As already described in my previous post, Headless Debian install via SSH, I am dealing with a headless system. As I am encrypting my system and drives with LUKS, I need a way to enter the passphrase after a reboot.

So what is the solution?

First install Dropbear on the server with apt-get install dropbear. Then enable networking in the initramfs by editing /etc/initramfs-tools/initramfs.conf; you will probably have to add the DROPBEAR lines and update the device string. The configuration below obtains an IP address via DHCP. If you use a static configuration, use IP=<SERVER-IP>::<STANDARD-GATEWAY>:<SUBNETMASK>:<HOSTNAME>:eth0:off instead (the empty second field is the kernel's NFS server address, which is not needed here).

#
# DROPBEAR: [ y | n ]
#
# Use dropbear if available.
#
DROPBEAR=y

DEVICE=eth0
IP=:::::eth0:dhcp

Next, delete the default private and public keys that the package placed in the initramfs directory on the server:

rm /etc/initramfs-tools/root/.ssh/id_rsa
rm /etc/initramfs-tools/root/.ssh/id_rsa.pub

Then create your own key pair on your client machine (we assume you keep the default name id_rsa) and upload the public key to the server:

ssh-keygen
scp ~/.ssh/id_rsa.pub myuser@debian_headless:id_rsa.pub

After that, log in to the server, append the key to the authorized_keys file and remove the uploaded public key:

ssh myuser@debian_headless
sudo sh -c "cat id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys"
rm id_rsa.pub

Now update the initramfs and GRUB with update-initramfs -u -k all and update-grub2.
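A headless box whose initramfs fails to bring up Dropbear is unreachable until someone visits it, so it pays to verify the setup before rebooting. The following script is an added example and not part of the original post: it checks that initramfs.conf enables Dropbear and carries a well-formed IP= line (the kernel's client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf form used above, optionally followed by DNS/NTP fields), that the authorized_keys file contains only public keys, and that the built image actually contains the dropbear binary and the key file. The paths /etc/initramfs-tools/initramfs.conf and /etc/initramfs-tools/root/.ssh/authorized_keys are taken from the post; lsinitramfs is the listing tool shipped with initramfs-tools; the script name and the --run flag are choices made here.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity checks for the
# Dropbear-in-initramfs setup. Assumed paths follow the post; lsinitramfs is
# the initramfs-tools listing utility.

# Check one kernel ip= value of the form
#   client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf[:dns0:dns1:ntp0]
# Returns 0 when the field count is plausible, the device is set and the
# autoconf method is one the kernel knows.
check_ip_param() {
    _ip="$1"
    _stripped=$(printf '%s' "$_ip" | tr -d ':')
    _n=$(( ${#_ip} - ${#_stripped} + 1 ))
    if [ "$_n" -lt 7 ] || [ "$_n" -gt 10 ]; then
        echo "IP=$_ip: expected 7 to 10 colon-separated fields, got $_n" >&2
        return 1
    fi
    _client=$(printf '%s\n' "$_ip" | cut -d: -f1)
    _dev=$(printf '%s\n' "$_ip" | cut -d: -f6)
    _auto=$(printf '%s\n' "$_ip" | cut -d: -f7)
    [ -n "$_dev" ] || { echo "IP=$_ip: device field (6) is empty" >&2; return 1; }
    case "$_auto" in
        off|none|on|any|dhcp|bootp|rarp|both) ;;
        *) echo "IP=$_ip: unknown autoconf method '$_auto'" >&2; return 1 ;;
    esac
    # A static configuration (off/none) must carry the server's own address.
    if [ "$_auto" = off ] || [ "$_auto" = none ]; then
        [ -n "$_client" ] || { echo "IP=$_ip: static config without an address" >&2; return 1; }
    fi
    return 0
}

# Check initramfs.conf: DROPBEAR must be enabled and the IP= line well formed.
check_conf() {
    _conf="$1"
    grep -qx 'DROPBEAR=y' "$_conf" || { echo "$_conf: DROPBEAR=y not set" >&2; return 1; }
    _ipline=$(grep '^IP=' "$_conf" | tail -n 1)
    [ -n "$_ipline" ] || { echo "$_conf: no IP= line" >&2; return 1; }
    check_ip_param "${_ipline#IP=}"
}

# Check the authorized_keys that ends up in the image: at least one key line,
# and nothing that is not a public key (an error message or a private key
# pasted by mistake would otherwise go unnoticed until the reboot).
check_authorized_keys() {
    _f="$1"
    _keys=0
    [ -s "$_f" ] || { echo "$_f: missing or empty" >&2; return 1; }
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;
            *"ssh-ed25519 "*|*"ssh-rsa "*|*"ecdsa-sha2-nistp"*" "*|*"sk-ssh-ed25519@openssh.com "*)
                _keys=$((_keys + 1)) ;;
            *) echo "$_f: line is not a public key: ${_line%% *}" >&2; return 1 ;;
        esac
    done < "$_f"
    [ "$_keys" -gt 0 ] || { echo "$_f: no key lines" >&2; return 1; }
}

# Check a listing of the built image (one path per line on stdin, as printed
# by lsinitramfs) for the Dropbear binary and an authorized_keys file.
check_listing() {
    _bin=0
    _key=0
    while IFS= read -r _p; do
        case "$_p" in
            *sbin/dropbear) _bin=1 ;;
            *root*/.ssh/authorized_keys) _key=1 ;;
        esac
    done
    [ "$_bin" -eq 1 ] || { echo "image: dropbear binary not found" >&2; return 1; }
    [ "$_key" -eq 1 ] || { echo "image: authorized_keys not found" >&2; return 1; }
}

# Run all checks against the live system; the image defaults to the running kernel's.
check_all() {
    _img="${1:-/boot/initrd.img-$(uname -r)}"
    check_conf /etc/initramfs-tools/initramfs.conf &&
    check_authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys &&
    lsinitramfs "$_img" | check_listing
}

# Usage: sh check-unlock-setup.sh --run [initrd image]
if [ "${1:-}" = --run ]; then
    shift
    check_all "$@" && echo "initramfs unlock setup looks consistent"
fi
```

Run it as root after update-initramfs and before the reboot; any failing check prints the offending file or field on stderr and exits non-zero, which is the point at which the headless machine can still be fixed over the regular SSH session.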

On some configurations the interface that the initramfs configured is not reconfigured with the runtime values once the real system boots, so we need to force an update. Edit /etc/network/interfaces and add pre-up ip addr flush dev eth0 as the first line of the primary interface stanza.

Restart the server and log in from your client with ssh -i ~/.ssh/id_rsa root@<server-ip>; then supply the passphrase that unlocks the disk:

echo -n "<LUKS encryption password>" > /lib/cryptsetup/passfifo
exit

EDIT: on newer systems, running cryptroot-unlock suffices.

The server should now boot normally and regular SSH should come up.
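One thing to watch on the client side: Dropbear in the initramfs has its own host key, which is not the host key of the regular sshd that comes up afterwards on the same address. With a shared known_hosts file the client sees a "host key changed" warning on every other connection, and users learn to wave those warnings through. The wrapper below is an added example, not code from the original post: it keeps the initramfs host key in its own known_hosts file under its own alias, uses the id_rsa key from the post, and runs cryptroot-unlock (from the EDIT above) on a terminal so the passphrase is typed at the prompt rather than placed on a command line. The file name ~/.ssh/known_hosts.initramfs, the "-initramfs" alias and the SSH variable are choices made here.

```shell
#!/bin/sh
# Added example, not from the original post: client-side wrapper for the
# remote unlock. Assumes the key ~/.ssh/id_rsa from the post; the known_hosts
# file and the alias suffix are choices made here.
initramfs_unlock() {
    _host="$1"
    _key="${2:-$HOME/.ssh/id_rsa}"
    _kh="${3:-$HOME/.ssh/known_hosts.initramfs}"
    [ -n "$_host" ] || { echo "usage: initramfs_unlock <host> [key] [known_hosts]" >&2; return 2; }
    # -t allocates a tty so cryptroot-unlock can prompt without echoing the
    # passphrase; HostKeyAlias pins the initramfs host key separately from the
    # regular sshd key of the same host, so neither one triggers a mismatch.
    # SSH defaults to ssh and is only overridable for testing.
    "${SSH:-ssh}" -t -i "$_key" \
        -o UserKnownHostsFile="$_kh" \
        -o HostKeyAlias="${_host}-initramfs" \
        "root@${_host}" cryptroot-unlock
}

# Usage: sh unlock.sh --run <server-ip>
if [ "${1:-}" = --run ]; then
    shift
    initramfs_unlock "$@"
fi
```

The first connection still asks you to confirm the Dropbear host key fingerprint; compare it against the key under /etc/initramfs-tools on the server once, and from then on a changed fingerprint is a real warning rather than the expected noise.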

Optional

You can also add a small hook script at /etc/initramfs-tools/hooks/unlock that places a passphrase helper in the initramfs, so the passphrase is prompted for instead of typed on the command line:

#!/bin/bash
# initramfs hook: copies a helper into the image so that, after logging in
# via Dropbear, running /root/unlock prompts for the passphrase and feeds it
# to cryptsetup through the passfifo.
PREREQ=""
prereqs() {
  echo "$PREREQ"
}

case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Write the helper script; the quoted 'EOF' keeps the body verbatim.
cat > "${DESTDIR}/root/unlock" << 'EOF'
#!/bin/sh
/lib/cryptsetup/askpass 'passphrase: ' > /lib/cryptsetup/passfifo
EOF

chmod u+x "${DESTDIR}/root/unlock"

exit 0

Do not forget to make the hook executable with chmod +x /etc/initramfs-tools/hooks/unlock, then update the initramfs with update-initramfs -u -k all and run update-grub2.


Christian
