Archive for June, 2014

SSH unlock encrypted Ubuntu 14.04 server

Friday, June 27th, 2014

With 14.04 this procedure has become really easy. Nevertheless, some of the steps mentioned at http://hacksr.blogspot.de/2012/05/ssh-unlock-with-fully-encrypted-ubuntu.html are still necessary. Given that you have set up your fully encrypted Ubuntu 14.04 server and your OpenSSH infrastructure with public keys and all running, there’s just a little more to do:

Install dropbear, a tiny ssh server that runs from the initramfs before the root partition on the server is decrypted:

sudo apt-get install dropbear

Installation scripts will create/copy keys. Just edit

/etc/default/dropbear

and change

NO_START=1

to

NO_START=0

to make sure dropbear starts on boot.

I then activated the root user

sudo passwd root

and copied the keys

sudo cp /etc/dropbear/dropbear_* /etc/initramfs-tools/etc/dropbear/

sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys

You should now be able to log in via ssh into a BusyBox shell. In order to decrypt the root partition from there, just one hook script is needed. Create the file

/etc/initramfs-tools/hooks/crypt_unlock.sh

and enter

#!/bin/sh

# initramfs-tools hook: must run after the dropbear hook has populated the image
PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

# Only install the unlock helper when dropbear is enabled in initramfs.conf
# and the system actually has encrypted volumes listed in /etc/crypttab
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # /bin/unlock: re-run the cryptroot script on the ssh session's tty, then
    # kill the copy that is still blocking on the console so boot continues
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    # A plymouth shim placed first in PATH: answering "--ping" with failure makes
    # cryptroot believe plymouth is not running, so it prompts on this tty instead;
    # every other call is passed through to the real binary
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo To unlock root-partition run "unlock" >> "${DESTDIR}/etc/motd"
fi

Save the file, then make the script executable:

sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

and update the initramfs:

sudo update-initramfs -u

DONE!

After a reboot you should be able to

ssh root@serverip

and with

unlock

to boot your server.
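As an added example (not part of the original post, and not the dropbear or initramfs-tools project's own tooling), the following POSIX shell script wraps the manual steps above into idempotent functions with the checks a practitioner would want before rebooting a remote box: it verifies that /etc/crypttab is readable and that dropbear's host keys exist, flips NO_START to 0 without clobbering other settings in /etc/default/dropbear, stages the keys with modes dropbear accepts, makes the hook executable, and after update-initramfs confirms with lsinitramfs that dropbear, /bin/unlock and the authorized key actually landed in the image. The ROOT prefix (for dry runs in a scratch directory; empty on a live system), the APPLY switch and the positional authorized_keys argument are this example's own conventions, not the post's; the crypt_unlock.sh hook from the post is assumed to be in place already.

```shell
#!/bin/sh
# Added example (not from the post): the manual steps as idempotent, checkable
# shell functions. ROOT is an assumed prefix for dry runs in a scratch
# directory; leave it empty on a real system. Paths are the ones the post uses;
# the crypt_unlock.sh hook is assumed to have been written already.
ROOT="${ROOT:-}"

# A readable /etc/crypttab is what the hook keys on, and the dropbear package
# must have generated its host keys; refuse to continue otherwise.
check_prerequisites() {
    [ -r "$ROOT/etc/crypttab" ] \
        || { echo "no readable /etc/crypttab; is the root partition encrypted?" >&2; return 1; }
    ls "$ROOT"/etc/dropbear/dropbear_* >/dev/null 2>&1 \
        || { echo "no dropbear host keys under /etc/dropbear" >&2; return 1; }
}

# Set NO_START=0 in /etc/default/dropbear without touching other settings.
# Safe to run repeatedly.
enable_dropbear_on_boot() {
    conf="$ROOT/etc/default/dropbear"
    [ -f "$conf" ] || { echo "$conf missing; is dropbear installed?" >&2; return 1; }
    grep -q '^NO_START=0' "$conf" && return 0
    if grep -q '^NO_START=' "$conf"; then
        sed 's/^NO_START=.*/NO_START=0/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo 'NO_START=0' >> "$conf"
    fi
}

# Copy the host keys and the given authorized_keys file into the initramfs
# staging tree. dropbear refuses an authorized_keys file or .ssh directory
# that is group- or world-writable, and host keys are secrets, so use 600/700.
stage_unlock_keys() {
    authorized="$1"
    dst_keys="$ROOT/etc/initramfs-tools/etc/dropbear"
    dst_ssh="$ROOT/etc/initramfs-tools/root/.ssh"
    [ -r "$authorized" ] || { echo "cannot read $authorized" >&2; return 1; }
    mkdir -p "$dst_keys" "$dst_ssh"
    cp "$ROOT"/etc/dropbear/dropbear_* "$dst_keys"/
    chmod 600 "$dst_keys"/dropbear_*
    cp "$authorized" "$dst_ssh/authorized_keys"
    chmod 700 "$dst_ssh"
    chmod 600 "$dst_ssh/authorized_keys"
}

# initramfs-tools silently skips a hook it cannot execute.
ensure_hook_executable() {
    hook="$ROOT/etc/initramfs-tools/hooks/crypt_unlock.sh"
    [ -f "$hook" ] || { echo "$hook not found; create it first" >&2; return 1; }
    chmod 755 "$hook"
}

# Confirm the rebuilt image really carries dropbear, the unlock wrapper and
# the authorized key; a silent miss here means rebooting into a locked box.
verify_initramfs() {
    img="$1"
    listing=$(lsinitramfs "$img") || return 1
    for needle in sbin/dropbear bin/unlock root/.ssh/authorized_keys; do
        echo "$listing" | grep -q "$needle" \
            || { echo "$needle missing from $img" >&2; return 1; }
    done
}

apply() {
    check_prerequisites
    enable_dropbear_on_boot
    stage_unlock_keys "$1"
    ensure_hook_executable
    update-initramfs -u
    verify_initramfs "/boot/initrd.img-$(uname -r)"
}

# Only touch the live system when asked explicitly (assumed switch for this
# example), e.g. as root: APPLY=1 sh dropbear-unlock.sh /home/admin/.ssh/authorized_keys
if [ "${APPLY:-0}" = "1" ]; then
    apply "$1"
fi
```

One caveat worth knowing before the first reboot: the host key dropbear presents from the initramfs is not the OpenSSH host key the fully booted system presents on the same address, so ssh clients will warn about a changed host key on every switch between the two unless you keep separate known_hosts entries for them (for instance by running the initramfs dropbear on a different port). Verifying the dropbear key fingerprint out of band before trusting it is what keeps the passphrase from being typed into a stranger's prompt.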