In addition,\u00a0RSA\u00a0keys\u00a0are automatically\u00a0generated\u00a0for public-key authentication.\u00a0These are stored in the following directory:<\/p>\n
\n
lvtest @ ubuntu: ~ $ ls \/etc\/initramfs-tools\/root\/.ssh\/\r\nauthorized_keys id_rsa id_rsa.pub\r\n<\/pre>\n<\/div>\nThe private key “id_rsa” can be used to access the server from the client.\u00a0He has to be transferred to the client via a secure path.<\/p>\n
Attention:<\/b>\u00a0The private key of Dropbear is unencrypted, if the file “id_rsa” should be stolen by an attacker, it has direct access to the Dropbear SSH server.\u00a0Since Dropbear is compatible with openssh keys, it is recommended that you create your own SSH key pair on the client and then add the public key to the “Authorized Keys” file of Dropbear (\u00a0see also SSH_Key_Login\u00a0) (on the client):<\/p>\n\n
ssh-keygen \r\nGenerating public \/ private rsa key pair.\r\nEnter file in which to save the key (<\/span> \/home\/client\/.ssh\/id_rsa )<\/span> : \/home\/client\/.ssh\/dropbear\/id_rsa_initram\r\nEnter passphrase (<\/span> empty for<\/span> no passphrase )<\/span> :\r\nEnter same passphrase again: \r\nYour identification has been saved in \/home\/client\/.ssh\/dropbear\/id_rsa_initram.\r\nYour public key has been saved in \/home\/client\/.ssh\/dropbear\/id_rsa_initram.pub.\r\n<\/pre>\n<\/div>\nImportant:<\/b>\u00a0The use of a password ensures the encryption of the private key using the AES-CBC 128-bit key.\u00a0The private key can thus only be used after the password has been entered successfully, since the file “id_rsa_initram” is not available in plain text.\u00a0The public key can now be copied to the server:<\/p>\n\n
client @ test: ~ $ scp \/home\/client\/.ssh\/dropbear\/id_rsa_initram.pub lvtest@192.168.56.101: \/ home \/ lvtest \r\nlvtest@192.168.56.101 '<\/span> s password:\r\nid_rsa_initram.pub 100% 396<\/span> 0.4KB \/ s 00:00\r\n<\/pre>\n<\/div>\nIn order for us to access the server, we add (on the server) the client created public key to the “Authorized Keys” file of Dropbear:<\/p>\n
\n
lvtest @ ubuntu: ~ $ sudo su\r\nroot @ ubuntu: \/ home \/ lvtest # cat id_rsa_initram.pub >> \/etc\/initramfs-tools\/root\/.ssh\/authorized_keys\r\n<\/pre>\n<\/div>\nNow the server can be restarted and a connection test carried out with the key pair just created:<\/p>\n
\n
client @ test: ~ $ ssh -i .ssh \/ dropbear \/ id_rsa_initram -o UserKnownHostsFile <\/span>=<\/span> .ssh \/ dropbear \/ known_hosts root@192.168.56.101\r\nThe authenticity of host '192.168.56.101 (192.168.56.101)'<\/span> can not be established. <\/span>\r\nRSA key fingerprint is 03: 92: 1f: 35: fc: e2: 2b: db: ac: 9b: b7: 03: ba: 37: e5: f1. <\/span>\r\nAre you sure you want to continue connecting (yes \/ no)? yes <\/span>\r\nWarning: Permanently added '<\/span> 192.168.56.101 ' (RSA) to the list of known hosts.<\/span>\r\n\r\n\r\nBusyBox v1.21.1 (Ubuntu 1: 1.21.0-1ubuntu1) built-in shell (ash) <\/span>\r\nEnter '<\/span> help ' <\/span> for<\/span> a list of built-in commands.\r\n\r\n#<\/span>\r\n<\/pre>\n<\/div>\nSo the test was successful and we get on the server a BusyBox shell, which we use later for unlocking the crypto-device.<\/p>\n
<\/span>Unlock the crypto device<\/span><\/span><\/h2>\nIf the connection test to Dropbear has been successful, the actual unlocking of the encrypted LVMs can be done.\u00a0Due to a bug in Ubuntu’s Plymouth, however, there are still some lines left in<\/p>\n
\n
\/ Usr \/ share \/ initramfs-tools \/ scripts \/ local-top \/ cryptroot\r\n<\/pre>\n<\/div>\nbe commented out.\u00a0Which lines are that can also be found in post # 5 under\u00a0[1]\u00a0(after line 289):<\/p>\n
\n
if <\/span> [<\/span> -z \" <\/span>$ c <\/span>ryptkeyscript\" <\/span> ] <\/span>; <\/span> then <\/span>\r\n cryptkey <\/span>= <\/span>\"Unlocking the disk <\/span>$ c <\/span>ryptsource ( <\/span>$ c <\/span>rypttarget) \\ nEnter passphrase:\" <\/span>\r\n #if [-x \/ bin \/ plymouth] && plymouth --ping; then <\/span>\r\n # cryptkeyscript = \"plymouth ask-for-password --prompt\" <\/span>\r\n # cryptkey = $ (echo -e \"$ cryptkey\") <\/span>\r\n #else <\/span>\r\n cryptkeyscript <\/span>= <\/span>\"\/ lib \/ cryptsetup \/ askpass\" <\/span>\r\n #fi <\/span>\r\n fi<\/span>\r\n<\/pre>\n<\/div>\nAttention:<\/b>\u00a0After commenting out the lines, the unlocking of the crypto devices only works remotely and no longer locally!\u00a0It is therefore essential that all previous settings have been checked (preferably individually and consecutively):<\/b><\/p>\n\n- Successful installation<\/li>\n
- Network configuration of the device<\/li>\n
- Access to Dropbear via SSH with public-key authentication<\/li>\n
- Local unlocking of crypto-devices<\/li>\n<\/ol>\n
If, for example, the configuration of the SSH server or the network device fails, a physical access to the server is required and the password must be entered with an attached keyboard.\u00a0The patch of the Plymouth bug may therefore only be carried out if the other settings work safely!<\/p>\n
