Unlocking a LUKS-encrypted partition via ssh on Debian 10 and Debian 11

image of ssh connecting and asking for LUKS unlock passphrase

Update: since writing this, I've also tested it on Debian 11 RC2. I had a bit of a hiccup with it on a Raspberry Pi 4, but I've got it to work using these intructions on both the RPi and a VM (amd64) installation.

I wanted to encrypt some Linux machines with LUKS, but still have the ability to reboot them remotely, without needing to be in front of them to enter decryption keys.

A KVM switch would be one option, but being able to do ssh at an early stage in the boot process is another (and was more convenient for me, since I don't have an IP KVM).

This is what worked for me, on a fresh installation of Debian 10, with LUKS already set up and tested.

Work in progress!

Although these steps worked for me, and I tested them on a second fresh installation to make sure, they might not work for you. I'll update this post, or link out to other posts, if I make changes to this for other situations.

Steps

I installed dropbear-initramfs.

apt update && apt install dropbear-initramfs -y

Ignore the warning:

dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!

Add the config for dropbear:

echo 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"' > /etc/dropbear-initramfs/config

(If you wanted different options, like a timeout (e.g. -I 60) or to change the default port (e.g. -p 2222), set them here too.)

On the machine from which you want to log in (e.g. a client machine), generate a keypair:

ssh-keygen -f /path/to/store/keyname

This probably defaults to ~/.ssh/ and the default key name is probably id_rsa. I tend to give a key a unique and obvious name.

Back on the server, copy the public key to /etc/dropbear-initramfs/authorized_keys:

echo 'PASTE YOUR PUBLIC KEY HERE' > /etc/dropbear-initramfs/authorized_keys

(You could probably also use ssh-copy-id -i /path/to/store/keyname [user@luksmachine] and then append the key to /etc/dropbear-initramfs/authorized_keys if you wanted.)

Edit your grub config:

vim /etc/default/grub

Comment out the line GRUB_CMDLINE_LINUX_DEFAULT and replace it with the network configuration, in the form: ‘ip=ip_address_of_server::gateway:mask:hostname:interface:none:’

So I used:

GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=192.168.8.11::192.168.8.1:255.255.255.0:luks:enp0s3:none:"

(You can probably do this via DHCP instead of a static IP. I haven't tested it though.) You can also do this via DHCP. I used:

quiet ip=:::::enpos3:dhcp

Update grub:

update-grub

If you don't have /usr/sbin in your PATH (a bugbear of mine with Debian 10), add it now:

echo 'export PATH=$PATH:/usr/sbin' >> ~/.bashrc

Then apply the changes made to ~/.bashrc:

source ~/.bashrc

Finally update initramfs:

update-initramfs -k all -u

And reboot the machine:

systemctl reboot

You should now be able to log in via ssh with:

ssh -i /path/to/store/keyname UserKnownHostsFile=/dev/null root@server_ip

(The UserKnownHostsFile=/dev/null is to suppress the warning you would get otherwise about changing host keys.)

With a bit of luck, you should be prompted for your key passphrase (if you set one), and, once accepted, you should be connected to the machine.

If so, hopefully you'll be prompted for the key to unlock the disk.

(I have not tried to make this part of the ssh command, but I expect that that is possible if you wanted to do it.)

After that, you'll see the ssh connection drop, and you can — once the machine has booted – log in with your normal ssh credentials.


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.