Unlock full-encrypted system via SSH

A complete encryption of your own system is an excellent way to ensure the confidentiality of your own data. The current Ubuntu installer offers a guided installation to encrypt the entire system with ” encrypted LVMs “. For both the automated installation and the manual way, there are numerous detailed guides that explain the facility.

The advantage of using LVMs is that only one password is required to unlock all logical volumesmust be entered. This unlocks the crypto-device containing the volume group and logical volumes for eg “/ root” and “/ home”. For successful booting, only an unencrypted boot partition is needed. When the server is booted, the password for unlocking the crypto device is then requested (“Pre-boot authentication”). Since no file system is available except “/ boot”, it is not possible to unlock the system via a remote connection. The password must be entered via a connected keyboard, which can be problematic for a server. The configuration described in this article therefore prevents a completely encrypted Ubuntu from

More specifically, this article explains how a fully encrypted Ubuntu Server 14.04 can be unlocked via SSH connection . For this purpose, a small SSH server called “dropbear” ^is installed and set up, which is already available at the time of initramfs . Some information in this guide can also be found in “/ usr / share / doc / cryptsetup” in the file “README.remote.gz” (” unlocking rootfs via ssh login in initramfs “).

installation

The dropbear SSH server is installed via “apt”:

sudo apt-get install dropbear

configuration

First, in the file “/etc/initramfs-tools/initramfs.conf” is the line

DROPBEAR = y

inserted.

Attention: All configurations regarding the initramfs have to be updated via “update-initramfs”:

sudo update-initramfs -u

Network Configuration

The network configuration for remote access to the server is performed in the following file:

/etc/initramfs-tools/initramfs.conf

The detailed rules for configuring the device can be found under nfsroot.txt . For example, the following line can be added for DHCP:

# 
# DEVICE: ... 
# 
# Specify the network interface, like eth0 
# 
DEVICE = eth1
 IP = ::::: eth1: dhcp

For a static address, the line must be changed as follows:

DEVICE = eth1
 IP = 192.168.56.101:::255.255.255.0::eth1:off

Again an update of the initramfs is done:

sudo update-initramfs -u

Now the network device is already configured before polling the password for the crypto device.

SSH access to Dropbear

Dropbear creates several keys during installation. The host key for identification of the server is located in:

lvtest @ubuntu: ~ $ ls / etc / initramfs-tools / etc / dropbear /
dropbear_dss_host_key dropbear_rsa_host_key

In addition, RSA keys are automatically generated for public-key authentication. These are stored in the following directory:

lvtest @ ubuntu: ~ $ ls /etc/initramfs-tools/root/.ssh/
authorized_keys id_rsa id_rsa.pub

The private key “id_rsa” can be used to access the server from the client. He has to be transferred to the client via a secure path.

Attention: The private key of Dropbear is unencrypted, if the file “id_rsa” should be stolen by an attacker, it has direct access to the Dropbear SSH server. Since Dropbear is compatible with openssh keys, it is recommended that you create your own SSH key pair on the client and then add the public key to the “Authorized Keys” file of Dropbear ( see also SSH_Key_Login ) (on the client):

ssh-keygen 
Generating public / private rsa key pair.
Enter file in which to save the key ( /home/client/.ssh/id_rsa ) : /home/client/.ssh/dropbear/id_rsa_initram
Enter passphrase ( empty for no passphrase ) :
Enter same passphrase again: 
Your identification has been saved in /home/client/.ssh/dropbear/id_rsa_initram.
Your public key has been saved in /home/client/.ssh/dropbear/id_rsa_initram.pub.

Important: The use of a password ensures the encryption of the private key using the AES-CBC 128-bit key. The private key can thus only be used after the password has been entered successfully, since the file “id_rsa_initram” is not available in plain text. The public key can now be copied to the server:

client @ test: ~ $ scp /home/client/.ssh/dropbear/id_rsa_initram.pub lvtest@192.168.56.101: / home / lvtest 
lvtest@192.168.56.101 ' s password:
id_rsa_initram.pub 100%   396      0.4KB / s 00:00

In order for us to access the server, we add (on the server) the client created public key to the “Authorized Keys” file of Dropbear:

lvtest @ ubuntu: ~ $ sudo su
root @ ubuntu: / home / lvtest # cat id_rsa_initram.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys

Now the server can be restarted and a connection test carried out with the key pair just created:

client @ test: ~ $ ssh -i .ssh / dropbear / id_rsa_initram -o UserKnownHostsFile = .ssh / dropbear / known_hosts root@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can not be established. 
RSA key fingerprint is 03: 92: 1f: 35: fc: e2: 2b: db: ac: 9b: b7: 03: ba: 37: e5: f1. 
Are you sure you want to continue connecting (yes / no)? yes 
Warning: Permanently added ' 192.168.56.101 ' (RSA) to the list of known hosts.


