Repository: https://github.com/ceremcem/unlock-luks-partition (ceremcem; "Unlock a LUKS partition via SSH"; Shell; topics: boot, luks, luks-partition, reverse-tunnel, ssh; last pushed 2022-02-22)

# Unlock LUKS Partition with SSH

The instructions below let you boot your SERVER by connecting from your CLIENT over SSH and unlocking the encrypted root partition remotely.

**WARNING**: SSH protects the passphrase in transit, but not the endpoint you type it into. The initramfs that runs Dropbear lives on a normally unencrypted `/boot`, so anyone who can modify it (physical access, a tampered bootloader, an attacker who already had root once) can replace Dropbear or the `unlock` script with a copy that records your passphrase, and the SSH session will look perfectly normal. Use this setup only **as long as** you trust the integrity of `/boot`, and verify Dropbear's host key before typing anything: the initramfs Dropbear has its own host key, distinct from the installed system's OpenSSH key, so pin it separately (for example in its own `known_hosts` file with `StrictHostKeyChecking=yes`) instead of accepting a changed-key prompt at boot time.

### 1. Install mandatory packages (on SERVER)

```
apt-get install dropbear initramfs-tools busybox
```

On current Debian and Ubuntu releases the initramfs integration lives in the separate `dropbear-initramfs` package, which the `dropbear` metapackage pulls in.

Check that Dropbear has disabled itself in `/etc/default/dropbear` (this only stops the regular Dropbear daemon from running next to OpenSSH on the booted system; the copy inside the initramfs is unaffected):
```
NO_START=1
```


### 2. Append your desired public keys into the SERVER's authorized_keys file

Just copy and paste your public key(s) into `/etc/dropbear-initramfs/authorized_keys` on SERVER (recent releases use `/etc/dropbear/initramfs/` instead). Dropbear honours the OpenSSH `command=` option, so a line such as `command="/bin/unlock" ssh-ed25519 AAAA...` limits that key to running the unlock script created in step 3 and nothing else.


### 3. Create the unlock script 

Create the following script as `/etc/initramfs-tools/hooks/crypt_unlock.sh`

```bash
#!/bin/sh

PREREQ="dropbear"

prereqs() {
  echo "$PREREQ"
}

case "$1" in
  prereqs)
    prereqs
    exit 0
  ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
  # The quoted 'EOF' keeps every $ and backtick literal, so the text below lands in
  # the initramfs unchanged.
  cat > "${DESTDIR}/bin/unlock" <<'EOF'
#!/bin/sh
# Run the normal cryptroot script, but with our plymouth wrapper first in PATH so the
# passphrase prompt is shown on this SSH session instead of the console.
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
  # The passphrase was accepted: stop the cryptroot instance still prompting on the
  # console, so init carries on with the now-unlocked device ...
  kill $(ps | grep cryptroot | grep -v grep | awk '{print $1}')
  # ... and close the remote login shell(s)
  kill -9 $(ps | grep -- '-sh' | grep -v grep | awk '{print $1}')
  exit 0
fi
exit 1
EOF
  chmod 755 "${DESTDIR}/bin/unlock"

  # cryptroot asks "plymouth --ping" whether a splash screen is running; answering
  # "no" makes it fall back to a plain prompt on the current terminal.
  mkdir -p "${DESTDIR}/lib/unlock"
  cat > "${DESTDIR}/lib/unlock/plymouth" <<'EOF'
#!/bin/sh
[ "$1" = "--ping" ] && exit 1
/bin/plymouth "$@"
EOF
  chmod 755 "${DESTDIR}/lib/unlock/plymouth"

  echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"
fi
```

Make it executable: 

```bash
chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh
```

Create the cleanup script as `/etc/initramfs-tools/scripts/init-bottom/cleanup.sh`:

```bash
#!/bin/sh
# initramfs-tools first calls every script with "prereqs" to work out the ordering;
# answer that without doing anything.
[ "$1" = "prereqs" ] && { echo; exit 0; }
echo "Killing dropbear"
killall dropbear
exit 0
```

...and make it executable:

```bash
chmod +x /etc/initramfs-tools/scripts/init-bottom/cleanup.sh
```

### 4. Create a static IP (or skip this step to use DHCP)

Edit `/etc/initramfs-tools/initramfs.conf` to add (or change) the line: 

```
IP=192.168.1.254::192.168.1.1:255.255.255.0::eth0:off
```

This is the kernel's `ip=` syntax:

```
IP=${ip}:${server_ip}:${gateway_ip}:${netmask}:${hostname}:${eth_device}:${autoconf}
```

`server_ip` (an NFS server, unused here) and `hostname` may be left empty, which is why the example contains two `::`; `autoconf` is `off` for a static address.

> On systems with predictable interface names (udev), the device is called something like `enp0s3` rather than `eth0`, and on Debian and Ubuntu the initramfs applies the same naming. Check with `ls /sys/class/net`.

### 5. Update initramfs 

**WARNING**: Be careful if you **directly** edited `/boot/grub/grub.cfg`: the command below regenerates it, so your manual changes are **overwritten** and you may end up with a broken boot sequence. See [the important note](https://github.com/ceremcem/smith-sync/blob/master/doc/create-bootable-backup.md#important).

```
update-initramfs -u
```

This rebuilds the image for the newest installed kernel only; use `update-initramfs -u -k all` to rebuild every kernel's image.


### 6. Test 

1. Reboot your server 
2. Connect to your server via `ssh root@192.168.1.254 [-i ~/.ssh/id_rsa]`
3. Run `unlock` (the motd reminds you) and type the passphrase; on success the SSH session is closed and the boot continues.

Because the initramfs Dropbear and the booted system's OpenSSH present different host keys on the same address, a shared `known_hosts` will raise a changed-key warning every time you switch between them. Keep the initramfs key in its own file, e.g. `ssh -o UserKnownHostsFile=~/.ssh/known_hosts.initramfs root@192.168.1.254`, and check its fingerprint out of band the first time.


# Advanced configuration

### Create a Reverse Tunnel

You may want your SERVER to connect to your Link Up Server with SSH and create a reverse tunnel to its SSH server, so that you can reach your SERVER through your Link Up Server; this eliminates the need for firewall port forwarding in the procedure above.

(see [reverse-tunnel-setup.md](./reverse-tunnel-setup.md))

### Run Dropbear on additional ports 

(based on https://askubuntu.com/a/840067/371730)

1. Define extra ports:

    ```diff
    --- /usr/share/initramfs-tools/scripts/init-premount/dropbear	2018-09-22 01:55:50.963967412 +0300
    +++ /usr/share/initramfs-tools/scripts/init-premount/dropbear	2018-09-22 01:56:04.091945164 +0300
    @@ -26,7 +26,7 @@
    -    exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs
    +    exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs -p 22 -p 80
    ```

2. Update initramfs: 

    ```console 
    update-initramfs -u
    ```
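Review bot: the hunk edits `/usr/share/initramfs-tools/scripts/init-premount/dropbear`, a file owned by the dropbear-initramfs package, so the next package upgrade overwrites it without asking and the server comes back listening on port 22 only. The `-`/`+` pair already expands `$DROPBEAR_OPTIONS` on the changed line, and the Debian package reads that variable from `/etc/dropbear-initramfs/config`, so `DROPBEAR_OPTIONS="-p 22 -p 80"` there gives the same result and survives upgrades; keep `-Fs` as in the `+` line, since `-s` disables password logins on a root shell that is reachable before the disk is unlocked. The hunk also shows no context lines although its header `@@ -26,7 +26,7 @@` promises seven, so `patch` would reject it as written; either include the surrounding lines or describe the one-line edit in prose.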
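Steps 2 to 5 above each leave a file behind that is only exercised at the next reboot, and a typo in any of them means a server stuck at a passphrase prompt nobody can reach. The following preflight script is an added example, not part of the original project: it validates the `IP=` line against the kernel `ip=` field layout, checks that `authorized_keys` holds keys Dropbear will actually accept and is not group/world-writable, checks that the hook and cleanup scripts are executable, and, when run on the live system after `update-initramfs`, confirms with `lsinitramfs` that the built image contains `bin/unlock`. The Debian-style paths (`/etc/dropbear-initramfs/authorized_keys`, `/etc/initramfs-tools/...`) and the hypothetical `ROOT` argument for checking a staged tree are assumptions of this example.

```shell
#!/bin/sh
# preflight.sh: check the Dropbear/LUKS initramfs setup BEFORE rebooting (added example,
# not the project's own code). Assumed layout, Debian-style paths; ROOT defaults to /:
#   ROOT/etc/initramfs-tools/initramfs.conf                   IP= line (step 4)
#   ROOT/etc/dropbear-initramfs/authorized_keys               client keys (step 2)
#   ROOT/etc/initramfs-tools/hooks/crypt_unlock.sh            hook (step 3)
#   ROOT/etc/initramfs-tools/scripts/init-bottom/cleanup.sh   cleanup (step 3)

# valid_ipv4 ADDR: four dotted decimal octets, each 0..255
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# check_ip_line 'IP=...' [DEVICES]: validate the kernel ip= syntax used in initramfs.conf:
#   IP=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
# Stricter than the kernel: all seven fields must be present (server, gateway and
# hostname may be empty). Prints the first problem found and returns 1.
check_ip_line() {
  value=${1#IP=}; value=${value#\"}; value=${value%\"}
  devices=$2
  case $value in ''|dhcp|off|none|on|any|bootp|rarp|both) return 0 ;; esac   # whole-value forms
  old_ifs=$IFS; IFS=:; set -- $value; IFS=$old_ifs
  [ $# -eq 7 ] || { echo "IP=: expected 7 colon-separated fields, got $#"; return 1; }
  valid_ipv4 "$1" || { echo "IP=: bad client address '$1'"; return 1; }
  [ -z "$2" ] || valid_ipv4 "$2" || { echo "IP=: bad server address '$2'"; return 1; }
  [ -z "$3" ] || valid_ipv4 "$3" || { echo "IP=: bad gateway address '$3'"; return 1; }
  valid_ipv4 "$4" || { echo "IP=: bad netmask '$4'"; return 1; }
  [ -n "$6" ] || { echo "IP=: device field is empty"; return 1; }
  if [ -n "$devices" ]; then   # e.g. the output of: ls /sys/class/net
    case " $devices " in *" $6 "*) ;; *) echo "IP=: device '$6' is not one of: $devices"; return 1 ;; esac
  fi
  case $7 in off|none|on|any|dhcp|bootp|rarp|both) return 0 ;;
    *) echo "IP=: bad autoconf value '$7'"; return 1 ;; esac
}

# check_authorized_keys FILE: non-empty, not group/world-writable (Dropbear refuses such a
# file, so the key "stops working" only at the next boot), and every non-comment line must
# carry a key type Dropbear accepts; OpenSSH options such as command="..." may precede it.
check_authorized_keys() {
  f=$1
  [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
  case $(ls -ld "$f" | cut -c1-10) in
    ?????w*|????????w*) echo "$f: group/world-writable"; return 1 ;;
  esac
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) ;;
      *"ssh-ed25519 "*|*"ssh-rsa "*|*"ecdsa-sha2-nistp256 "*|*"ecdsa-sha2-nistp384 "*|*"ecdsa-sha2-nistp521 "*) n=$((n + 1)) ;;
      *) echo "$f: unrecognised key line starting '${line%% *}'"; return 1 ;;
    esac
  done < "$f"
  [ "$n" -gt 0 ] || { echo "$f: no keys found"; return 1; }
  return 0
}

# check_script FILE: present, executable and starting with #! (initramfs-tools skips
# hooks and scripts that are not executable instead of failing)
check_script() {
  [ -s "$1" ] || { echo "$1: missing or empty"; return 1; }
  [ -x "$1" ] || { echo "$1: not executable (chmod +x)"; return 1; }
  case $(head -n 1 "$1") in '#!'*) return 0 ;; *) echo "$1: no #! line"; return 1 ;; esac
}

# preflight [ROOT] [DEVICES]: run every check, print one PASS/FAIL line each, return 1 on any failure
preflight() {
  root=${1:-/}; root=${root%/}; devs=$2; rc=0
  [ -n "$devs" ] || [ -n "$root" ] || devs=$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')
  conf="$root/etc/initramfs-tools/initramfs.conf"
  ipline=$(grep '^IP=' "$conf" 2>/dev/null | tail -n 1)
  if [ -z "$ipline" ]; then echo "WARN  no IP= in $conf, initramfs will use DHCP"
  elif msg=$(check_ip_line "$ipline" "$devs"); then echo "PASS  $ipline"
  else echo "FAIL  $msg"; rc=1; fi
  ak="$root/etc/dropbear-initramfs/authorized_keys"
  if msg=$(check_authorized_keys "$ak"); then echo "PASS  $ak"; else echo "FAIL  $msg"; rc=1; fi
  for s in etc/initramfs-tools/hooks/crypt_unlock.sh etc/initramfs-tools/scripts/init-bottom/cleanup.sh; do
    if msg=$(check_script "$root/$s"); then echo "PASS  $s"; else echo "FAIL  $msg"; rc=1; fi
  done
  # After update-initramfs: confirm the built image really carries the unlock script
  img="$root/boot/initrd.img-$(uname -r)"
  if [ -f "$img" ] && command -v lsinitramfs >/dev/null 2>&1; then
    if lsinitramfs "$img" | grep -q 'bin/unlock$'; then echo "PASS  $img contains bin/unlock"
    else echo "FAIL  $img lacks bin/unlock, run update-initramfs -u"; rc=1; fi
  fi
  return $rc
}

# Usage: sh preflight.sh [ROOT] [DEVICES]   e.g.  sh preflight.sh / "$(ls /sys/class/net)"
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as root on the SERVER right before step 6 (`sh preflight.sh /`); with no DEVICES argument it takes the interface list from `/sys/class/net`, which is exactly the check the note under step 4 asks you to do by hand. The `IP=` validation is deliberately stricter than the kernel's parser: the kernel fills in defaults for missing fields, but a line that relies on that is the kind that works on one host and silently gives no network on the next.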