Remote Unlocking of Encrypted Disks
1. Problem statement. You have an encrypted disk and want to decrypt it during boot while not sitting in front of your computer.
The solution is sketched in dm-crypt/Specialties; below is a little more explanation. For everything that follows you must be root.
2. Required software packages. Install dropbear from the "Community" repository. Then install the following AUR packages:
3. Populate root_key. First mkdir /etc/dropbear and populate the root_key file with the public SSH keys that should be allowed to log into your machine, similar to authorized_keys for OpenSSH. I.e., you must hold the corresponding private keys on the machines you intend to use for unlocking.
4. Set up networking in GRUB. Edit /etc/default/grub and set
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=5a74247e-75e8-4c05-89a7-66454f96f974:cryptssd:allow-discards root=/dev/mapper/cryptssd ip=192.168.178.118:192.168.178.118:192.168.178.1:255.255.255.0:chieftec:eth0:none"
Then issue
grub-mkconfig -o /boot/grub/grub.cfg
to re-generate grub.cfg. The specification for "ip=" is given in Mounting the root filesystem via NFS (nfsroot). Its most important parts are:
- client-ip: IP address of the client
- server-ip: IP address of the NFS server
- gateway-ip: IP address of a gateway
- netmask: Netmask for local network interface
- hostname: Name of the client
- device: Name of network device to use
- autoconf: Method to use for autoconfiguration
5. Configure mkinitcpio. Finally, the main task. Edit /etc/mkinitcpio.conf and set
HOOKS="base udev block keymap keyboard autodetect modconf netconf dropbear encryptssh filesystems fsck"
Now call
mkinitcpio -p linux
See the Arch Wiki page on mkinitcpio. The output of mkinitcpio looks something like this:
-> Running build hook: [dropbear]
Key is a ssh-rsa key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'
Key is a ssh-dss key
Wrote key to '/etc/dropbear/dropbear_dss_host_key'
Key is a ecdsa-sha2-nistp256 key
Wrote key to '/etc/dropbear/dropbear_ecdsa_host_key'
dropbear_rsa_host_key : sha1!! e1:11:51:ce:0b:07:2b:c7:66:37:c0:b9:de:f3:80:56:64:69:cc:fd
dropbear_dss_host_key : sha1!! ca:75:42:85:f9:96:6d:db:fd:15:d1:7a:4a:ee:19:b1:ff:91:14:bb
dropbear_ecdsa_host_key : sha1!! b9:b3:c4:ee:c4:af:21:87:52:39:e8:b6:c2:a3:b7:53:0e:52:f1:85
-P, --allpresets Process all preset files in /etc/mkinitcpio.d
-r, --moduleroot <dir> Root directory for modules (default: /)
-S, --skiphooks <hooks> Skip specified hooks, comma-separated, during build
-s, --save Save build directory. (default: no)
-d, --generatedir <dir> Write generated image into <dir>
-t, --builddir <dir> Use DIR as the temporary build directory
-V, --version Display version information and exit
-v, --verbose Verbose output (default: no)
-z, --compress <program> Use an alternate compressor on the image
-> Running build hook: [encryptssh]
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
The content of /etc/dropbear is then:
$ ls -l /etc/dropbear
total 16
-rw------- 1 root root 458 Apr 1 13:24 dropbear_dss_host_key
-rw------- 1 root root 140 Apr 1 13:24 dropbear_ecdsa_host_key
-rw------- 1 root root 806 Apr 1 13:24 dropbear_rsa_host_key
-rw------- 1 root root 1572 Apr 1 12:25 root_key
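As an added check (example script written for this page, not code from the original post or from the dropbear or mkinitcpio projects): a POSIX sh script that validates the seven fields of the "ip=" parameter from step 4 and the ordering of the netconf, dropbear, encryptssh and filesystems hooks from step 5. The inputs are the post's own values, embedded so it runs stand-alone; replace them with the contents of your /etc/default/grub and /etc/mkinitcpio.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the ip=
# kernel parameter and the HOOKS order used above. Inputs below are the
# post's own values, embedded here so the script runs stand-alone.

# validate_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets in 0..255
validate_ipv4() {
    case "$1" in ""|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    _ifs="$IFS"; IFS=.; set -- $1; IFS="$_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# check_ip_param CMDLINE -> 0 if CMDLINE carries ip= with the seven fields
# client-ip:server-ip:gateway-ip:netmask:hostname:device:autoconf, every
# non-empty address field is valid IPv4 and autoconf is a value the kernel knows
check_ip_param() {
    _ip=""
    for _w in $1; do case "$_w" in ip=*) _ip="${_w#ip=}" ;; esac; done
    [ -n "$_ip" ] || { echo "ip= parameter missing" >&2; return 1; }
    _rest="$_ip:" _i=0        # trailing ':' so the last field splits like the rest
    while [ -n "$_rest" ]; do
        _f="${_rest%%:*}"; _rest="${_rest#*:}"; _i=$((_i + 1))
        case $_i in
        1|2|3|4) [ -z "$_f" ] || validate_ipv4 "$_f" ||
                 { echo "field $_i: bad address '$_f'" >&2; return 1; } ;;
        7) case "$_f" in none|off|on|any|dhcp|bootp|rarp|both) ;;
           *) echo "bad autoconf '$_f'" >&2; return 1 ;; esac ;;
        esac
    done
    [ $_i -eq 7 ] || { echo "ip= has $_i fields, expected 7" >&2; return 1; }
}

# check_hooks HOOKS -> 0 if netconf, dropbear, encryptssh and filesystems come
# in that order: network up, then sshd, then the unlock prompt, then mounting
check_hooks() {
    _i=0; _net=0; _db=0; _es=0; _fs=0
    for _h in $1; do
        _i=$((_i + 1))
        case "$_h" in netconf) _net=$_i ;; dropbear) _db=$_i ;;
                      encryptssh) _es=$_i ;; filesystems) _fs=$_i ;; esac
    done
    [ $_net -gt 0 ] && [ $_db -gt $_net ] && [ $_es -gt $_db ] && [ $_fs -gt $_es ]
}

CMDLINE='cryptdevice=UUID=5a74247e-75e8-4c05-89a7-66454f96f974:cryptssd:allow-discards root=/dev/mapper/cryptssd ip=192.168.178.118:192.168.178.118:192.168.178.1:255.255.255.0:chieftec:eth0:none'
HOOKS='base udev block keymap keyboard autodetect modconf netconf dropbear encryptssh filesystems fsck'
check_ip_param "$CMDLINE" && check_hooks "$HOOKS" && echo "remote-unlock settings look consistent"
```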
6. Usage. Use ssh root@YourComputer to connect to the dropbear server you configured above and type in the password for the encrypted disk. The connection then closes and dropbear disappears. Note that dropbear does not read your OpenSSH configuration, so blocking root login in OpenSSH has no effect on dropbear.
7. Limitations. The above set-up only unlocks the root device. Other encrypted devices, for example those listed in /etc/crypttab, cannot be unlocked by this procedure.
8. Further reading. See LUKS encrypted devices remote über Dropbear SSH öffnen (in German) and Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu Server 14.04.1 (with Static IP).