
Remote LUKS Unlocking with Dropbear SSH

Learn how to remotely unlock LUKS-encrypted LVM volumes using Dropbear SSH on Ubuntu Server. This guide covers everything from installing the required packages to configuring Dropbear SSH in the initramfs and connecting from a client to enter the passphrase.

  • Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu Server 22.04.3 LTS

Install Requirements

su 
apt update
apt upgrade
apt-get install dropbear-initramfs initramfs-tools busybox

Configure /etc/initramfs-tools/initramfs.conf

cat << "EOF" >> /etc/initramfs-tools/initramfs.conf
### Cryptsetup / Dropbear / Initramfs
# Static address for the initramfs; the kernel ip= syntax is
# client:server:gateway:netmask:hostname:device:autoconf
IP=192.168.1.181::192.168.1.1:255.255.255.0:server:enp4s0:off
EOF

Create / Generate Dropbear Keys

Note: host keys are already present in /etc/dropbear/initramfs/, as they were generated automatically when the dropbear-initramfs package was installed, so there is no need to create new ones as other guides tell you to do. The commands below are only needed if the keys are missing.

# DSS (DSA) host keys are obsolete and rejected by current OpenSSH clients; skip this one unless a legacy client needs it
dropbearkey -t dss -f /etc/dropbear/initramfs/dropbear_dss_host_key
dropbearkey -t rsa -f /etc/dropbear/initramfs/dropbear_rsa_host_key
dropbearkey -t ecdsa -f /etc/dropbear/initramfs/dropbear_ecdsa_host_key
dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key

Script: Create cleanup.sh

# init-bottom script: runs right before the real root filesystem is handed over to init
cat << "EOF" > /etc/initramfs-tools/scripts/init-bottom/cleanup.sh
#!/bin/sh
# initramfs-tools calls every script with "prereqs" at build time to work out ordering;
# answer that call without touching the running system
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac

echo "Killing dropbear"
pkill -9 dropbear
exit 0
EOF

Main Script: Unlock the LUKS encrypted LVM, create the initramfs hook

cat << 'END_SCRIPT' > /etc/initramfs-tools/hooks/crypt_unlock.sh
#!/bin/sh

PREREQ="dropbear"
 
prereqs() {
    echo "$PREREQ"
}
 
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
 
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
 
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    cat > "${DESTDIR}/bin/unlock" << 'INNER_EOF'
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill "$(ps | grep cryptroot | grep -v "grep" | awk '{print $1}')"
    # following line kill the remote shell right after the passphrase has
    # been entered.
    kill -9 "$(ps | grep "\-sh" | grep -v "grep" | awk '{print $1}')"
    exit 0
fi
exit 1
INNER_EOF
 
    chmod 755 "${DESTDIR}/bin/unlock"
 
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << 'INNER_EOF'
#!/bin/sh
# POSIX test uses a single "="; "==" is a bash extension
[ "$1" = "--ping" ] && exit 1
/bin/plymouth "$@"
INNER_EOF
 
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"
 
    echo "To unlock root-partition run 'unlock'" >> "${DESTDIR}/etc/motd"
fi
END_SCRIPT

Make cleanup.sh and crypt_unlock.sh executable

chmod +x /etc/initramfs-tools/scripts/init-bottom/cleanup.sh
chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Add SSH Keys To authorized_keys

cp ~/.ssh/authorized_keys /etc/dropbear/initramfs/

Optional: Samsung laptop - fix i915 GPU driver errors during boot

# /plain/ fetches the raw blob; the /tree/ path returns cgit's HTML view, not the firmware
wget https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/i915/dg2_huc_gsc.bin
# firmware blobs are read by the kernel, no execute bit is needed
mv dg2_huc_gsc.bin /lib/firmware/i915/

Disable the Dropbear system service, so only OpenSSH serves the booted system

Note: This is not necessary if OpenSSH was already installed and only dropbear-initramfs is present.

# NO_START lives in /etc/default/dropbear (the dropbear service package), not in the initramfs dropbear.conf;
# the file only exists when the full dropbear service package is installed
sed -i -e 's/NO_START=0/NO_START=1/' /etc/default/dropbear

Server: Configure Dropbear options (DROPBEAR_OPTIONS)

Option    Description
-I 600    Disconnect the session if no traffic is transmitted or received for 600 seconds
-j        Disable local port forwarding
-k        Disable remote port forwarding
-p 2222   Listen on port 2222
-s        Disable password logins

Set DROPBEAR_OPTIONS to listen on port 2222 with the hardening flags above

sed -i 's/#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"/g' /etc/dropbear/initramfs/dropbear.conf

Bring the initramfs interface down (ifconfig 0.0.0.0 down) after the unlock, so the leftover address does not break networking and resolv.conf in the booted system

# interface name must match the device field of the IP= line above (enp4s0);
# note that this file is package-owned and is overwritten when dropbear-initramfs is upgraded
echo "ifconfig enp4s0 0.0.0.0 down" >> /usr/share/initramfs-tools/scripts/init-bottom/dropbear
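Before rebuilding the initramfs it is worth checking the two files edited above. The following checker is an added example and is not part of the original guide: the function names are mine, the file formats are those of dropbear-initramfs and initramfs-tools, and the paths in the usage line are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check the Dropbear
# initramfs config before running update-initramfs.

# Succeeds only if DROPBEAR_OPTIONS is uncommented and carries the flags used
# above: -s (no password logins), -j and -k (no forwarding), -p <port>.
check_dropbear_options() {
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$1")
    if [ -z "$opts" ]; then
        echo "DROPBEAR_OPTIONS is unset or still commented out in $1"
        return 1
    fi
    rc=0
    for flag in -s -j -k -p; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "DROPBEAR_OPTIONS lacks $flag"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Succeeds only if the last IP= line in $1 has the seven colon-separated
# fields the kernel expects and names a device; prints the device on success.
check_ip_line() {
    spec=$(grep '^IP=' "$1" | tail -n 1 | sed 's/^IP=//')
    if [ -z "$spec" ]; then
        echo "no IP= line in $1"
        return 1
    fi
    fields=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    if [ "$fields" -ne 7 ]; then
        echo "IP= has $fields fields, expected 7: $spec"
        return 1
    fi
    device=$(printf '%s\n' "$spec" | cut -d: -f6)
    if [ -z "$device" ]; then
        echo "IP= names no network device: $spec"
        return 1
    fi
    echo "$device"
}

# Usage: sh check_dropbear.sh /etc/dropbear/initramfs/dropbear.conf /etc/initramfs-tools/initramfs.conf
if [ "$#" -eq 2 ]; then
    check_dropbear_options "$1" && check_ip_line "$2" >/dev/null && echo "config looks sane"
fi
```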

Rebuild the initramfs, update the GRUB configuration and reboot

# drop the "2> /dev/null" while debugging: it hides errors from the hook and init-bottom scripts
update-initramfs -u -k all 2> /dev/null
update-grub
reboot

Client: Connect to the server and unlock the LUKS container (rootfs)

# alias name must match the command used to connect
alias unlock-server="ssh -p 2222 root@server"
unlock-server
# at the initramfs shell, as the motd says, run:
unlock