Remotely Unlock Fully Encrypted Debian Squeeze
Author: Stephan Jau
Revision: v1.0
Last Change: April 14, 2012
Introduction
In the past I have written several howtos for remotely unlocking fully encrypted Debian installations. With the advent of Debian Squeeze, the developers have integrated a simple way to do so. Most stuff is provided directly by Debian itself - meaning you don't need 3rd party scripts anymore. However it still involves a few steps which I describe below. Also I provide you with a bash script that will do all the steps automatically.
I recommend to test the individual steps and the script first in a VM to see how it goes.
1. Install Necessary Packages
apt-get install dropbear busybox
2. Edit /etc/initramfs-tools/initramfs.conf
Set the following parameters to the values below:
BUSYBOX=y DROPBEAR=y DEVICE=eth0 IP=10.0.0.99::10.0.0.1:255.255.255.0::eth0:off
Of course select your appropriate network device on which you want to connect to and set your according IP address, gateway and subnet mask. Those settings will only have an effect during reboot to reach the dropbear ssh server. If your machine usually uses IP address 10.0.0.43 you can still set it to 10.0.0.99. The .99 address will then only be available for remote unlocking. Once it's unlocked and the normal boot process continues, it will use the real address then. However I prefer to always use the same IP address.
3. Create Host Keys In /etc/initramfs-tools/etc/dropbear/
Upon installation of dropbear it should have created according host keys. However to make sure that they really exist, we're going to remove the existing ones and recreate them.
rm /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
rm /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
4. Create Private And Public Keys
For authenticating with dropbear, we'll create a new pair of private and public keys. So they don't mix up with the ones available when the system is booted.
rm -Rf /etc/initramfs-tools/root/.ssh
mkdir -p /etc/initramfs-tools/root/.ssh
mkdir -p /root/reboot
dropbearkey -t rsa -f /root/reboot/reboot_rsa.dropbear
/usr/lib/dropbear/dropbearconvert dropbear openssh /root/reboot/reboot_rsa.dropbear /root/reboot/reboot_rsa
dropbearkey -y -f /root/reboot/reboot_rsa.dropbear | grep "^ssh-rsa " > /root/reboot/reboot_rsa.pub
cat /root/reboot/reboot_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys
In this example you can see that I named them "reboo". You can chose any name for them, you'll just have to be sure to alter everything accordingly. In the provided bash script, you can set a prefix to name them to your wishes. I suggest to use the hostname as prefix so you know what keypair belongs to which machine.
5. Update initramfs
update-initramfs -u
6. SCP The Private Key To Local Machine
On your local machine, not the encrypted remote machine, run the following command:
scp root@REMOTE:/root/reboot/reboot_rsa ~/.ssh/
That will copy the previously generated private key to your local machine. You need the private key to unlock the remote machine upon reboot.
7. Create Unlock Script On Local Machine
Create a local shell script file with the following content. Of course replace YOURENCRYPTIONPASSWORD with the actual password to unlock the remote machine.
ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.reboot" -i ~/.ssh/reboot_rsa root@REMOTE "echo -ne \"YOURENCRYPTIONPASSWORD\" >/lib/cryptsetup/passfifo"
8. Test It
Now you have the REMOTE encrypted machine prepared, you have stored the private key on your local machine and you created a little script to login into the remote machine and provide the LUKS password to it.
Reboot now your remote encrypted machine and when it asks for the encryption password, just run that script created in step 7 on your local machine.
To read more about it, you can find the info in the /usr/share/doc/cryptsetup/README.remote.gz file.
Bash Script
As mentioned at the beginning, I also provide you with a bash script that does all the steps. Simply download the attached bash script, put it onto your encrypted Debian, edit the top part and set your prefix, network device and network settings. Save it, make it executable and run it as root.
Bash script: debian_crypto
