With 14.04 this procedure has become really easy. Nevertheless some of the steps mentioned at http://hacksr.blogspot.de/2012/05/ssh-unlock-with-fully-encrypted-ubuntu.html are still necessary. Given you have set up your fully encrypted Ubuntu 14.04 server and your OpenSSH infrastructure with public keys and all running, there’s just a little more:
Install dropbear, a tiny SSH server that runs before the root partition on the server is decrypted:
sudo apt-get install dropbear
Installation scripts will create/copy keys. Just edit
/etc/default/dropbear
and change
NO_START=1
to
NO_START=0
to make sure dropbear starts on boot.
I then activated the root user
sudo passwd root
and copied the keys
sudo cp /etc/dropbear/dropbear_* /etc/initramfs-tools/etc/dropbear/
sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys
You should now be able to log in via ssh into a busybox shell. In order to decrypt the root partition just one script is needed. Edit
/etc/initramfs-tools/hooks/crypt_unlock.sh
and enter
#!/bin/sh
# initramfs-tools hook: adds an "unlock" command to the initramfs
PREREQ="dropbear"
prereqs() {
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # /bin/unlock: run cryptroot from the ssh session, then kill the
    # cryptroot instance that is still waiting on the console
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"
    # plymouth wrapper found first via PATH=/lib/unlock: it fails "--ping"
    # so cryptroot prompts on the ssh terminal instead of through plymouth
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"
    echo "To unlock root-partition run unlock" >> "${DESTDIR}/etc/motd"
fi
Save the file and then make the script executable
sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh
and update the initramfs
sudo update-initramfs -u
DONE!
After a reboot you should be able to
ssh root@serverip
and then run
unlock
to boot your server.
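A pre-reboot check for the steps above, added here as an example and not part of the original post: it reads a file listing such as `lsinitramfs` (from initramfs-tools) prints and reports which of the files this procedure installs are missing from the rebuilt image. The function names, the script name and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check an lsinitramfs-style listing (on stdin) for the files
# the steps on this page are supposed to place in the initramfs.

# One grep -E pattern per line. The dropbear_* wildcard mirrors the cp above.
EXPECTED='bin/unlock
lib/unlock/plymouth
root/\.ssh/authorized_keys
etc/dropbear/dropbear_[^/]+'

# Print "missing: <pattern>" for each absent entry; return 1 if any is absent.
missing_unlock_files() {
    # Normalise "./bin/unlock" and "/bin/unlock" to "bin/unlock".
    listing=$(sed -e 's|^\./||' -e 's|^/||')
    rc=0
    while IFS= read -r pat; do
        printf '%s\n' "$listing" | grep -Eq "^${pat}\$" && continue
        echo "missing: $pat"
        rc=1
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample listing, not captured from a real system.
sample_listing() {
    cat <<'EOF'
.
bin
bin/busybox
bin/unlock
lib/unlock/plymouth
etc/dropbear/dropbear_rsa_host_key
root/.ssh/authorized_keys
scripts/local-top/cryptroot
EOF
}

# With an image path as argument, check the real initramfs, e.g.
#   sh check-unlock.sh "/boot/initrd.img-$(uname -r)"   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    lsinitramfs "$1" | missing_unlock_files && echo "initramfs contains the unlock files"
fi
```

Run it after `update-initramfs -u` and before the reboot; a non-zero exit status means the remote unlock would not work as described.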