Another possibility would be the creation of a hook script, but this variant was not verified by the author of this wiki article and is therefore only to be tested at your own risk.\u00a0Finally, update the initramfs configuration again:<\/p>\n
\n
sudo update-initramfs -u\r\n<\/pre>\n<\/div>\nNow we connect back to the server via SSH (Dropbear) and get to BusyBox Shell:<\/p>\n
\n
client @ test: ~ $ ssh -i .ssh \/ dropbear \/ id_rsa_initram -o UserKnownHostsFile <\/span>=<\/span> .ssh \/ dropbear \/ known_hosts root@192.168.56.101\r\n\r\nBusyBox v1.21.1 (<\/span> Ubuntu 1: 1.21.0-1ubuntu1 )<\/span> built-in shell (<\/span> ash )<\/span> \r\nEnter 'help' <\/span> for<\/span> a list of built-in commands.\r\n<\/pre>\n<\/div>\nThere we unlock our encrypted LVMs with the following commands, whereby the password “encryptiontest” has to be replaced by the own one chosen when creating the crypto-device.\u00a0For ensemble there are 2 possibilities:<\/p>\n
\n- \/ Lib \/ cryptsetup \/ passfifo<\/b><\/li>\n<\/ul>\n
# echo -n \"encryptiontest\"> \/ lib \/ cryptsetup \/ passfifo\r\n<\/pre>\n
\n- \/ Lib \/ cryptsetup \/ askpass<\/b><\/li>\n<\/ul>\n
The variant without\u00a0echo<\/i>\u00a0, and thus without the password appearing, looks like this:<\/p>\n# \/ lib \/ cryptsetup \/ askpass \"passphrase:\"> \/ lib \/ cryptsetup \/ passfifo \r\npassphrase:\r\n<\/pre>\nFor\u00a0passphrase<\/i>\u00a0, the password must be entered.<\/p>\n
Then the devices are unlocked and the server continues booting.\u00a0Now runs on the server another, “conventional” SSH server (usually openssh), you can connect to this as usual.\u00a0If an openssh server is already running when Dropbear is installed, Dropbear quits automatically after the server has completely booted.\u00a0The command sequence can then be completed in one step:<\/p>\n
\n
ssh -i .ssh \/ dropbear \/ id_rsa_initram -o UserKnownHostsFile <\/span>=<\/span> .ssh \/ dropbear \/ known_hosts root@192.168.56.101 \"echo -ne \\\" encryptiontest \\ \"> \/ lib \/ cryptsetup \/ passfifo\"<\/span>\r\n<\/pre>\n<\/div>\nUsing a custom Known Hosts file is recommended because Dropbear uses a different fingerprint than the openssh server.\u00a0If Dropbear and openssh do not use different “Known-Host” files, the following warning will appear:<\/p>\n
\n
ssh -i .ssh \/ dropbear \/ id_rsa_initram root@192.168.56.101 \"echo -ne \\\" encryptiontest \\ \"> \/ lib \/ cryptsetup \/ passfifo\"<\/span>\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\n<\/pre>\n<\/div>\nThis warning has its origin in that now the standard file “~ \/ .ssh \/ known_hosts” is used, in which the fingerprint of the openssh server is.\u00a0It is therefore advisable for the Dropbear and openssh servers to use different “Known Host” files.<\/p>\n","protected":false},"excerpt":{"rendered":"
A complete encryption of your own system is an excellent way to ensure the confidentiality of your own data.\u00a0The current Ubuntu installer offers a guided installation to encrypt the entire system with ”\u00a0encrypted LVMs\u00a0“.\u00a0For both the automated installation and the manual way, there are numerous detailed guides that explain the<\/p>\n","protected":false},"author":3,"featured_media":1255,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3],"tags":[],"class_list":["post-1253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorial-how-to"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/dropbear-logo-walking_700_726_FFFFFF_c1.jpg?fit=700%2C726&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-kd","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":850,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/how-to-work-your-mac-security\/","url_meta":{"origin":1253,"position":0},"title":"How to Work your Mac Security.","author":"Daniel Draga","date":"January 13, 2017","format":false,"excerpt":"Apple's Iphone Celebrated its 10th anniversary, so I've decided to articles, focusing on Apple's product. I hope you will enjoy these, readers. So, how exactly you work security on your Mac, here is how. Enable the OS X firewall The firewall in OS X is a network filter that\u00a0allows you\u2026","rel":"","context":"In "IT News"","block_context":{"text":"IT News","link":"https:\/\/www.virtono.com\/community\/category\/internet-and-technology-news\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/mac-733178_960_720.jpg?fit=960%2C637&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/mac-733178_960_720.jpg?fit=960%2C637&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/mac-733178_960_720.jpg?fit=960%2C637&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/mac-733178_960_720.jpg?fit=960%2C637&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":3507,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-install-lemp-stack-linux-nginx-mysql-and-php-on-ubuntu-22-04\/","url_meta":{"origin":1253,"position":1},"title":"How