s no way, by default, to unlock a remote machine: the passphrase has to be typed at the console, so you need a keyboard and monitor attached.

We can run a lightweight SSH server, dropbear, from the initramfs (the small early userspace the kernel boots before the encrypted root is available) to allow decryption, and therefore booting, over the network.

I did this on Ubuntu; there may be easier options for other systems (this seems targeted at Fedora).

Installation

sudo apt install dropbear busybox

Dropbear is the SSH server we run inside the initramfs, next to busybox, which provides the shell and basic utilities there. On Ubuntu the dropbear package also pulls in dropbear-initramfs (the initramfs hook) and dropbear-run, a regular user-space SSH server you can disable if you only want the initramfs one. The initramfs dropbear generates its own host keys (stored alongside its config in /etc/dropbear-initramfs/), separate from the system’s OpenSSH host keys, so a client that already knows the machine by the same name will warn about a changed host key when it connects during boot; a separate Host entry in ~/.ssh/config with its own UserKnownHostsFile avoids that. I ignored those keys. When installing, you might see a warning that dropbear could not find an authorized_keys file. That’s fine; we add it later.

Setup

Copy keys. You could generate a separate keypair used only for unlocking (which limits what a compromise of that key gives an attacker), but I didn’t feel like it. Instead, I just copied my already-authorized SSH keys over:

sudo cp ~/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys

Then run sudo update-initramfs -u to rebuild the initramfs with the new file. This time you shouldn’t see the warning about dropbear not finding a key file. You could also use the standard ssh-copy-id command (from the device you want to unlock from), and then copy the result from ~/.ssh/authorized_keys into the dropbear directory.

Note: you have to run update-initramfs -u again any time you change something under /etc/dropbear-initramfs; the running system never reads those files, only the rebuilt initramfs does.
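The whole setup in one script, as an added example that is not from the original post: it installs a single unlock public key rather than the entire authorized_keys file, turns off password logins and port forwarding on the initramfs dropbear via DROPBEAR_OPTIONS in /etc/dropbear-initramfs/config, rebuilds the initramfs, and then checks with lsinitramfs that dropbear, busybox, the key file and the cryptroot script actually made it in, instead of trusting the absence of a warning. The directory layout is the Ubuntu 20.04 one used above; the port 2222, the key path passed as an argument, and the function names are this example’s own choices.

```shell
#!/bin/sh
# Added example (not the original post's code): set up dropbear in the
# Ubuntu initramfs, lock the listener down, rebuild, and verify.
# Assumed: Ubuntu 20.04 layout (/etc/dropbear-initramfs), an unlock
# public key passed on the command line, and port 2222 (chosen here).
set -eu

DROPBEAR_DIR=/etc/dropbear-initramfs
CONF="$DROPBEAR_DIR/config"

# The DROPBEAR_OPTIONS line for the initramfs dropbear:
#   -s  disable password logins (keys only)
#   -j  disable local port forwarding
#   -k  disable remote port forwarding
#   -p  listen port; a port other than 22 also keeps the initramfs host
#       key from clashing with the booted system's OpenSSH host key,
#       since ssh records non-default ports as [host]:port in known_hosts
dropbear_options() {
    printf 'DROPBEAR_OPTIONS="-s -j -k -p %s"\n' "$1"
}

# Install exactly one public key as the initramfs authorized_keys.
install_unlock_key() {
    pubkey="$1"
    sudo install -d -m 0700 "$DROPBEAR_DIR"
    sudo install -m 0600 "$pubkey" "$DROPBEAR_DIR/authorized_keys"
}

# Replace any existing DROPBEAR_OPTIONS line with ours.
configure_dropbear() {
    port="$1"
    if sudo test -f "$CONF"; then
        sudo sed -i '/^DROPBEAR_OPTIONS=/d' "$CONF"
    fi
    dropbear_options "$port" | sudo tee -a "$CONF" >/dev/null
}

# Read an lsinitramfs listing from stdin and check that the pieces the
# remote unlock depends on are present. Matching is by name rather than
# full path because the exact locations differ between dropbear-initramfs
# versions. Returns 0 if everything is there, 1 otherwise.
check_initramfs_listing() {
    listing=$(cat)
    missing=0
    for needle in dropbear busybox authorized_keys cryptroot; do
        case "$listing" in
            *"$needle"*) ;;
            *) echo "missing from initramfs: $needle" >&2; missing=1 ;;
        esac
    done
    return $missing
}

main() {
    port=2222
    install_unlock_key "$1"
    configure_dropbear "$port"
    # -u rebuilds the newest installed kernel's initramfs, normally the
    # running one; the check below looks at the running kernel's image.
    sudo update-initramfs -u
    lsinitramfs "/boot/initrd.img-$(uname -r)" | check_initramfs_listing
    echo "initramfs ok; dropbear will listen on port $port"
}

# Only act when explicitly asked; sourcing or running without "apply"
# just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    [ $# -eq 2 ] || { echo "usage: $0 apply /path/to/unlock.pub" >&2; exit 2; }
    main "$2"
fi
```

Run it on the encrypted machine as sh setup-dropbear-initramfs.sh apply ~/.ssh/unlock.pub; the client then connects with ssh -p 2222 root@machine. The final lsinitramfs check is the part worth keeping even if you do the rest by hand: it is the only way to see what the initramfs actually contains short of rebooting.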

Unlocking

It might take a few seconds after power-on for the initramfs to get a network connection and launch dropbear. Then ssh root@machine-hostname-or-ip. You should get a busybox prompt. To unlock,

echo -ne "PASSWORD" > /lib/cryptsetup/passfifo

The -n matters: a trailing newline would be handed to cryptsetup as part of the passphrase. If that worked you will be kicked out of your SSH session (the initramfs shell goes away once the root filesystem is unlocked), and Ubuntu will boot! Typing the passphrase into an echo command does leave it on that shell’s command line; Ubuntu’s cryptsetup-initramfs also ships a cryptroot-unlock command that prompts for the passphrase interactively instead.

To make things easier, I wrote a shell script on my other computer that asks for the password and unlocks:

#!/bin/zsh
# -s keeps the passphrase off the terminal, -r keeps backslashes literal
echo -n "password? "
read -rs PASSWD
echo

# Feed the passphrase over stdin instead of embedding it in the remote
# command line, so neither shell parses it (quotes, $ and backslashes are
# passed through) and it never shows up in a process listing; printf '%s'
# adds no trailing newline.
printf '%s' "$PASSWD" | ssh macmini-crypt 'cat > /lib/cryptsetup/passfifo'

Unknowns

Unlocking a LUKS encrypted root partition remotely via SSH

How to install and configure Dropbear on Linux