Remotely unlock encrypted rootfs

Posted by feas
January 14, 2018 02:52AM
So I was reading why LKML.org has been down due to a power failure while on vacation, and came across this topic.

Has anyone tried this and had luck?

8. Remotely unlock encrypted rootfs
-----------------------------------

 Thanks to Chris <debian@x.ray.net> it's possible to install a dropbear SSH
server into the initramfs, connect to this SSH server during execution of
initramfs early in the boot process, and unlock encrypted devices - even the
root device - before the boot process continues.

 This way it is possible to use an encrypted root filesystem on headless
systems where no physical access is available during boot process.

 Dropbear 0.52-1 or later is required for this to work. (Since 2015.68-1 the
functionality has its own binary package 'dropbear-initramfs'.) Consult
/usr/share/doc/dropbear-initramfs/README.initramfs from the dropbear-initramfs
package for information how to install and configure the dropbear SSH server
into the initramfs.

 You can then unlock the disk remotely via SSH with

$ ssh -tF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock

 Or, using a local gpg-encrypted key file:

$ gpg --decrypt ~/.luks/remote.key.gpg | ssh -TF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock

 That's it. Now that the encrypted root device is unlocked, the remote system
should continue with the boot process.

 You can also use the following authorized_keys(5) options in
/etc/dropbear-initramfs/authorized_keys to restrict access and avoid
users poking around:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa ...

(Be sure to rebuild the initrd afterwards: `update-initramfs -u -k all`.)

Installing dropbear SSH in the initramfs
----------------------------------------

Setup
-----

For remote unlocking to work, dropbear-initramfs has to be installed before
building the initrd.

The host keys used for the initramfs are dropbear_{dss,rsa,ecdsa}_host_key, all
three located in the /etc/dropbear-initramfs directory.  They are created
automatically if they do not exist when dropbear-initramfs is installed or
upgraded.  They can also be created manually with the following commands:

  # dropbearkey -t dss   -f /etc/dropbear-initramfs/dropbear_dss_host_key
  # dropbearkey -t rsa   -f /etc/dropbear-initramfs/dropbear_rsa_host_key
  # dropbearkey -t ecdsa -f /etc/dropbear-initramfs/dropbear_ecdsa_host_key

A warning is raised if none of these host key files exist.  (dropbear will then
fail to start.)  In case of an encrypted rootfs, you typically don't want the
initramfs SSHd to reuse the host keys of the main SSH server (those in /etc/ssh
or /etc/dropbear), since the initrd lies in /boot which, unlike /etc, is
usually not encrypted.

Set the "ip=" kernel boot parameter if you wish to use a non-default IP address
or device.  (See Documentation/filesystems/nfsroot.txt in the Linux
documentation for details.)  If "ip=none" or "ip=off", then dropbear is not
started at boot time.  On local (non NFS) boots, all network interfaces are
brought down by default once the rootfs has been mounted; however
$DROPBEAR_IFDOWN can be set to a shell pattern matching the interface(s) to
bring down, or to the special value "none" to keep all interfaces up.

Command line options are taken from the $DROPBEAR_OPTIONS variable.  For
instance add DROPBEAR_OPTIONS="-p 2222" to /etc/dropbear-initramfs/config
to change the listening port to 2222.

Password logins are disabled.  Public key(s) used for authentication are taken
from /etc/dropbear-initramfs/authorized_keys, or from
/etc/dropbear-initramfs/id_{dsa,rsa,ecdsa}.pub if the former does not exist.  A
warning is raised if no authorized keys could be found.


Unlocking procedure
-------------------

You can unlock your rootfs on bootup remotely, using SSH to log in to
the booting system while it's running with the initramfs mounted.
Consult cryptsetup's /usr/share/doc/cryptsetup/README.Debian section 8
for details.


Issues
------

You'll have to include the driver of (one of) your network card(s) in
/etc/initramfs-tools/modules.  To list all network drivers currently in use, run

  $ while read m _; do /sbin/modinfo -F filename "$m"; done </proc/modules |
    sed -nr "s@^/lib/modules/`uname -r`/kernel/drivers/net(/.*)?/([^/]+)\.ko\$@\2@p"

Don't forget to run update-initramfs when you changed the config to make it
effective!

  # update-initramfs -u -k all

Since by default the initramfs' host keys differ from those of the main SSH
server, SSH clients such as OpenSSH's might issue a "REMOTE HOST IDENTIFICATION
HAS CHANGED!" warning.  In that case you might want to use another port for the
initramfs SSHd, and/or the "UserKnownHostsFile" option to specify an
alternative known_hosts file:

  $ ssh -F ~/.luks/ssh.conf remote.system.com
  $ cat ~/.luks/ssh.conf
  Host *
    User root
    UserKnownHostsFile ~/.luks/known_hosts
    PasswordAuthentication no
    IdentityFile ~/.ssh/id_rsa

Collecting enough entropy for the SSH daemon sometimes seems to be an issue.
Startup of the SSH daemon might be delayed until enough entropy has been
retrieved. This is non-blocking for the startup process, so when you are at the
console you won't have to wait for the SSHd to complete its startup.
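The README quoted above describes the two artefacts that decide whether this setup is safe on a headless box: the restricted authorized_keys entry on the server, and the client-side ssh.conf with its own known_hosts. The following script is an added example, not code from the Debian README or from the poster, that produces both and adds the check the README only describes in prose (the initramfs sshd must not reuse the host keys of the main SSH server). Function names, the key file name id_unlock, port 2222 and the use of /etc/dropbear as the "other" dropbear key directory are this example's assumptions; every function takes its paths as arguments so it can be run against a scratch directory first.

```shell
#!/bin/sh
# Added example: helpers for a dropbear-initramfs remote-unlock setup.
# Not part of the Debian README quoted above; paths and names are assumptions.

# Turn one OpenSSH public key line into an authorized_keys entry that can do
# exactly one thing: run cryptroot-unlock. The options are the ones the README
# lists; the key comment is dropped because only type and blob matter.
# Usage: make_unlock_entry id_unlock.pub
make_unlock_entry() {
    pub=$(sed -n '1p' "$1")
    case "$pub" in
        ssh-*|ecdsa-*) ;;          # sk-* (FIDO) keys are out of scope here
        *) echo "not an OpenSSH public key line: $1" >&2; return 1 ;;
    esac
    keytype=${pub%% *}
    rest=${pub#* }
    blob=${rest%% *}
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s %s\n' \
        "$keytype" "$blob"
}

# Reject an authorized_keys file in which any key lacks the forced command:
# such a key holder gets an initramfs shell, not just an unlock prompt.
check_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *'command="/bin/cryptroot-unlock"'*) ;;
            *) echo "unrestricted key: $line" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Client side: a dedicated ssh config, as in the README, so the initramfs sshd
# gets its own known_hosts file and port and never trips the
# "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning against the main sshd.
# Usage: write_client_config ~/.luks/ssh.conf remote.system.com 2222 ~/.ssh/id_unlock
write_client_config() {
    conf=$1; host=$2; port=$3; identity=$4
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
Host $host
    User root
    Port $port
    UserKnownHostsFile $(dirname "$conf")/known_hosts
    PasswordAuthentication no
    IdentitiesOnly yes
    IdentityFile $identity
EOF
    chmod 600 "$conf"
}

# The initrd sits in unencrypted /boot, so a host key copied from the main
# server (e.g. from /etc/dropbear) would leak it. Fail if any initramfs host key
# is byte-identical to a file in the other directory. (Keys converted from
# OpenSSH format with dropbearconvert are not byte-identical; compare their
# fingerprints with dropbearkey -y and ssh-keygen -l by hand.)
check_distinct_host_keys() {
    initrd_dir=$1; other_dir=$2
    for k in "$initrd_dir"/dropbear_*_host_key; do
        [ -f "$k" ] || continue
        for s in "$other_dir"/*; do
            [ -f "$s" ] || continue
            if cmp -s "$k" "$s"; then
                echo "initramfs host key $k is identical to $s" >&2
                return 1
            fi
        done
    done
    return 0
}

# Real run on the headless host, as root: install the restricted key, verify,
# then rebuild the initrd as the README insists. Only runs when asked for.
# Usage: sh unlock-helpers.sh install /root/id_unlock.pub
install_unlock_key() {
    d=/etc/dropbear-initramfs
    make_unlock_entry "$1" > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    check_authorized_keys "$d/authorized_keys"
    check_distinct_host_keys "$d" /etc/dropbear
    update-initramfs -u -k all
}

if [ "${1:-}" = install ]; then
    install_unlock_key "$2"
fi
```

Generate the unlock key on the client as a separate key pair (the hypothetical id_unlock here) rather than reusing the admin key, so that the forced command, not the key's other uses, defines what it can do; the `-t` form of the README's ssh invocation still works with these options because a pty is not forbidden. If you set `DROPBEAR_OPTIONS="-p 2222"` in /etc/dropbear-initramfs/config, pass the same port to write_client_config.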