to install LEMP stack (Linux, Nginx, MySQL, and PHP) on Ubuntu 22.04","author":"George B.","date":"June 20, 2023","format":false,"excerpt":"Introduction The LEMP stack is a popular software stack for web development and hosting. It includes four major components: Linux, Nginx, MySQL, and PHP. Each component serves a specific purpose in powering dynamic websites and web applications. Linux is the operating system that serves as the LEMP stack's foundation. In\u2026","rel":"","context":"In "Tutorials"","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-install-LEMP-stack-Linux-Nginx-MySQL-PHP-on-Ubuntu-22-04.png?fit=600%2C330&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-install-LEMP-stack-Linux-Nginx-MySQL-PHP-on-Ubuntu-22-04.png?fit=600%2C330&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/06\/How-to-install-LEMP-stack-Linux-Nginx-MySQL-PHP-on-Ubuntu-22-04.png?fit=600%2C330&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":1246,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/set-up-password-authentication-with-active-directory-under-debian\/","url_meta":{"origin":1253,"position":2},"title":"Set up password authentication with Active Directory under Debian","author":"Daniel Draga","date":"November 6, 2017","format":false,"excerpt":"Centralized directory services such as OpenLDAP or Active Directory (AD) simplify\u00a0password management\u00a0for the administrator and the user.\u00a0In terms of Linux servers, the aspect of SSH\u00a0authentication\u00a0via AD\u00a0is especially\u00a0interesting.\u00a0From the point of view of IT security, this solution is also advantageous: Administrators no longer need to choose and manage different passwords for\u2026","rel":"","context":"In "Tutorials"","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/password-wide.jpeg?fit=623%2C425&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/password-wide.jpeg?fit=623%2C425&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/password-wide.jpeg?fit=623%2C425&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":881,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/linux-security-privacy-on-linuxencryption\/","url_meta":{"origin":1253,"position":3},"title":"Linux Security: Privacy on Linux(Encryption)","author":"Daniel Draga","date":"January 26, 2017","format":false,"excerpt":"Security is an important but complex topic. So I'll be doing a series of articles, focusing on the principles and working of security of Linux. The challenge is that it\u2019s an ever-changing idea. Software we think of as secure can become insecure as hackers figure out how to break though\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/linux-ransomware-wide.jpeg?fit=600%2C315&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/linux-ransomware-wide.jpeg?fit=600%2C315&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/01\/linux-ransomware-wide.jpeg?fit=600%2C315&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":2141,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/disposable-linux-set-up-a-secure-system-for-guests\/","url_meta":{"origin":1253,"position":4},"title":"Disposable Linux: Set up a secure system for guests","author":"Shreyash Sharma","date":"December 14, 2020","format":false,"excerpt":"A live system is ideal if guests want to use the Internet or the youngsters do not yet have their own PC to look at holiday photos.\u00a0It does not allow system changes and is therefore also a candidate for secure banking. A live system, and even better a personally adapted\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2020\/12\/xenialpup.jpg?fit=800%2C450&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2020\/12\/xenialpup.jpg?fit=800%2C450&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2020\/12\/xenialpup.jpg?fit=800%2C450&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2020\/12\/xenialpup.jpg?fit=800%2C450&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":214,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/secure-socket-layer-ssl\/","url_meta":{"origin":1253,"position":5},"title":"Secure Socket Layer (SSL)","author":"Daniel Draga","date":"July 30, 2016","format":false,"excerpt":"SSL stands for Secure Socket Layer. Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. Responsible for the emergence\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/2.jpg?fit=376%2C286&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=1253"}],"version-history":[{"count":1,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1253\/revisions"}],"predecessor-version":[{"id":1254,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/1253\/revisions\/1254"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/1255"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=1253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=1253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=1253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}