Ubuntu – Full System encryption with LUKS on headless server – unlock with dropbear and busybox. How

Just done some googling and it appears that plymouth gets in the way. If plymouth is there then on boot then cryptsetup will ask plymouth for the password and that means it's not using passfifo.

The best workaround appears to be putting the following script in the directory /usr/share/initramfs-tools/hooks/ After you've put it there you can chmod +x and then you have to update-initramfs -u. You should then be able to use the unlock command (which is created by the script below).

This relies on you using an ssh key to login with. If you want to use a password then you need to put SSHUSERPASS=<username> into /etc/initramfs-tools/initramfs.conf

#!/bin/sh

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
    ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    cat > "${DESTDIR}/bin/unlock" <<-EOF
        #!/bin/sh
        if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot
        then
            /sbin/pkill cryptroot
            /sbin/pkill -f "plymouth ask-for-pass"
            /sbin/pkill cryptsetup
            exit 0
        fi
        exit 1
    EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" <<-EOF
        #!/bin/sh
        [ "\$1" == "--ping" ] && exit 1
        /bin/plymouth "\$@"
    EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    # Enable password login
    if [ -n "$SSHUSERPASS" ]
    then
        sed -n "s/^${SSHUSERPASS}:/root:/p" /etc/shadow > "${DESTDIR}/etc/shadow"
        chmod 640 "${DESTDIR}/etc/shadow"
    fi
fi

You can read more in this post on the ubuntuforums, this launchpad bug and the german post I nicked most of this from.

I do the same thing, however I'm afraid my answer won't be satisfactory, as for various reasons I went with a completely custom Initramfs.

Instead of GnuPG, which is an extra binary that has to be included in the Initramfs (and in case of GnuPG-2, a rather complex one), I simply used what's already there. And that's obviously dm-crypt/LUKS.

So suppose you have a keyfile. Preferably one with random data.

# dd if=/dev/urandom of=keyfile count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000189802 s, 2.7 MB/s

Add encryption for it with LUKS (feel free to add your cipher settings of choice).

# truncate -s 2M keyfile.luks
# cryptsetup luksFormat keyfile --header keyfile.luks

WARNING!
========
This will overwrite data on keyfile.luks irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: bananas
Verify passphrase: bananas

Now you have a keyfile (512 byte) and a keyfile.luks (2MB, which cryptsetup for some reason needs to write the 192k LUKS header). Since the Initramfs will be compressed anyway, that is not too bad (still smaller than GnuPG).

Now you can decrypt the keyfile:

# cryptsetup luksOpen keyfile --header keyfile.luks lukskey
Enter passphrase for keyfile: bananas

And you have 512 byte of random data in /dev/mapper/lukskey. (You may write to it if you want to change it, so we could have initialized the file with zeroes earlier.)

# blockdev --getsize64 /dev/mapper/lukskey
512

In Initramfs init you could then proceed to open the real LUKS volume with it (assuming you added the key first).

cryptsetup --key-file=/dev/mapper/lukskey luksOpen /dev/yourdisk luksyourdisk
cryptsetup luksClose lukskey # clean up

This approach makes GnuPG entirely superfluous, plus you get all LUKS advantages, such as multiple passphrases for the key, cipher of your choice, et cetera. Not to mention a nice (mostly regular) password prompt with multiple retries.