LUKS Remote Unlock
You can add a small SSH server (dropbear) to the initramfs so that a remote SSH session can submit the LUKS unlock passphrase before the root filesystem is mounted.
I did this on a system running Debian 12 for example.
cat /etc/debian_version
12.12
Install dropbear
Install the dropbear SSH server for the initramfs. A default install will complain that the configuration is incomplete; the following steps fix that.
apt install dropbear-initramfs
Configure dropbear
In /etc/dropbear/initramfs, edit dropbear.conf. Start with a simple configuration; it can be tightened later (see Security below).
DROPBEAR_OPTIONS="-p 1234 -c cryptroot-unlock"
Dropbear help output:
Dropbear server v2022.83 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile   Display the contents of bannerfile before user login (default: none)
-r keyfile      Specify hostkeys (repeatable)
                defaults:
                - dss /etc/dropbear/dropbear_dss_host_key
                - rsa /etc/dropbear/dropbear_rsa_host_key
                - ecdsa /etc/dropbear/dropbear_ecdsa_host_key
                - ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R              Create hostkeys as required
-F              Don't fork into background
-e              Pass on server process environment to child process
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-G              Restrict logins to members of specified group
-s              Disable password logins
-g              Disable password logins for root
-B              Allow blank password logins
-t              Enable two-factor authentication (both password and public key required)
-T              Maximum authentication tries (default 10)
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-c command      Force executed command
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 10MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-z              disable QoS
-V              Version
Set default static IP address
Edit /etc/initramfs-tools/initramfs.conf and add an IP= setting. Its fields follow the kernel ip= syntax documented in the file's own comment; a static address is used here so the box is reachable at a known address while it waits at the unlock prompt.
#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#
DEVICE=
IP=192.168.15.15::192.168.15.1:255.255.255.0:SGM-DEN-SRV-07:enp1s0
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:
#    <dns0-ip>:<dns1-ip>:<ntp0-ip>
Add keys
Create and edit /etc/dropbear/initramfs/authorized_keys and add your public keys, one per line.
Update INITRD
Rebuilding the initrd image is as simple as:
update-initramfs -u
Usage: update-initramfs {-c|-d|-u} [-k version] [-v] [-b directory]
Options:
 -k version     Specify kernel version or 'all'
 -c             Create a new initramfs
 -u             Update an existing initramfs
 -d             Remove an existing initramfs
 -b directory   Set alternate boot directory
 -v             Be verbose
See update-initramfs(8) for further details.
Usage
Reboot your target so it is waiting to be unlocked.
# systemctl reboot
From your workstation:
$ ping 192.168.15.15
When it comes online:
$ ssh -p 1234 root@192.168.15.15
Please unlock disk nvme0n1p3_crypt:
cryptsetup: nvme0n1p3_crypt set up successfully
Connection to 192.168.15.15 closed.
Security
Update DROPBEAR_OPTIONS to set safer defaults and limit what the unlock service exposes. The simple configuration above:
DROPBEAR_OPTIONS="-p 1234 -c cryptroot-unlock"
could be updated to:
DROPBEAR_OPTIONS="-s -j -k -p 1234 -c cryptroot-unlock -I 120"
This disables password authentication (-s, so only the keys in authorized_keys work), disables local and remote port forwarding (-j and -k), and closes idle sessions after 120 seconds (-I 120). The forced command (-c cryptroot-unlock) stays, so a connecting client can only submit the passphrase, not open a shell in the initramfs.
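Added pre-flight check (example code written for this page; it is not part of the page's own steps nor of the dropbear or initramfs-tools projects): before running update-initramfs and rebooting, it validates the three hand-edited inputs from the steps above, the IP= value for initramfs.conf, the entries in an authorized_keys file, and the hardening flags from this section in a DROPBEAR_OPTIONS value. A typo in any of them is only noticed at the next reboot, when the box sits at the unlock prompt and is reachable only from the console. The sample IP= value, the sample key and the temporary file are constructed; the script does not read the real files unless you source it and point the functions at them.

```shell
#!/bin/sh
# Pre-flight checks for a dropbear-initramfs remote-unlock setup.
# Example code added to this page, not from dropbear or initramfs-tools.
# All sample values below are constructed; point the functions at the real
# /etc/initramfs-tools/initramfs.conf IP= value, the real
# /etc/dropbear/initramfs/authorized_keys and the real DROPBEAR_OPTIONS
# (e.g. by sourcing this file) to check a live configuration.

# Is $1 a well-formed dotted-quad IPv4 address? Returns 0 if so.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Validate an IP= value in the kernel ip= syntax used by initramfs.conf:
#   client-ip:server-ip:gw-ip:netmask:hostname:device[:autoconf:...]
# server-ip and gw-ip may be empty; the other four fields are required here
# because the unlock prompt is unreachable without an address, a netmask,
# a hostname and an interface. Runs in a subshell so IFS and set -f do not
# leak into the caller.
valid_ip_setting() (
    set -f
    IFS=:
    set -- $1
    [ $# -ge 6 ] || return 1
    valid_ipv4 "$1" || return 1                      # client-ip
    { [ -z "$2" ] || valid_ipv4 "$2"; } || return 1  # server-ip (optional)
    { [ -z "$3" ] || valid_ipv4 "$3"; } || return 1  # gw-ip (optional)
    valid_ipv4 "$4" || return 1                      # netmask
    [ -n "$5" ] && [ -n "$6" ]                       # hostname and device
)

# Print the hardening flags from the Security section that are missing from
# a DROPBEAR_OPTIONS value; returns 0 only when none are missing. Flags are
# expected as separate words (-s -j -k -I 120), the way the page writes them.
dropbear_hardening_gaps() {
    missing=
    for flag in -s -j -k -I; do
        case " $1 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Return 0 when every non-blank, non-comment line of the authorized_keys file
# $1 carries one of the key types dropbear accepts (ssh-ed25519, ssh-rsa,
# ecdsa-sha2-nistp256/384/521) followed by a base64 key body, optionally
# preceded by OpenSSH-style options; return 1 if any line does not.
check_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        /(^|[ \t])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))[ \t]+[A-Za-z0-9+\/=]+/ { next }
        { bad++ }
        END { exit (bad > 0) }' "$1"
}

# --- demonstration on constructed values (not a real host) ---
if valid_ip_setting "192.168.15.15::192.168.15.1:255.255.255.0:SGM-DEN-SRV-07:enp1s0"; then
    echo "IP= setting: ok"
fi
if ! valid_ip_setting "192.168.15.15::192.168.15.1:255.255.255.0::enp1s0"; then
    echo "IP= setting without a hostname: rejected"
fi

keys=$(mktemp)
cat > "$keys" <<'EOF'
# constructed sample authorized_keys: the key body is a placeholder, not a real key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER admin@workstation
EOF
check_authorized_keys "$keys" && echo "authorized_keys: all entries recognised"
rm -f "$keys"

gaps=$(dropbear_hardening_gaps "-p 1234 -c cryptroot-unlock") ||
    echo "DROPBEAR_OPTIONS missing hardening flags: $gaps"
```

Run it as a script to see the demonstration, or source it and call the three functions on the live values before update-initramfs -u. The IP= check only proves the syntax is sane; whether 192.168.15.15 and enp1s0 are right for the box still has to be verified with the ping in the Usage section.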