How to unlock LUKS root via SSH

De GiLUG
La revisió el 11:53, 16 nov 2013 per Narcisgarcia (discussió | contribucions)
(dif) ← Versió més antiga | Versió actual (dif) | Versió més nova → (dif)
Salta a: navegació, cerca

Català - Castellano - English


Introduction: This is a simple guide to give access to the net, to introduce the passphrase (password) in the boot of a system already encrypted including the root. In this way is not a requirement to go in person to write it with the keyboard.

Notes:

  • Tested with Debian GNU/Linux 7 (wheezy), but the method should work with older versions and other GNU distributions with Linux.
  • It's important to consider that, having the kernel with the decrypter in a non-encrypted partition, is a weak point. The most secure method is to have ALL the hard disk encrypted, and then boot in person with an external memory (such as /boot in a pendrive) and, when having unlocked the system, take that memory with the software intact in our hands.

Prepare the remote LUKS unlocking

From the encrypted system

  • Install the software for the SSH service and Shell commands interpreter:
apt-get install dropbear busybox
  • Configure the net to the kernel boot stage, setting this variable at the file /etc/default/grub
GRUB_CMDLINE_LINUX="ip=192.168.1.33::192.168.1.1:255.255.255.0::eth0:none"

(Example for an IP address 192.168.1.33, gateway 192.168.1.1 and net device eth0)

  • Update boot manager with the new data for the kernel:
update-grub
  • Copy the special entry certificate to the remote computer, from which you will ask for unlocking:
scp -P 22 /etc/initramfs-tools/root/.ssh/initramfs_rsa RemoteUser@RemoteComputer:/home/RemoteUser/encrypted.example.net_initramfs-rsa

(Example with RemoteUser of the IP RemoteComputer and labelling the server as encrypted.example.net)

In the remote system

(computer from where you want to send the unlocking command)

  • (optional) For security, move the certificate to the superuser profile (root):
mkdir -p /root/.ssh
mv ~/*_initramfs-rsa /root/.ssh/
  • Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line):
ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ip addr flush dev eth0 &"

(Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system)

Other sources