Ubuntu – How to one unlock a fully encrypted Ubuntu 11.10 system over SSH at boot

bootencrypted-partitionluksSecurityssh

In previous versions of Ubuntu, and current versions of Debian, you can unlock a fully encrypted system (using dmcrypt and LUKS) at boot time over SSH.

It was as easy as:

Installing the encrypted system using the Ubuntu alternate installer disk or normal Debian installer disk and choosing to encrypt the system.
After the system is installed, adding the dropbear and busybox packages.
Updating the initram-fs to authorize your ssh key.

At boot time, you'd just ssh to the machine, and do:

echo -ne "keyphrase" > /lib/cryptsetup/passfifo

The machine would then unlock and boot the encrypted system.

Using the exact same steps on Ubuntu 11.10, I can ssh to the machine, but /lib/cryptsetup/passfifo doesn't exist.

There appears to be no way to unlock the system over ssh. I'm not sure where to look to see if this functionality changed or if it was removed.

Best Answer

Just done some googling and it appears that plymouth gets in the way. If plymouth is there then on boot then cryptsetup will ask plymouth for the password and that means it's not using passfifo.

The best workaround appears to be putting the following script in the directory /usr/share/initramfs-tools/hooks/ After you've put it there you can chmod +x and then you have to update-initramfs -u. You should then be able to use the unlock command (which is created by the script below).

This relies on you using an ssh key to login with. If you want to use a password then you need to put SSHUSERPASS=<username> into /etc/initramfs-tools/initramfs.conf

#!/bin/sh

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
    ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    cat > "${DESTDIR}/bin/unlock" <<-EOF
        #!/bin/sh
        if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot
        then
            /sbin/pkill cryptroot
            /sbin/pkill -f "plymouth ask-for-pass"
            /sbin/pkill cryptsetup
            exit 0
        fi
        exit 1
    EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" <<-EOF
        #!/bin/sh
        [ "\$1" == "--ping" ] && exit 1
        /bin/plymouth "\$@"
    EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    # Enable password login
    if [ -n "$SSHUSERPASS" ]
    then
        sed -n "s/^${SSHUSERPASS}:/root:/p" /etc/shadow > "${DESTDIR}/etc/shadow"
        chmod 640 "${DESTDIR}/etc/shadow"
    fi
fi

Related Solutions

Ubuntu – Mount a LUKS partition at boot

Seems that I needed to edit the /etc/crypttab file, which is the crypto equivalent to fstab, and add the following line:

# create a /dev/mapper device for the encrypted drive
home    /dev/sda2       none luks

And add the following to /etc/fstab:

# /home LUKS
/dev/mapper/home /home ext4 rw 0 0

Now I get two password prompts at boot, as needed.

Ubuntu – Full System encryption with LUKS on headless server – unlock with dropbear and busybox. How

This is more a comment than an answer, sorry. But since you didn't get any replies yet, I wanted to write something anyway.

As for how does it even work:

In the Initramfs you usually have one master process (usually a busybox based /init shell script) which is responsible for making the root partition available before handing off the boot process to the real init system of your Ubuntu install.

In case of dropbear in Initramfs, that is a separate process started by /init. Logging into dropbear you get a shell which is yet another process. All the while the original /init has to be running and waiting for something, in this case the LUKS password.

So what the /init script most likely does here, once it started dropbear, is create a named pipe, or fifo, i.e. the /lib/cryptsetup/passfifo. And then it reads from that named pipe. This read will block until there actually is something to read, so that's how /init hangs and waits for input.

Then some years later you log into dropbear and do your echo passphrase > /lib/cryptsetup/passfifo, at which point /init wakes up from its slumber and resumes to unlock LUKS and go on with the rest of the boot process.

And that's basically the general idea of how it works. If there is no documentation for it you would have to read the shell script.

As for a GPG encrypted key in Initramfs, I'm sure this is the standard method in Ubuntu somehow, probably to be set up via /etc/crypttab. Did you check the wiki for a howto?

It certainly would require GPG to be included in the Initramfs. but I outlined an alternative approach here which could be made to work without additional dependencies:

How do I use dm-crypt (LUKS) with GnuPG to use two-factor for FDE?

The problem with this is of course that it is not standard, so while it could be simpler in theory it might actually be harder to set up.

Best Answer

Related Solutions

Ubuntu – Mount a LUKS partition at boot

Ubuntu – Full System encryption with LUKS on headless server – unlock with dropbear and busybox. How

Related Question