SSH – How to Open a Port Early in Boot Process to Unlock LUKS

luksnetworkingssh

I have a fully encrypted server running Debian 7 and have set up dropbear and busybox to unlock the LUKS container via SSH (as described in this tutorial and in this U&L answer).

Unfortunately, whenever I try and SSH to the server (over the LAN) at reboot, I get a "Connection refused" error. I have tried telnet and nmap to the default port (22) and both say the port is closed.

The server has a ufw rule to accept all traffic from the LAN:

Anywhere         ALLOW       192.168.1.0/24

I have tried changing the port that dropbear listens on in /etc/defaults/dropbear but ssh and telnet are still refused connections¹.

How can I ensure that a port is open at that stage in the boot process so that I can connect to unlock the LUKS container?

Disabling the firewall makes no difference: nmap shows all ports still closed.

Update 2/14

I added break=premount to the kernel line and had a poke around in the initramfs. dropbear has started, but the network is not up at that point. After exiting, the network comes up and boot continues until the prompt to unlock the LUKS device.

At this point, the network is up, and the host has been assigned the correct IP address, but port 22 is still closed.

The IP line in /etc/initramfs-tools/intiramfs.conf I am using is:

export IP=192.168.1.200::192.168.1.1:255.255.255.0::eth0:off

Consistent with the directions in /usr/share/doc/cryptsetup/README.remote.gz I have tried just adding the device option, but that is not sufficient to bring the network up and obtain a dhcp lease.

Update 11/10/14

Karl's answer was what was required: setting up /etc/initramfs-tools/conf.d/cryptroot was the key:

target=md1_crypt,source=UUID=8570d12k-ccha-4985-s09f-e43dhed9fa2a

This guide also proved more up-to-date and relevant (and successful).

Best Answer

I got this same problem a few weeks ago (Debian Wheezy 7.6) and after some days of troubleshooting I found out that there was a config file missing which was preventing to the cryptroot script on init-top to run correctly, hence it was not stopping to ask the password via ssh, killing the dropbear at the end of the sequence (init-bottom).

The config file is called cryptroot and should be under /etc/initramfs-tools/conf.d/ If I am not mistaken that config file should have been created automatically during install (I have read just one tutorial talking about that config file) but somehow it did not (tested in a physical server and in a VM, same OS and versions)

It took me a couple of tries to configure it properly, since I could not find the proper syntax at that time. My cryptroot config file is as follows:

target=crypt-root,source=/dev/vg0/root,lvm=root

Once created the config file just update the initramfs and try again:

update-initramfs -u

Related Solutions

Ssh – How to decrypt an encrypted container via ssh without entering a passphrase while requiring some client authentication

I did something similar to this once with a remote encfs where I stored backups from my local PC. Maybe this will help. I was using Ubuntu with gnome-keyring at the time.

dbus_session.sh

#!/bin/bash
# This will grab the appropriate environment variables to connect to the 
# gnome-keyring via dbus for the currently logged in user
# shouldn't be necessary if you're running from an xterm in gnome
$(sed 's/^\([^#]\)/export \1/' ~/.dbus/session-bus/*-0 | grep -v ^#)

keyring_helper.py

#!/usr/bin/python
import sys
import keyring

if len(sys.argv) < 5:
    print "Usage: keyring_helper.py get|set name server protocol [password]"
    sys.exit(1)

k = keyring.Keyring(sys.argv[2], sys.argv[3], sys.argv[4])

if sys.argv[1] == "get":
    c = k.get_credentials()
    print c[1]
elif sys.argv[1] == "set":
    k.set_credentials((sys.argv[2], sys.argv[5]));

keyring.py

backup.sh

#!/bin/bash
. "$(dirname "$0")"/dbus_session.sh
cd /home/mike/misc/scripts

if ssh polaris mountpoint -q ~/mnt/; then
  echo 1>&2 Filesystem already mounted.
  exit 1
fi

# Take password from gnome-keyring and store in FIFO on polaris
./keyring_helper.py get mike polaris enc_backups 2>/dev/null |ssh polaris 'cat >~/passwd' &

# Mount the encrypted filesystem
ssh polaris 'nice -n 19 encfs -f -i 5 --extpass=cat ~/enc_backups/ ~/mnt/ <~/passwd' &

# Wait for the mount to complete
ssh polaris 'while ! mountpoint -q ~/mnt/; do if [ $((I++)) -gt 15 ]; then exit 1; fi; sleep 1; done'

if [ $? -ne 0 ]; then
  echo 1>&2 Mount failed.
  exit 2
fi

# Transfer data
rsync -az --delete --bwlimit 45 ~/misc /array/Dropbox/documents /array/pictures polaris:mnt/

# Unmount the encrypted filesystem
ssh polaris fusermount -u mnt

# Wait for child processes to exit
wait

The initial setup is pretty simple, do a mkfifo passwd on your remote server and keyring_helper.py set <name> <server> <protocol> on your desktop. Once that's complete, your desktop should write your password from the keyring to the fifo where a remote truecrypt process will read it via stdin.

How to open multiple LUKS volumes with key entered in initramfs

You could put the password in a file and re-use that with the --key-file parameter. Using a random keyfile instead of a plaintext passphrase in that setup may be preferable.

echo -n password > pwfile
for luks in md1 md2 md3
do
    cryptsetup luksOpen --key-file=pwfile /dev/"$luks" luks"$luks"
done

Personally I used a slightly different approach with LUKS encrypted keyfiles:

In this setup, the single passphrase unlocks a keyfile store which contains random keys for various other LUKS containers. This is particularly useful for /boot on USB setups, so /boot can't be tampered with and a hardware keylogger alone is not sufficient to get the keys for the internal disks.