LUKS Remote Unlock
You can add a small SSH server (dropbear) to the initramfs so that a remote SSH session can submit the LUKS unlock passphrase before the root filesystem is mounted. Dropbear is a userspace daemon bundled into the initrd image, not a kernel module.
I did this on a system running Debian 12, for example:
$ cat /etc/debian_version
12.12
Install dropbear
Install the dropbear-initramfs package (it pulls in the dropbear binaries and the initramfs hook). The install will warn that the configuration is incomplete because no authorized_keys file exists yet; that is expected until the key is added below.
apt install dropbear-initramfs
Configure dropbear
In /etc/dropbear/initramfs, edit dropbear.conf with a minimal configuration to start with; the Security section below tightens it. The -c cryptroot-unlock option forces every login into the unlock helper, so a connecting client can do nothing else.
DROPBEAR_OPTIONS="-p 1234 -c cryptroot-unlock"
Dropbear help output, for reference:
Dropbear server v2022.83 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile Display the contents of bannerfile before user login
(default: none)
-r keyfile Specify hostkeys (repeatable)
defaults:
- dss /etc/dropbear/dropbear_dss_host_key
- rsa /etc/dropbear/dropbear_rsa_host_key
- ecdsa /etc/dropbear/dropbear_ecdsa_host_key
- ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R Create hostkeys as required
-F Don't fork into background
-e Pass on server process environment to child process
-E Log to stderr rather than syslog
-m Don't display the motd on login
-w Disallow root logins
-G Restrict logins to members of specified group
-s Disable password logins
-g Disable password logins for root
-B Allow blank password logins
-t Enable two-factor authentication (both password and public key required)
-T Maximum authentication tries (default 10)
-j Disable local port forwarding
-k Disable remote port forwarding
-a Allow connections to forwarded ports from any host
-c command Force executed command
-p [address:]port
Listen on specified tcp port (and optionally address),
up to 10 can be specified
(default port is 22 if none specified)
-P PidFile Create pid file PidFile
(default /var/run/dropbear.pid)
-i Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 10MB)
-K <keepalive> (0 is never, default 0, in seconds)
-I <idle_timeout> (0 is never, default 0, in seconds)
-z disable QoS
-V Version
Set default static IP address
Edit /etc/initramfs-tools/initramfs.conf and set the IP= variable. It uses the kernel ip= syntax; the interface name must be the one the kernel assigns during early boot (enp1s0 here), and a kernel command-line ip= or BOOTIF= argument overrides it.
#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#
DEVICE=
IP=192.168.15.15::192.168.15.1:255.255.255.0:SGM-DEN-SRV-07:enp1s0
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:
#    <dns0-ip>:<dns1-ip>:<ntp0-ip>
Add keys
Create and edit /etc/dropbear/initramfs/authorized_keys and add your public keys, one per line. Keep the file mode 600: dropbear rejects an authorized_keys file that is group- or world-writable. Only keys in this file can unlock the disk, because the Security section disables password logins.
Update INITRD
Rebuilding the initrd image for the running kernel is as simple as:
update-initramfs -u
Add -k all to rebuild the images for every installed kernel; otherwise an older kernel selected from the boot menu will still carry the old initrd without dropbear.
Usage: update-initramfs {-c|-d|-u} [-k version] [-v] [-b directory]
Options:
-k version Specify kernel version or 'all'
-c Create a new initramfs
-u Update an existing initramfs
-d Remove an existing initramfs
-b directory Set alternate boot directory
-v Be verbose
See update-initramfs(8) for further details.
Usage
Reboot your target so it is waiting to be unlocked.
# systemctl reboot
From your workstation
$ ping 192.168.15.15
When it comes online:
$ ssh -p 1234 root@192.168.15.15
Please unlock disk nvme0n1p3_crypt:
cryptsetup: nvme0n1p3_crypt set up successfully
Connection to 192.168.15.15 closed.
The initramfs dropbear uses its own host keys from /etc/dropbear/initramfs/, not the booted system's OpenSSH keys. Because it listens on a port other than 22, ssh stores that host key under [192.168.15.15]:1234 in known_hosts, so it does not collide with the entry for the system's sshd on port 22.
Security
Update the dropbear options to harden the defaults and limit what a connecting client can do.
DROPBEAR_OPTIONS="-p 1234 -c cryptroot-unlock"
Could be updated to
DROPBEAR_OPTIONS="-s -j -k -p 1234 -c cryptroot-unlock -I 120"
Which disables password authentication (-s, so only keys in authorized_keys work), disables local and remote port forwarding (-j -k), and drops a session that sits idle for 120 seconds (-I). Do not add -w: the unlock session has to log in as root, because cryptroot-unlock runs in the initramfs as root.
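The whole procedure above (dropbear.conf, the static IP= line, the authorized key, the initramfs rebuild) and the hardened options from this Security section, collected into one script. This is an added example, not the page's own commands or anything shipped by Debian or dropbear: the function names, the ROOT prefix for dry runs, the validate_ip_arg check and the placeholder public key are all my assumptions. Run it as root with / as the argument for a real install, or with a scratch directory to inspect the generated files first.

```sh
#!/bin/sh
# Added example: render the dropbear-initramfs settings from this page into a
# root prefix. ROOT=/ does the real thing; a scratch directory is a dry run.
set -eu

# initramfs-tools IP= value in kernel ip= syntax: client:server:gw:netmask:hostname:device
# (the server field is left empty, as on this page).
build_ip_arg() {
    # $1 client IP, $2 gateway, $3 netmask, $4 hostname, $5 interface
    printf '%s::%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Reject a broken IP= value before it ends up in an initramfs you cannot reach:
# exactly six colon-separated fields, and client IP and gateway must be dotted quads.
validate_ip_arg() {
    ip_arg=$1
    fields=$(printf '%s' "$ip_arg" | awk -F: '{print NF}')
    [ "$fields" -eq 6 ] || return 1
    client=${ip_arg%%:*}
    gw=$(printf '%s' "$ip_arg" | cut -d: -f3)
    for a in "$client" "$gw"; do
        printf '%s' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
}

# Write the hardened DROPBEAR_OPTIONS from the Security section.
write_dropbear_conf() {
    root=$1 port=$2 idle=$3
    mkdir -p "$root/etc/dropbear/initramfs"
    cat > "$root/etc/dropbear/initramfs/dropbear.conf" <<EOF
# -s no password auth, -j/-k no port forwarding, -I idle timeout in seconds,
# -c forces every login into the unlock helper.
DROPBEAR_OPTIONS="-s -j -k -p $port -c cryptroot-unlock -I $idle"
EOF
}

# Set (or replace) the IP= line in initramfs.conf and leave everything else alone.
set_initramfs_ip() {
    root=$1 ip_arg=$2
    conf="$root/etc/initramfs-tools/initramfs.conf"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    grep -v '^IP=' "$conf" > "$conf.tmp" || true
    printf 'IP=%s\n' "$ip_arg" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Append a public key once; dropbear rejects a group- or world-writable authorized_keys.
add_unlock_key() {
    root=$1 pubkey=$2
    keyfile="$root/etc/dropbear/initramfs/authorized_keys"
    mkdir -p "$(dirname "$keyfile")"
    touch "$keyfile"
    chmod 600 "$keyfile"
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# Number of authorized_keys lines equal to the given key (1 after any number of adds).
count_key() {
    grep -cxF "$2" "$1/etc/dropbear/initramfs/authorized_keys"
}

main() {
    root=$1
    ip_arg=$(build_ip_arg 192.168.15.15 192.168.15.1 255.255.255.0 SGM-DEN-SRV-07 enp1s0)
    validate_ip_arg "$ip_arg" || { echo "bad IP= value: $ip_arg" >&2; exit 1; }
    write_dropbear_conf "$root" 1234 120
    set_initramfs_ip "$root" "$ip_arg"
    # Constructed placeholder key; replace with the workstation's real public key.
    add_unlock_key "$root" "ssh-ed25519 AAAAexamplekey user@workstation"
    if [ "$root" = / ]; then
        update-initramfs -u -k all
        # Confirm the pieces actually landed in the image for the running kernel.
        lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -E 'dropbear|authorized_keys|cryptroot-unlock'
    fi
}

# Usage: sh luks-dropbear-setup.sh /          (real install, as root)
#        sh luks-dropbear-setup.sh /tmp/dry   (dry run into a scratch prefix)
[ $# -eq 0 ] || main "$@"
```

The dry run is worth doing once: the generated IP= line is the single most common way to lock yourself out, since a wrong interface name or gateway leaves the initramfs waiting for a connection that can never arrive, and the lsinitramfs check at the end confirms the key and the unlock helper are inside the image rather than only under /etc.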