How To Remotely Decrypt a LUKS Encrypted Partition Over SSH
Some Linux distributions let you install every partition except the boot partition onto LUKS-encrypted volumes. This is a large gain in the security of your data should the machine be stolen, but it is an inconvenience on a server with no keyboard or monitor attached, because someone has to type the passphrase at the console on every boot. Fortunately the initramfs, the small early-boot filesystem that prompts for the passphrase and unlocks the root partition in the first place, can also be built to run an SSH server, so the passphrase can be supplied over the network instead.
All of the following must be done as root.
Static IP
Begin by giving the initramfs image a static IP address, so that you know where to connect before the root filesystem (and its normal network configuration) is available. With initramfs-tools this is the IP= line in /etc/initramfs-tools/initramfs.conf, which uses the same colon-separated syntax as the kernel's ip= boot parameter: IP=<client-ip>:<server-ip>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>. Fields you do not need may be left empty, and the device name must be the interface name as the kernel sees it at boot.
Installing Software
In order to log in remotely to the initramfs, two things are required. The first is BusyBox, which provides the shell and the basic command-line utilities inside the image. The second is Dropbear, a lightweight SSH server and client.
To install these on Debian, or a derivative thereof, use the following command
apt-get install busybox dropbear
On current Debian releases the initramfs hooks have been split out into the separate dropbear-initramfs package (which also uses its own authorized_keys location); if your release has that package, install it rather than relying on the dropbear package alone.
Configure the initramfs Image for Remote Access
Open the file /etc/initramfs-tools/initramfs.conf for editing.
Ensure that there is a line which reads BUSYBOX=y
and no line that reads BUSYBOX=n
Next, make sure that there isn't a line DROPBEAR=n
and that there is a line DROPBEAR=y
The file is read as shell, so if both forms are present the later line wins; remove the =n line rather than only adding =y above it. With these options enabled, the next time the initramfs image is rebuilt it will contain BusyBox and Dropbear.
Adding SSH Keys to the Image
Now that the services that allow you to log on remotely are enabled, you need to add your SSH public key to the image. Dropbear in the initramfs accepts key authentication only, so without this step you will not be able to log in.
If you need to create an SSH key, generate one with ssh-keygen on the machine you will connect from.
First, transfer your public key (id_rsa.pub, not the private id_rsa) onto the computer with the initramfs image you are modifying.
Next, make sure that the .ssh directory and the authorized_keys file exist for Dropbear, with the commands
mkdir -p /etc/initramfs-tools/root/.ssh
touch /etc/initramfs-tools/root/.ssh/authorized_keys
Now, append your key to the authorized_keys file.
cat id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys
Finally, give the directory and the file the proper permissions (Dropbear, like OpenSSH, ignores keys that are readable by other users).
chmod 0700 /etc/initramfs-tools/root/.ssh
chmod 0600 /etc/initramfs-tools/root/.ssh/authorized_keys
Creating the New Image
To generate the new initramfs image for the running kernel, simply run the command
update-initramfs -u
Use update-initramfs -u -k all if you keep several kernels installed, so that every image you might boot from contains Dropbear and your key.
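The configuration, key installation and image rebuild described in the sections above can be scripted so that re-running it is safe and the result is checked rather than assumed. The script below is an added example and not part of the original article; it assumes the initramfs-tools layout used here (the /etc/initramfs-tools/root/.ssh path), lsinitramfs from initramfs-tools, and the example address, gateway and interface in IP_CONFIG, which you must change to match your network. It takes the path to your public key as its only argument.

```shell
#!/bin/sh
# Added example, not the article's own script: automates the initramfs.conf,
# authorized_keys and update-initramfs steps above and then checks that the
# rebuilt image really contains dropbear and the key. Assumptions: the
# initramfs-tools layout described in this article (legacy
# /etc/initramfs-tools/root/.ssh path) and the example address/interface in
# IP_CONFIG below; change those to match your network.
set -eu

CONF="${CONF:-/etc/initramfs-tools/initramfs.conf}"
AUTH_DIR="${AUTH_DIR:-/etc/initramfs-tools/root/.ssh}"
# client-ip:server-ip:gateway:netmask:hostname:device:autoconf (assumed values)
IP_CONFIG="${IP_CONFIG:-192.168.1.20::192.168.1.1:255.255.255.0:server:eth0:off}"

# set_conf_option FILE KEY VALUE: leave exactly one KEY=VALUE line in FILE.
# Every earlier KEY= line is removed first, because the file is sourced as
# shell and a leftover BUSYBOX=n after BUSYBOX=y would silently win.
set_conf_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    grep -v -E "^[[:space:]]*${key}=" "$file" > "$tmp" 2>/dev/null || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"     # keep the original file's owner and mode
    rm -f "$tmp"
}

# conf_value FILE KEY: print the value the image will see (last KEY= line wins).
conf_value() {
    sed -n -E "s/^[[:space:]]*$2=(.*)$/\1/p" "$1" | tail -n 1
}

# install_key PUBKEY DIR: add the public key once, with strict permissions,
# so re-running the script never duplicates it or loosens the modes.
install_key() {
    pub="$1"; dir="$2"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    touch "$dir/authorized_keys"
    chmod 0600 "$dir/authorized_keys"
    if ! grep -qxF "$(cat "$pub")" "$dir/authorized_keys"; then
        cat "$pub" >> "$dir/authorized_keys"
    fi
}

# verify_image IMAGE: succeed only if the image lists a dropbear binary and an
# authorized_keys file (lsinitramfs ships with initramfs-tools).
verify_image() {
    listing="$(lsinitramfs "$1")" || return 1
    printf '%s\n' "$listing" | grep -q -E '(^|/)dropbear$' &&
        printf '%s\n' "$listing" | grep -q 'authorized_keys$'
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    set_conf_option "$CONF" BUSYBOX y
    set_conf_option "$CONF" DROPBEAR y
    set_conf_option "$CONF" IP "$IP_CONFIG"
    install_key "$1" "$AUTH_DIR"
    update-initramfs -u
    if verify_image "/boot/initrd.img-$(uname -r)"; then
        echo "initramfs contains dropbear and your key"
    else
        echo "dropbear or authorized_keys missing from the image" >&2
        exit 1
    fi
}

if [ $# -eq 1 ]; then
    main "$1"
else
    echo "usage: $0 /path/to/id_rsa.pub" >&2
fi
```

The final verify_image check is the part worth keeping even if you do the rest by hand: a rebuilt image that silently lacks dropbear (for example because the =n line was left in place) only reveals itself at the next reboot, when the machine is sitting at the passphrase prompt with no way in.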
Logging into to Initramfs
If the IP Address of the Image is the Same as the Computer
The Dropbear server in the initramfs has its own host key, which is different from the key used by the sshd on the fully booted system. If both answer on the same IP address, OpenSSH will see two different host keys for one address and, after the first connection to either of them, refuse the other with a host-key-changed warning. Avoid that by keeping a separate known_hosts file for the image.
Do this by creating the new file
touch ~/.ssh/known_hosts.boot
and logging into the image with the option that tells ssh to use that file instead of the default one
-o "UserKnownHostsFile=~/.ssh/known_hosts.boot"
Because this file starts empty, the first connection will ask you to accept the image's host key; verify that fingerprint rather than accepting it blindly, since an attacker who can answer on that address at boot time would otherwise receive your passphrase.
The rest of the examples in this section will be for this configuration.
Entering Your Password
To log in to the initramfs, use the command
ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.boot" root@ipaddress
If you are using a different IP address for the image than for the booted system, the two host keys never collide and the command can simply be
ssh root@ipaddress
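Rather than passing -o on every command, the same separation of host keys can be written once in the client's ~/.ssh/config. This is an added example, not part of the original article; the alias name luks-boot and the address 192.168.1.20 are assumptions, and HostKeyAlias is what lets the image's key and the booted system's key coexist even when they share an address:

```sshconfig
# ~/.ssh/config (added example; alias and address are assumed values)
Host luks-boot
    HostName 192.168.1.20
    User root
    Port 22
    # Record the initramfs host key under its own name, in its own file, so it
    # never collides with the key of the fully booted system at this address.
    HostKeyAlias luks-boot
    UserKnownHostsFile ~/.ssh/known_hosts.boot
```

With this in place, ssh luks-boot connects to the image, and a later ssh root@192.168.1.20 to the booted system still uses the normal known_hosts entry.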
Once logged in, you need to hand the passphrase to the cryptsetup helper that is waiting for it on the console. It reads the passphrase from a FIFO, so write it there without a trailing newline:
echo -ne yourpassword > /lib/cryptsetup/passfifo
Two caveats apply to this step. Typed this way, the passphrase is a command-line argument and is visible to anything that can read the process list on the image while echo runs, and echo -e will interpret backslash sequences inside it; a passphrase containing backslashes is safer written with printf '%s'. On newer Debian images built with cryptsetup-initramfs, the image also provides the cryptroot-unlock command, which prompts for the passphrase itself and should be preferred where it exists.
Making the Decrypting Process Easier
To make the decryption process quicker, all the steps can be put together in a script run from the machine you connect from.
The content of the script is below (the original article also offered it as an attached download).
Please note that this script is distributed under the terms of the GPL rather than the Creative Commons License.
#!/bin/bash
# Remote Decrypt. Remotely enters the password for a properly configured LUKS encrypted partition. Logs into the Busybox instance in initramfs. Takes the IP address or hostname of the image as an argument
# Copyright (C) 2011 Eugene Davis
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.

if [ $# -ne 1 ]; then
    echo "usage: $0 ipaddress-or-hostname" >&2
    exit 1
fi

stty -echo  # turn off terminal echo so the password you type is not displayed
read -r -p "Enter password for the encrypted volume: " password  # -r keeps backslashes in the password literal
stty echo   # turn terminal echo back on
echo

# Feed the password over the SSH session's stdin and let the remote shell copy it
# into the FIFO. Putting it inside the remote command string would expose it in
# the process list on both machines; printf '%s' writes it byte for byte with no
# escape processing and no trailing newline, as echo -n did.
printf '%s' "$password" | ssh -p 22 -o "UserKnownHostsFile=~/.ssh/known_hosts.boot" "root@$1" 'cat > /lib/cryptsetup/passfifo'
unset password
Once you have downloaded or created the remote_decrypt file, make it executable by running the command
chmod +x remote_decrypt
If you then move it to a directory in your PATH, you will be able to run it from anywhere. Otherwise, make sure you are in the same directory as the script and run ./remote_decrypt. Pass the image's IP address or hostname as the single argument, in the format:
remote_decrypt ipaddress