Last edited on 2023-08-03 • Tagged under #ssh #network #debian #linux #luks #homeServer
When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location?
Enter Dropbear. Install this tiny SSH server into the server's initramfs, and use SSH keys to log in from a client at boot and unlock.
Setup
- Server is running Debian 12; hostname foobox
- Server has the openssh-server package installed and configured
- Access and unlock the server using a Linux client device
1. On the server: Install dropbear
$ sudo apt install dropbear-initramfs
This generates a warning message ...
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!
Fix that in the next steps by creating a new authorized_keys file and adding the client's SSH key.
2. Keys
The version of Dropbear packaged in Debian does not support ed25519 keys. Use rsa.
2.1 On the client: Generate key
Generate an SSH key for Dropbear ...
$ ssh-keygen -t rsa -f ~/.ssh/unlock_luks
2.2 On the client: Upload key
Copy the newly-generated public key to the server ...
$ scp ~/.ssh/unlock_luks.pub foobox:~/
2.3 On the server: Add key
Log in to the server.
Add the public key to /etc/dropbear/initramfs/authorized_keys ...
$ sudo sh -c 'cat unlock_luks.pub >> /etc/dropbear/initramfs/authorized_keys'
Change the file permissions ...
$ sudo chmod 600 /etc/dropbear/initramfs/authorized_keys
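Before rebuilding the initramfs it is worth checking that the authorized_keys file is in the shape Dropbear expects, since the only feedback otherwise is the warning from step 1 or a failed login at boot. The script below is an added example, not code from the original post or from the dropbear-initramfs package; it assumes a POSIX sh with awk, takes the file path as a parameter so it can be run against a copy, and creates two constructed sample files (the key bodies are made up) to show a pass and a fail.

```shell
#!/bin/sh
# Added example (not code from the original post): sanity-check the Dropbear
# initramfs authorized_keys file before running update-initramfs.
# Assumptions: POSIX sh with awk; the file path is passed as a parameter, so it
# works on a copy as well as on /etc/dropbear/initramfs/authorized_keys.

# Return 0 if LINE is a usable entry: an optional options field, then the key
# type, then a base64 key body. The post says Debian's Dropbear needs RSA
# keys, so only "ssh-rsa" is accepted here; anything else is rejected.
key_line_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "ssh-rsa"                    { t = $1; k = $2 }
        $1 != "ssh-rsa" && $2 == "ssh-rsa" { t = $2; k = $3 }
        { if (t == "ssh-rsa" && k ~ /^AAAA[A-Za-z0-9+\/=]+$/) exit 0; exit 1 }'
}

# Return 0 if FILE exists, is mode 0600 (-rw-------), contains at least one
# key, and every non-blank, non-comment line passes key_line_ok.
# Each problem found is reported on stderr.
authorized_keys_ok() {
    f=$1 rc=0 n=0
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode $mode, want -rw-------" >&2; rc=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        n=$((n + 1))
        key_line_ok "$line" || { echo "$f: rejected line: $line" >&2; rc=1; }
    done < "$f"
    [ "$n" -gt 0 ] || { echo "$f: no keys" >&2; rc=1; }
    return "$rc"
}

# Write two constructed sample files into DIR: good_keys (one RSA entry,
# mode 0600) and bad_keys (an ed25519 entry, mode 0644). The base64 bodies
# are made up and are not real keys.
make_sample_files() {
    printf '%s\n' \
        '# constructed sample' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedSampleBodyNotARealKey0123456789== foo@client' \
        > "$1/good_keys"
    chmod 600 "$1/good_keys"
    printf '%s\n' 'ssh-ed25519 AAAAC3ConstructedSampleBodyNotARealKey foo@client' > "$1/bad_keys"
    chmod 644 "$1/bad_keys"
}

# Demo on the constructed files; on a real server run:
#   authorized_keys_ok /etc/dropbear/initramfs/authorized_keys
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
authorized_keys_ok "$demo_dir/good_keys" && echo "good_keys: OK"
authorized_keys_ok "$demo_dir/bad_keys"  || echo "bad_keys: rejected (expected)"
rm -rf "$demo_dir"
```

The mode check matters because the file is copied into the initramfs as-is; the type check catches the ed25519 case the post warns about before it costs a reboot.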
3. Dropbear.conf
Edit /etc/dropbear/initramfs/dropbear.conf
...
DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"
Dropbear options:
-I 600    # Disconnect the session if no traffic is transmitted or received for 600 seconds
-j        # Disable local port forwarding
-k        # Disable remote port forwarding
-p 2222   # Listen on port 2222
-s        # Disable password logins
4. Initramfs.conf
Note: This setup is for making connections over wired ethernet. For wireless connections, see: Enable Wireless networks in Debian initramfs
Edit /etc/initramfs-tools/initramfs.conf. Example ...
IP=192.168.1.25::192.168.1.1:255.255.255.0:foobox
IP options:
192.168.1.25   -- Server IP address; note the double colon that follows it
192.168.1.1    -- Gateway IP address
255.255.255.0  -- Subnet mask
foobox         -- Server hostname
Note: If you have more than one network interface, append the desired interface name to the IP= line above (example: IP=...:foobox:eth0).
Update the initramfs whenever making changes to /etc/dropbear/initramfs/dropbear.conf or /etc/initramfs-tools/initramfs.conf ...
$ sudo update-initramfs -u -k all
Link: HOWTO Set Static IP on boot in initramfs for Dropbear
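Steps 3 and 4 are the two places where a typo silently produces an initramfs that cannot be reached over the network. The script below is an added example, not code from the original post: it audits a DROPBEAR_OPTIONS string for the hardening flags the post uses (-s, -j, -k) and reports the listen port, and it builds the IP= line from its parts so the empty second field (the double colon) and the optional interface name land in the right place. It assumes a POSIX sh with awk; all addresses and names are the post's example values passed as parameters.

```shell
#!/bin/sh
# Added example (not code from the original post): audit DROPBEAR_OPTIONS and
# build the initramfs IP= line. Assumptions: POSIX sh with awk; flags as used
# in the post (-s, -j, -k, -p, -I); example values are the post's own.

# Print the port Dropbear will listen on (22 when no -p is given).
dropbear_port() {
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -p)  echo "$2"; return 0 ;;
            -p*) echo "${1#-p}"; return 0 ;;
        esac
        shift
    done
    echo 22
}

# Return 0 if OPTS contains every flag in WANT (default: -s -j -k, i.e. no
# password logins and no port forwarding); list missing flags on stderr.
dropbear_opts_hardened() {
    opts=$1 want=${2:--s -j -k} missing=
    for flag in $want; do
        case " $opts " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    [ -z "$missing" ] || { echo "missing Dropbear flags:$missing" >&2; return 1; }
}

# Return 0 if ADDR is a dotted quad with each octet in 0..255.
dotted_quad_ok() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Build the IP= line for /etc/initramfs-tools/initramfs.conf.
# Field order: client:server:gateway:netmask:hostname[:device]. The "server"
# field (an NFS root server, unused here) is left empty, which is where the
# double colon in the post's example comes from.
ip_line() {
    client=$1 gateway=$2 netmask=$3 host=$4 device=$5
    for a in "$client" "$gateway" "$netmask"; do
        dotted_quad_ok "$a" || { echo "not a dotted quad: $a" >&2; return 1; }
    done
    line="IP=$client::$gateway:$netmask:$host"
    [ -z "$device" ] || line="$line:$device"
    echo "$line"
}

# Demo with the post's values.
OPTS='-I 600 -j -k -p 2222 -s'
dropbear_opts_hardened "$OPTS" && echo "hardening flags present, port $(dropbear_port "$OPTS")"
ip_line 192.168.1.25 192.168.1.1 255.255.255.0 foobox
ip_line 192.168.1.25 192.168.1.1 255.255.255.0 foobox eth0
```

To audit the live file, read the value out of /etc/dropbear/initramfs/dropbear.conf and pass it to dropbear_opts_hardened; a non-zero exit means a flag the post relies on is absent.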
5. Login
Reboot server, then:
- Login via ssh
- Enter the ssh key passphrase
- At the prompt, run command
cryptroot-unlock
- Enter the LUKS passphrase to unlock encrypted root partition
$ ssh -i ~/.ssh/unlock_luks -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@foobox
Enter passphrase for key '/home/foo/.ssh/unlock_luks':
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.

BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cryptroot-unlock
...
System finishes the boot sequence.
6. Alias
Create an ssh alias for unlocking the server in the client's ~/.ssh/config
...
#: foobox - unlock server at boot
Host unlock-foobox
    Hostname 192.168.0.50
    User root
    Port 2222
    IdentityFile ~/.ssh/unlock_luks
    HostKeyAlgorithms ssh-rsa
    RequestTTY yes
    RemoteCommand cryptroot-unlock
Then a simple ssh unlock-foobox and entering the correct passphrases for the SSH key followed by the encrypted partition (example: sda3_crypt) will do the trick ...
$ ssh unlock-foobox
Please unlock disk sda3_crypt:
cryptsetup: sda3_crypt set up successfully
Connection to 192.168.0.50 closed.
$
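Two things tend to come up once the alias is in daily use, and both are additions beyond what the post covers: the Dropbear in the initramfs presents its own host key, while the main OpenSSH server presents a different one on the same address after boot, so without separate known_hosts entries ssh reports a changed host key on every reboot; and after cryptroot-unlock returns there is a gap before the real sshd answers. The script below is an added example, not code from the original post. It generates the alias stanza with a HostKeyAlias and its own known_hosts file (both standard OpenSSH client options), and polls port 22 after the unlock. It assumes a POSIX sh, an nc that accepts -z and -w for the default probe, and uses the post's example address, port and key path as parameters; the probe is a parameter so the wait logic can be exercised without a server.

```shell
#!/bin/sh
# Added example (not code from the original post). Two practical additions
# around the alias step:
#  1. The initramfs Dropbear has its own host key, different from the one the
#     main OpenSSH server presents on the same address after boot. Giving the
#     unlock alias a HostKeyAlias and its own known_hosts file keeps ssh from
#     reporting a changed host key on every reboot.
#  2. After cryptroot-unlock, wait until the real sshd answers on port 22
#     before doing anything else.
# Assumptions: POSIX sh; nc with -z/-w for the default probe; the address,
# port and key path are the post's example values passed as parameters.

# Print a ~/.ssh/config stanza for the unlock alias. HostKeyAlias and
# UserKnownHostsFile are standard OpenSSH client options.
unlock_stanza() {
    alias=$1 addr=$2 port=$3 key=$4
    cat <<EOF
#: $alias - unlock server at boot
Host $alias
    Hostname $addr
    User root
    Port $port
    IdentityFile $key
    HostKeyAlgorithms ssh-rsa
    HostKeyAlias $alias
    UserKnownHostsFile ~/.ssh/known_hosts.initramfs
    RequestTTY yes
    RemoteCommand cryptroot-unlock
EOF
}

# Default probe: succeed when HOST:PORT accepts a TCP connection.
tcp_probe() { nc -z -w 2 "$1" "$2" 2>/dev/null; }

# Call PROBE HOST PORT up to TRIES times, DELAY seconds apart.
# Return 0 as soon as the probe succeeds, 1 if it never does.
wait_for_port() {
    host=$1 port=$2 tries=${3:-30} delay=${4:-2} probe=${5:-tcp_probe}
    i=0
    while [ "$i" -lt "$tries" ]; do
        "$probe" "$host" "$port" && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    echo "$host:$port did not answer after $tries tries" >&2
    return 1
}

# Unlock via the alias, then wait for the post-boot sshd on port 22.
unlock_and_wait() {
    ssh "$1" && wait_for_port "$2" 22
}

# Usage (needs the real server, so not run here):
#   unlock_stanza unlock-foobox 192.168.0.50 2222 '~/.ssh/unlock_luks' >> ~/.ssh/config
#   unlock_and_wait unlock-foobox 192.168.0.50
```

With the stanza in place the first connection records the initramfs host key under the alias name in ~/.ssh/known_hosts.initramfs, and the normal post-boot login keeps using the default known_hosts, so the two keys never collide.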
As a seasoned expert in Linux system administration and security, I've successfully implemented and managed various encryption solutions for Linux servers, including the use of LUKS (Linux Unified Key Setup) for securing root partitions. My expertise extends to configuring headless servers, addressing remote access challenges, and optimizing server security through advanced techniques.
Now, let's delve into the concepts covered in the provided article:
LUKS (Linux Unified Key Setup)
LUKS is a disk encryption specification that helps secure data at rest. It is commonly used for encrypting Linux partitions, providing a layer of protection against unauthorized access.
Dropbear
Dropbear is a lightweight SSH server and client designed for embedded systems and environments with limited resources. In this context, it is integrated into the initramfs (initial RAM filesystem) to allow remote unlocking of an encrypted root partition.
Initramfs (Initial RAM Filesystem)
Initramfs is a temporary filesystem that is loaded into memory during the Linux kernel's boot process. It is used for various tasks, such as preparing the system for mounting the root filesystem, including essential drivers, modules, and executables.
SSH (Secure Shell)
SSH is a cryptographic network protocol that allows secure communication between two devices over an insecure network. It provides a secure alternative to traditional, unencrypted protocols such as Telnet and FTP. In this article, SSH is employed for remotely unlocking the LUKS-encrypted root partition.
SSH Keys
SSH keys are pairs of cryptographic keys (public and private) used for secure authentication between two parties. The client generates an SSH key pair, and the public key is placed on the server for authentication. In this setup, SSH keys are used to authenticate and unlock the LUKS-encrypted root partition.
Authorized Keys
The authorized_keys file contains a list of public keys that are allowed to connect to an SSH server using key-based authentication. In the context of Dropbear, the authorized_keys file in the initramfs specifies which client SSH keys are authorized to unlock the cryptroot.
Initramfs Configuration
The article emphasizes the importance of configuring the initramfs to include Dropbear and its configuration files. It also mentions updating the initramfs whenever changes are made to ensure the proper integration of Dropbear.
SSH Configuration (Dropbear.conf)
The Dropbear configuration file (dropbear.conf) is edited to set specific options, such as the timeout for disconnecting idle sessions, listening port, and disabling certain features like password logins.
Network Configuration (Initramfs.conf)
Network configuration in initramfs.conf involves specifying IP addresses, gateway, subnet mask, and hostname. This setup is crucial for establishing network connectivity during the boot process, especially in scenarios involving remote access.
SSH Alias
The article concludes by suggesting the creation of an SSH alias on the client side. This alias streamlines the process of unlocking the server at boot by encapsulating the necessary SSH connection parameters and commands.
By following these detailed instructions, users can implement a robust and secure setup for remotely unlocking a headless Linux server with an encrypted root partition using LUKS and Dropbear over SSH.