BusyBox v1.21.1 (Ubuntu 1: 1.21.0-1ubuntu1) built-in shell (ash) 
Enter ' help '  for a list of built-in commands.

#

So the test was successful and we get on the server a BusyBox shell, which we use later for unlocking the crypto-device.

Unlock the crypto device

If the connection test to Dropbear has been successful, the actual unlocking of the encrypted LVMs can be done. Due to a bug in Ubuntu’s Plymouth, however, there are still some lines left in

/ Usr / share / initramfs-tools / scripts / local-top / cryptroot

be commented out. Which lines are that can also be found in post # 5 under [1] (after line 289):

if  [ -z " $ c ryptkeyscript"  ] ;  then 
   cryptkey = "Unlocking the disk $ c ryptsource ( $ c rypttarget) \ nEnter passphrase:" 
   #if [-x / bin / plymouth] && plymouth --ping; then 
   # cryptkeyscript = "plymouth ask-for-password --prompt" 
   # cryptkey = $ (echo -e "$ cryptkey") 
   #else 
    cryptkeyscript = "/ lib / cryptsetup / askpass" 
   #fi 
  fi

Attention: After commenting out the lines, the unlocking of the crypto devices only works remotely and no longer locally! It is therefore essential that all previous settings have been checked (preferably individually and consecutively):

1. Successful installation
2. Network configuration of the device
3. Access to Dropbear via SSH with public-key authentication
4. Local unlocking of crypto-devices

If, for example, the configuration of the SSH server or the network device fails, a physical access to the server is required and the password must be entered with an attached keyboard. The patch of the Plymouth bug may therefore only be carried out if the other settings work safely!

Another possibility would be the creation of a hook script, but this variant was not verified by the author of this wiki article and is therefore only to be tested at your own risk. Finally, update the initramfs configuration again:

sudo update-initramfs -u

Now we connect back to the server via SSH (Dropbear) and get to BusyBox Shell:

client @ test: ~ $ ssh -i .ssh / dropbear / id_rsa_initram -o UserKnownHostsFile = .ssh / dropbear / known_hosts root@192.168.56.101

BusyBox v1.21.1 ( Ubuntu 1: 1.21.0-1ubuntu1 ) built-in shell ( ash ) 
Enter 'help'  for a list of built-in commands.

There we unlock our encrypted LVMs with the following commands, whereby the password “encryptiontest” has to be replaced by the own one chosen when creating the crypto-device. For ensemble there are 2 possibilities:

• / Lib / cryptsetup / passfifo

# echo -n "encryptiontest"> / lib / cryptsetup / passfifo

• / Lib / cryptsetup / askpass

The variant without echo , and thus without the password appearing, looks like this:

# / lib / cryptsetup / askpass "passphrase:"> / lib / cryptsetup / passfifo 
passphrase:

For passphrase , the password must be entered.

Then the devices are unlocked and the server continues booting. Now runs on the server another, “conventional” SSH server (usually openssh), you can connect to this as usual. If an openssh server is already running when Dropbear is installed, Dropbear quits automatically after the server has completely booted. The command sequence can then be completed in one step:

ssh -i .ssh / dropbear / id_rsa_initram -o UserKnownHostsFile = .ssh / dropbear / known_hosts root@192.168.56.101 "echo -ne \" encryptiontest \ "> / lib / cryptsetup / passfifo"

Using a custom Known Hosts file is recommended because Dropbear uses a different fingerprint than the openssh server. If Dropbear and openssh do not use different “Known-Host” files, the following warning will appear:

ssh -i .ssh / dropbear / id_rsa_initram root@192.168.56.101 "echo -ne \" encryptiontest \ "> / lib / cryptsetup / passfifo"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

This warning has its origin in that now the standard file “~ / .ssh / known_hosts” is used, in which the fingerprint of the openssh server is. It is therefore advisable for the Dropbear and openssh servers to use different “Known Host” files.