https://github.com/ceremcem/unlock-luks-partition

Unlock a LUKS partition via SSH
boot luks luks-partition reverse-tunnel ssh


# Unlock LUKS Partition with SSH

The instructions below let you boot your SERVER by connecting from your CLIENT over SSH and unlocking the encrypted partition remotely:

**WARNING**: Typing your disk passphrase over the network is secure (thanks to the SSH connection) **only as long as** you are completely certain that the initramfs has not been tampered with, i.e. that no MITM is intercepting the passphrase while you type it.

### 1. Install mandatory packages (on SERVER)

```
apt-get install dropbear initramfs-tools busybox
```

Check that Dropbear is disabled as a regular system service in `/etc/default/dropbear` (it should only run inside the initramfs):

```
NO_START=1
```

### 2. Append your desired public keys into the SERVER's authorized_keys file

Just copy and paste your public key(s) into `/etc/dropbear-initramfs/authorized_keys` on the SERVER.

### 3. Create the unlock script

Create the following script as `/etc/initramfs-tools/hooks/crypt_unlock.sh`

```bash
#!/bin/sh
# initramfs-tools hook: ships an "unlock" helper into the initramfs so the
# root partition can be unlocked from a Dropbear SSH session.

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

# Only install the helper when Dropbear is enabled and there is a crypttab.
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ]; then
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
# Run cryptroot with the wrapped plymouth in PATH so it prompts on this tty.
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    # Passphrase accepted: stop the cryptroot still waiting on the local
    # console, then kill the remote shell (this session) so boot continues.
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF

    chmod 755 "${DESTDIR}/bin/unlock"

    # plymouth wrapper: answer "not running" to --ping so cryptroot asks for
    # the passphrase on the SSH tty instead of the splash screen.
    # (POSIX test uses a single "=", not "==".)
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF

    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"
fi
```

Make it executable:

```bash
chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh
```

Create the cleanup script as `/etc/initramfs-tools/scripts/init-bottom/cleanup.sh`:

```bash
#!/bin/sh
# init-bottom: the root filesystem is unlocked and mounted by now, so stop
# the initramfs Dropbear before control is handed over to the real init.
echo "Killing dropbear"
killall dropbear
exit 0
```

...and make it executable:

```bash
chmod +x /etc/initramfs-tools/scripts/init-bottom/cleanup.sh
```

### 4. Create a static IP (or skip this step to use DHCP)

Edit `/etc/initramfs-tools/initramfs.conf` to add (or change) the line:

```
IP=192.168.1.254::192.168.1.1:255.255.255.0::eth0:off
```

The format is:

```
IP=${ip}::${gateway_ip}:${netmask}:[${hostname}]:${eth_device}:${autoconf}
```

(`[hostname]` can be omitted)

> In newer kernels `eth0` is renamed to something like `enp0s3`. Check the actual interface name with `ls /sys/class/net`.

### 5. Update initramfs

**WARNING**: Be careful if you **directly** edited `/boot/grub/grub.cfg`, since it will be **overwritten** by the command below and you may end up with a broken boot sequence. See [the important note](https://github.com/ceremcem/smith-sync/blob/master/doc/create-bootable-backup.md#important).

```
update-initramfs -u
```

### 6. Test

1. Reboot your server
2. Connect to your server via `ssh root@<SERVER-IP> [-i ~/.ssh/id_rsa]` (`<SERVER-IP>` is the address configured in step 4) and run `unlock`, as the initramfs motd reminds you, to enter the passphrase
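Before running `update-initramfs -u` in step 5 it is worth verifying that steps 1 to 4 are all in place, because the hook silently installs nothing when one of its preconditions is missing. The following POSIX shell script is an added example, not part of this project; the function names `check_unlock_setup`, `validate_ip_line` and `is_ipv4` are mine, and the optional root-directory argument lets you point it at a mounted backup tree instead of the live system:

```shell
#!/bin/sh
# Preflight check for the Dropbear-in-initramfs unlock setup (steps 1-4).
# Usage:  sh check_unlock_setup.sh /           # check the live system
#         sh check_unlock_setup.sh /mnt/root   # check a mounted/staged tree
# Exit status is the number of failed checks, so 0 means "ready for step 5".

# is_ipv4 ADDR: true if ADDR is four dot-separated decimal octets in 0..255
is_ipv4() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, empty octet
    esac
    oldifs="$IFS"; IFS='.'; set -- $addr; IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_ip_line VALUE: check the value of an IP= line against the layout
# from step 4, ip::gateway:netmask:[hostname]:device:autoconf (the empty
# second field is the kernel's server-ip slot; hostname may be empty).
validate_ip_line() {
    line="$1"
    ip=$(printf '%s' "$line" | cut -d: -f1)
    gw=$(printf '%s' "$line" | cut -d: -f3)
    mask=$(printf '%s' "$line" | cut -d: -f4)
    dev=$(printf '%s' "$line" | cut -d: -f6)
    autoconf=$(printf '%s' "$line" | cut -d: -f7)
    is_ipv4 "$ip" && is_ipv4 "$gw" && is_ipv4 "$mask" || return 1
    [ -n "$dev" ] || return 1
    case "$autoconf" in
        off|none|on|any|dhcp|bootp|rarp|both) return 0 ;;
        *) return 1 ;;
    esac
}

# check_unlock_setup ROOT: run every check under ROOT ("/" for the live
# system); prints one line per check and returns the number of failures.
check_unlock_setup() {
    root="${1%/}"          # strip a trailing slash so "/" becomes ""
    fails=0

    # step 1: Dropbear must not run as a regular service
    if grep -qs '^NO_START=1[[:space:]]*$' "$root/etc/default/dropbear"; then
        echo "ok   : NO_START=1 in /etc/default/dropbear"
    else
        echo "FAIL : NO_START=1 missing from /etc/default/dropbear"
        fails=$((fails + 1))
    fi

    # step 2: at least one public key for the initramfs Dropbear
    if grep -Eqs '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) ' \
            "$root/etc/dropbear-initramfs/authorized_keys"; then
        echo "ok   : public key present in /etc/dropbear-initramfs/authorized_keys"
    else
        echo "FAIL : no public key in /etc/dropbear-initramfs/authorized_keys"
        fails=$((fails + 1))
    fi

    # step 3: hook and cleanup script exist and are executable
    for f in etc/initramfs-tools/hooks/crypt_unlock.sh \
             etc/initramfs-tools/scripts/init-bottom/cleanup.sh; do
        if [ -x "$root/$f" ]; then
            echo "ok   : /$f is executable"
        else
            echo "FAIL : /$f missing or not executable"
            fails=$((fails + 1))
        fi
    done

    # the hook only installs "unlock" when /etc/crypttab is readable
    if [ -r "$root/etc/crypttab" ]; then
        echo "ok   : /etc/crypttab readable"
    else
        echo "FAIL : /etc/crypttab not readable, hook would install nothing"
        fails=$((fails + 1))
    fi

    # step 4: an IP= line, if present, must follow the documented layout
    ipline=$(sed -n 's/^IP=//p' "$root/etc/initramfs-tools/initramfs.conf" 2>/dev/null | tail -n 1)
    if [ -z "$ipline" ]; then
        echo "ok   : no IP= line, initramfs will use DHCP"
    elif validate_ip_line "$ipline"; then
        echo "ok   : IP=$ipline"
    else
        echo "FAIL : malformed IP= line: $ipline"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Run the checks when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_unlock_setup "$1"
fi
```

A non-zero exit status tells you which precondition to fix before rebuilding the initramfs; a malformed `IP=` line in particular would otherwise only show up as a server that never answers on the network after reboot.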

# Advanced configuration

### Create a Reverse Tunnel

You may want your SERVER to connect to your Link Up Server over SSH and create a reverse tunnel to its SSH server, so that you can reach your SERVER through the Link Up Server; this eliminates the need for firewall port forwarding in the process above.

(see [reverse-tunnel-setup.md](./reverse-tunnel-setup.md))

### Run Dropbear on additional ports

(based on https://askubuntu.com/a/840067/371730)

1. Define extra ports:

```diff
--- /usr/share/initramfs-tools/scripts/init-premount/dropbear 2018-09-22 01:55:50.963967412 +0300
+++ /usr/share/initramfs-tools/scripts/init-premount/dropbear 2018-09-22 01:56:04.091945164 +0300
@@ -26,7 +26,7 @@
- exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs
+ exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs -p 22 -p 80
```
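Review bot: the hunk patches `/usr/share/initramfs-tools/scripts/init-premount/dropbear`, a file owned by the dropbear-initramfs package, so the change is silently reverted by the next package upgrade and the extra port disappears from the rebuilt initramfs. The same line already expands `$DROPBEAR_OPTIONS`, so the supported way to get `-p 22 -p 80` is to set `DROPBEAR_OPTIONS="-p 22 -p 80"` in `/etc/dropbear-initramfs/config` and leave the script untouched; the `update-initramfs -u` in the next step is required either way.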

2. Update initramfs:

```console
update-initramfs -u
```