Luks unlock with SSH or USB
09 February 2015 on Linux, Luks, Ubuntu, Debian, Dropbear, SSH
Unlocking a full disk encrypted Ubuntu/Debian system with SSH or USB flash drive
I've started encryping my home server long before it was a next next next install option in Ubuntu and Debian. At some point I added USB unlocking with an old hacked up version of the script from How to setup passwordless disk encryption in Debian Etch to my system but had to retract the keys from the luks volume too often because of broken or lost flash drives. So I recently started looking into unlocking it from SSH for which there even was a howto included in the ubuntu distribution (/usr/share/doc/cryptsetup/README.remote.gz). Unfortunately this has been broken since 2010 when plymouth was introduced.
So I patched up the usb unlock script from How to setup passwordless disk encryption in Debian Etch to support unlocking from SSH, while maintaining support for entering the passphrase in plymouth, and wrote an install script which sets up the system to allow unlocking of full disk encrypted Ubuntu and Debian installs through console, USB-key or SSH.
Tested on:
- Ubuntu server 14.10 (no desktop)
- Debian 7.8 (no desktop)
Use at your own risk, I'm not responsable for any damage this script might do to your system, make backups, make sure you have a safe boot option, test it in a VM first... etc. etc.
Usage
- Install Ubuntu server or Debian with full disk encrypted LVM
sudo apt-get install -y git-core
git clone --depth 1 https://github.com/chadoe/luks-triple-unlock.git && cd luks-triple-unlock
chmod +x *.sh
sudo ./install.sh [keyfile], it will ask you for the passphrase for the luks drive, keyfile is a path to a file you want to use as a key for the luks volume, this file will be read from an USB flash drive ext(2/3/4)/fat32/ntfs partition on boot. If no keyfile provided on the commandline a file .keyfile will be generated in the current directory.
sudo reboot
Ways to unlock your machine
- from the console
- from SSH. Copy /etc/initramfs-tools/root/.ssh/id_rsa, this is the private key you need to log into dropbear (no password, root@machinename). When you connect it will ask you for the passphrase to unlock the machine.
- with an USB flash drive. Copy .keyfile (or the file you provided on the commandline to ./install.sh) to any ext(2/3/4)/fat32/ntfs partition on an USB flash drive. Stick it in the machine and boot, it should boot straight through.
source: https://martinvanbeurden.nl/blog/luks-unlock-with-ssh-or-usb/