SSH unlock encrypted Ubuntu 14.04 server

Friday, June 27th, 2014

With 14.04 this procedure has become really easy. Nevertheless, some of the steps described at http://hacksr.blogspot.de/2012/05/ssh-unlock-with-fully-encrypted-ubuntu.html are still necessary. Assuming you have set up your fully encrypted Ubuntu 14.04 server and your OpenSSH infrastructure with public keys, and everything is running, there’s just a little more to do:

Install dropbear, a tiny SSH server that runs from the initramfs, before the root partition on the server is decrypted:

sudo apt-get install dropbear

Installation scripts will create/copy keys. Just edit

/etc/default/dropbear

and change

NO_START=1

to

NO_START=0

to make sure dropbear starts on boot.

I then activated the root user

sudo passwd root

and copied the keys

sudo cp /etc/dropbear/dropbear_* /etc/initramfs-tools/etc/dropbear/

sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys

You should now be able to log in via ssh into a busybox shell. To decrypt the root partition, just one script is needed. Edit

/etc/initramfs-tools/hooks/crypt_unlock.sh

and enter

#!/bin/sh
# initramfs-tools hook: runs after the dropbear hook and adds an "unlock"
# command to the initramfs that drives cryptroot from the dropbear shell.

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # /bin/unlock inside the initramfs: run cryptroot interactively, then kill
    # the cryptroot instance the boot process is waiting on so booting continues.
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \$(ps | grep cryptroot | grep -v "grep" | awk '{print \$1}')
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    # A plymouth stand-in that answers "not running" to --ping, so cryptroot
    # asks for the passphrase on the SSH terminal instead of the splash screen.
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"
fi

save the file and then make the script executable

sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

and update the initramfs

sudo update-initramfs -u
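Before rebooting it is worth confirming that the rebuilt initramfs really contains everything the remote unlock needs, since a missing key file or hook output means no SSH prompt and a trip to the console. The following check script is an added example, not part of the original post; it assumes lsinitramfs from initramfs-tools is installed and that the 14.04 dropbear initramfs layout (host keys under etc/dropbear, cryptroot under scripts/local-top) matches your system.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check the rebuilt initramfs
# before rebooting. Assumes lsinitramfs(1) from initramfs-tools and the paths
# the post's hook writes; the dropbear key and cryptroot locations are assumed
# from the Ubuntu 14.04 initramfs layout (adjust the patterns if yours differs).

# Entries that must exist inside the initramfs, one extended regex per line.
# lsinitramfs may or may not print a leading "./", so both forms are accepted.
REQUIRED='^(\./)?bin/unlock$
^(\./)?lib/unlock/plymouth$
^(\./)?etc/dropbear/dropbear_.*host_key$
^(\./)?root/\.ssh/authorized_keys$
^(\./)?scripts/local-top/cryptroot$'

# check_listing: reads a file listing (lsinitramfs output) on stdin and returns
# 0 when every required entry is present, 1 otherwise, reporting each gap.
check_listing() {
    listing=$(cat)
    rc=0
    for pat in $REQUIRED; do
        if ! printf '%s\n' "$listing" | grep -Eq "$pat"; then
            echo "missing from initramfs: $pat" >&2
            rc=1
        fi
    done
    return $rc
}

# dropbear_enabled: returns 0 when /etc/default/dropbear (or the file given as
# the first argument) contains NO_START=0, i.e. dropbear will start at boot.
dropbear_enabled() {
    grep -Eq '^[[:space:]]*NO_START=0[[:space:]]*$' "${1:-/etc/default/dropbear}"
}

# Usage: sh check_unlock.sh /boot/initrd.img-<kernel version>
if [ $# -gt 0 ]; then
    img=$1
    dropbear_enabled || { echo "NO_START is not 0 in /etc/default/dropbear" >&2; exit 1; }
    lsinitramfs "$img" | check_listing || exit 1
    echo "$img looks ready for remote unlock"
fi
```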

DONE!

After a reboot you should be able to

ssh root@serverip

and then run

unlock

to boot your server.