How to unlock LUKS root via SSH: Diferència entre les revisions

De GiLUG
Dreceres ràpides: navegació, cerca
(First translation)
 
 
Línia 34: Línia 34:
  
 
* Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line):
 
* Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line):
  ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ifconfig eth0 down &"
+
  ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ip addr flush dev eth0 &"
 
(Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system)
 
(Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system)
  
 
== Other sources ==
 
== Other sources ==
 
* [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt Kernel command line] (values for the network configuration)
 
* [https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt Kernel command line] (values for the network configuration)

Revisió de 12:53, 16 nov 2013

Català - Castellano - English


Introduction: This is a simple guide to give access to the net, to introduce the passphrase (password) in the boot of a system already encrypted including the root. In this way is not a requirement to go in person to write it with the keyboard.

Notes:

  • Tested with Debian GNU/Linux 7 (wheezy), but the method should work with older versions and other GNU distributions with Linux.
  • It's important to consider that, having the kernel with the decrypter in a non-encrypted partition, is a weak point. The most secure method is to have ALL the hard disk encrypted, and then boot in person with an external memory (such as /boot in a pendrive) and, when having unlocked the system, take that memory with the software intact in our hands.

Prepare the remote LUKS unlocking

From the encrypted system

  • Install the software for the SSH service and Shell commands interpreter:
apt-get install dropbear busybox
  • Configure the net to the kernel boot stage, setting this variable at the file /etc/default/grub
GRUB_CMDLINE_LINUX="ip=192.168.1.33::192.168.1.1:255.255.255.0::eth0:none"

(Example for an IP address 192.168.1.33, gateway 192.168.1.1 and net device eth0)

  • Update boot manager with the new data for the kernel:
update-grub
  • Copy the special entry certificate to the remote computer, from which you will ask for unlocking:
scp -P 22 /etc/initramfs-tools/root/.ssh/initramfs_rsa RemoteUser@RemoteComputer:/home/RemoteUser/encrypted.example.net_initramfs-rsa

(Example with RemoteUser of the IP RemoteComputer and labelling the server as encrypted.example.net)

In the remote system

(computer from where you want to send the unlocking command)

  • (optional) For security, move the certificate to the superuser profile (root):
mkdir -p /root/.ssh
mv ~/*_initramfs-rsa /root/.ssh/
  • Instruction to give (with the example data) when the encrypted system waits for the passphrase (large line):
ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ip addr flush dev eth0 &"

(Example with password 1234, and that deconfigures the net of the encrypted system to not interferes in the normal system)

Other sources