Tech/HowTo/Linux Unified Key Remote Unlock

From lathama

LUKS Remote Unlock

You can add a small SSH server (dropbear) to the initramfs so that a remote SSH session can submit the unlock passphrase before the root filesystem is decrypted.


I did this on a system running Debian 12, for example:

cat /etc/debian_version
12.12


Install dropbear

Install the dropbear SSH server for the initramfs. The default install will warn about an incomplete configuration.

apt install dropbear-initramfs

Configure dropbear

Edit dropbear.conf in /etc/dropbear/initramfs, starting with a minimal setting. The options are tightened in the Security section below.

DROPBEAR_OPTIONS="-p 1234 -c cryptroot-unlock"

Dropbear help

Dropbear server v2022.83 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile   Display the contents of bannerfile before user login
                (default: none)
-r keyfile      Specify hostkeys (repeatable)
                defaults: 
                - dss /etc/dropbear/dropbear_dss_host_key
                - rsa /etc/dropbear/dropbear_rsa_host_key
                - ecdsa /etc/dropbear/dropbear_ecdsa_host_key
                - ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R              Create hostkeys as required
-F              Don't fork into background
-e              Pass on server process environment to child process
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-G              Restrict logins to members of specified group
-s              Disable password logins
-g              Disable password logins for root
-B              Allow blank password logins
-t              Enable two-factor authentication (both password and public key required)
-T              Maximum authentication tries (default 10)
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-c command      Force executed command
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 10MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-z    disable QoS
-V    Version


Set default static IP address

Edit /etc/initramfs-tools/initramfs.conf and add settings.

#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#

DEVICE=
IP=192.168.15.15::192.168.15.1:255.255.255.0:SGM-DEN-SRV-07:enp1s0
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:
#  <dns0-ip>:<dns1-ip>:<ntp0-ip>

Add keys

Create and edit /etc/dropbear/initramfs/authorized_keys and add your public keys, one per line.

Update INITRD

Rebuilding the initrd image is as simple as:

update-initramfs -u
Usage: update-initramfs {-c|-d|-u} [-k version] [-v] [-b directory]

Options:
 -k version     Specify kernel version or 'all'
 -c             Create a new initramfs
 -u             Update an existing initramfs
 -d             Remove an existing initramfs
 -b directory   Set alternate boot directory
 -v             Be verbose

See update-initramfs(8) for further details.

Usage

Reboot your target so it is waiting to be unlocked.

# systemctl reboot

From your workstation

$ ping 192.168.15.15

When it comes online:

$ ssh -p 1234 root@192.168.15.15
 Please unlock disk nvme0n1p3_crypt: 
 cryptsetup: nvme0n1p3_crypt set up successfully
 Connection to 192.168.15.15 closed.

Security

Update your dropbear options command to configure defaults and limit access.

DROPBEAR_OPTIONS="-p 1234 -c cryptroot-unlock"

Could be updated to

DROPBEAR_OPTIONS="-s -j -k -p 1234 -c cryptroot-unlock -I 120"

Here -s disables password authentication, -j and -k disable local and remote port forwarding, and -I 120 closes an idle session after 120 seconds. Rebuild the initrd with update-initramfs -u after changing the options.
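A pre-reboot audit of the three files edited above (dropbear.conf, authorized_keys and initramfs.conf), added here as an example and not part of the original page. It assumes the Debian paths shown on this page as defaults; each function also accepts an alternative path so it can be run against copies.

```shell
#!/bin/sh
# Pre-reboot audit of the dropbear-initramfs setup described on this page.
# Assumption: the Debian paths below are defaults; each function takes an
# alternative path so the checks can be run against copies or test files.

# Check that DROPBEAR_OPTIONS carries the hardening flags from the Security
# section (-s, -j, -k, -I) and still forces cryptroot-unlock as the command.
audit_dropbear_conf() {
    conf="${1:-/etc/dropbear/initramfs/dropbear.conf}"
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$conf")
    status=0
    for flag in -s -j -k -I; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "missing $flag in DROPBEAR_OPTIONS"; status=1 ;;
        esac
    done
    case " $opts " in
        *" -c cryptroot-unlock "*) ;;
        *) echo "DROPBEAR_OPTIONS does not force cryptroot-unlock"; status=1 ;;
    esac
    return $status
}

# Check that authorized_keys is non-empty and every active line is an OpenSSH
# public key (an options prefix without spaces is tolerated before the type).
audit_authorized_keys() {
    keys="${1:-/etc/dropbear/initramfs/authorized_keys}"
    [ -s "$keys" ] || { echo "no keys in $keys"; return 1; }
    bad=$(awk '!/^(#|$)/ && !/^([^ ]+ )?(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+\/=]+( |$)/ { n++ }
               END { print n + 0 }' "$keys")
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $keys"; return 1; }
}

# Check that the IP= line has the documented layout
# client-ip:server-ip:gw-ip:netmask:hostname:device (server-ip may be empty).
audit_static_ip() {
    conf="${1:-/etc/initramfs-tools/initramfs.conf}"
    ip=$(sed -n 's/^IP=//p' "$conf")
    [ -n "$ip" ] || { echo "no IP= line in $conf"; return 1; }
    printf '%s\n' "$ip" | awk -F: '
        BEGIN { q = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"; bad = 0 }
        $1 !~ q { print "client-ip is not a dotted quad"; bad = 1 }
        $3 !~ q { print "gw-ip is not a dotted quad"; bad = 1 }
        $4 !~ q { print "netmask is not a dotted quad"; bad = 1 }
        $6 == "" { print "device field is empty"; bad = 1 }
        END { exit bad }'
}
```

Source the file and run `audit_dropbear_conf && audit_authorized_keys && audit_static_ip` as root; each function prints what it found and returns non-zero on a problem, so a failing check is caught before the reboot rather than at the unlock prompt.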


Resources