How to unlock LUKS root via SSH
Introduction: This is a simple guide to enabling network access during boot so that the passphrase (password) of an already encrypted system, root filesystem included, can be entered remotely. That way there is no need to be physically present to type it on the keyboard.
- Tested with Debian GNU/Linux 7 (wheezy), but the method should work with older versions and with other GNU/Linux distributions.
- It's important to consider that keeping the kernel and the decryption software on an unencrypted partition is a weak point. The most secure approach is to encrypt the ENTIRE hard disk, boot in person from external media (for example with /boot on a USB stick) and, once the system is unlocked, take that media, with its boot software intact, away with you.
Prepare the remote LUKS unlocking
On the encrypted system
- Install the SSH service and the shell command interpreter:
apt-get install dropbear busybox
- Configure networking for the kernel boot stage by setting this variable in the file /etc/default/grub
(Example for an IP address 192.168.1.33, gateway 192.168.1.1 and net device eth0)
- Update the boot manager with the new kernel data:
- Copy the dedicated login key for the initramfs (the "certificate", an SSH private key) to the remote computer from which you will request the unlock:
scp -P 22 /etc/initramfs-tools/root/.ssh/initramfs_rsa RemoteUser@RemoteComputer:/home/RemoteUser/encrypted.example.net_initramfs-rsa
(Example with user RemoteUser on the host RemoteComputer, labelling the server as encrypted.example.net)
On the remote system
(the computer from which you want to send the unlock command)
- (optional) For security, move the key to the superuser (root) profile:
mkdir -p /root/.ssh
mv ~/*_initramfs-rsa /root/.ssh/
- Command to run (with the example data) when the encrypted system is waiting for the passphrase (single long line):
ssh -o "UserKnownHostsFile=/root/.ssh/known_hosts.initramfs" -i "/root/.ssh/encrypted.example.net_initramfs-rsa" root@encrypted.example.net "echo -ne \"1234\" >/lib/cryptsetup/passfifo ; ifconfig eth0 down &"
(Example with passphrase 1234; the final command brings the encrypted system's network interface down so that the initramfs configuration does not interfere with the normal system's networking once it boots)
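The unlock command above puts the passphrase on the ssh command line, where it ends up in shell history and in the remote system's process list, and it assumes dropbear is already listening. The script below is an added example (not part of this guide) of a remote-side helper that reads the passphrase from the terminal, feeds it over stdin and retries until the initramfs answers; it also checks the shape of the kernel "ip=" value used in the GRUB configuration step. It assumes dropbear accepts root logins on port 22, that the separate known_hosts file is used because the initramfs host key differs from the booted system's, and that awk is available.

```shell
#!/bin/sh
# Remote-side unlock helper (added example, not part of the original guide).
# Assumptions: dropbear in the initramfs listens on port 22 of HOST as root,
# its host key lives in its own known_hosts file (it differs from the booted
# system's key, so a shared file would raise a key-changed warning), and the
# passphrase is read from the terminal and sent over stdin rather than placed
# on the ssh command line.

KEY="/root/.ssh/encrypted.example.net_initramfs-rsa"
KNOWN_HOSTS="/root/.ssh/known_hosts.initramfs"
PASSFIFO="/lib/cryptsetup/passfifo"

# Compose the ssh command line; it is printed rather than executed so that it
# can be reviewed. The remote "cat" copies stdin byte for byte into passfifo,
# matching the guide's "echo -ne" (no trailing newline).
build_unlock_cmd() {
    host="$1"; key="$2"; known_hosts="$3"; dev="$4"
    printf 'ssh -o UserKnownHostsFile=%s -o ConnectTimeout=5 -i %s root@%s "cat >%s ; ifconfig %s down &"' \
        "$known_hosts" "$key" "$host" "$PASSFIFO" "$dev"
}

# Sanity-check a kernel "ip=" value before putting it in /etc/default/grub.
# The kernel expects ip=client:server:gateway:netmask:hostname:device:autoconf,
# i.e. seven colon-separated fields (empty fields are allowed).
check_ip_param() {
    case "$1" in ip=*) ;; *) return 1 ;; esac
    fields=$(printf '%s' "${1#ip=}" | awk -F: '{ print NF }')
    [ "$fields" -eq 7 ]
}

# Prompt for the passphrase with echo off and retry until dropbear answers
# (the initramfs may not have finished bringing the network up yet).
unlock() {
    host="$1"; dev="${2:-eth0}"
    printf 'LUKS passphrase for %s: ' "$host" >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    cmd=$(build_unlock_cmd "$host" "$KEY" "$KNOWN_HOSTS" "$dev")
    for attempt in 1 2 3 4 5 6; do
        printf '%s' "$pass" | eval "$cmd" && return 0
        sleep 5
    done
    echo "giving up: $host did not accept the unlock command" >&2
    return 1
}

# Usage: ./unlock.sh encrypted.example.net [eth0]
if [ "$#" -gt 0 ]; then unlock "$@"; fi
```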
- Kernel command line (values for the network configuration)