There are many guides out there that show how you can use dropbear-initramfs to remotely unlock a Linux server with an encrypted drive via SSH. The thing is, however, that this only works when you have encrypted your root filesystem. This is usually your best option, but sometimes you are setting up a VM on a platform where that is simply not possible.

In such cases, your best option is likely to store your sensitive data inside a file that acts as an encrypted “virtual drive”. Here, dropbear-initramfs fails because the system swiftly boots into its unencrypted root filesystem and then jumps straight into Systemd. Therefore, we will instead need to run Dropbear as a Systemd service to achieve similar functionality.

This guide briefly describes how that can be achieved on Ubuntu Server 24.04 LTS, but similar steps should work on other distros too.

Set Up SSH Access

First we’ll want to add an SSH key to our VM in order to simplify logging in as root. The following steps have been adapted from https://blog.gradiian.io/migrating-to-cockpit-part-i.

Run the following on your local machine to generate a new key:

ssh-keygen -t ed25519 -f ~/.ssh/unlock_dropbear
scp ~/.ssh/unlock_dropbear.pub user@10.10.24.10:

Then SSH into the remote machine and save the key there:

ssh user@10.10.24.10
sudo su
mkdir -p -m 700 /root/.ssh
cat /home/user/unlock_dropbear.pub >> /root/.ssh/authorized_keys
exit

Create An Encrypted Drive

The following steps have been adapted from https://opensource.com/article/21/4/linux-encryption.

Run the following commands on the remote machine to create a 30 GiB (or whatever size you need) “loop device” that will be used as our encrypted drive:

# Run these from /home/user, the location referenced by /etc/crypttab below
dd if=/dev/urandom of=vaultfile.img bs=1G count=30
sudo cryptsetup --verify-passphrase luksFormat vaultfile.img
sudo cryptsetup open --type luks vaultfile.img vault
sudo mkfs.ext4 -L vault /dev/mapper/vault
sudo mkdir -p /mnt/vault
sudo mount /dev/mapper/vault /mnt/vault

Unlock The Drive During Startup

Append the following to the two specified files to automatically unlock the encrypted drive during startup:

/etc/crypttab

vault   /home/user/vaultfile.img    none    luks,noauto

This will ensure that Systemd tries to unlock our volume automatically.

/etc/fstab

/dev/mapper/vault       /mnt/vault      ext4    defaults,nofail 0 2

This will ensure that Systemd mounts the volume after unlocking it. The volume will be mounted at “/mnt/vault” so any files you place in that directory will be encrypted (if the mounting process succeeds).

Run Dropbear During Startup

Create the following two files with the specified contents so that we have Dropbear available during startup:

/etc/systemd/system/dropbear-early.service

[Unit]
Description=Start Dropbear to allow for vault volume unlocking
DefaultDependencies=no
After=network.target
Requires=network.target
Before=systemd-cryptsetup@vault.service
Conflicts=dropbear.service

[Service]
ExecStart=/usr/sbin/dropbear -p 2222 -F -c systemd-tty-ask-password-agent
Restart=on-failure
RestartSec=1s
TimeoutSec=600

[Install]
WantedBy=sysinit.target

This will ensure that Dropbear is launched early in the startup process so that you have a way to remotely enter your drive unlock passphrase via SSH. Since we pass “-c systemd-tty-ask-password-agent”, Dropbear forces that command for every login, so this SSH session can do nothing else. Also note that we are running Dropbear on port 2222 so that it does not clash with the normal SSH server that will want to listen on port 22.

/etc/systemd/system/dropbear-cleanup.service

[Unit]
Description=Stop Dropbear after successful vault volume unlock
After=systemd-cryptsetup@vault.service
Requires=systemd-cryptsetup@vault.service

[Service]
Type=oneshot
ExecStart=/bin/systemctl stop dropbear-early.service

[Install]
WantedBy=multi-user.target

This will ensure that the Dropbear server is stopped after we have unlocked the drive, since it is no longer needed at this point. This should save some resources, but more importantly, it will reduce the attack surface of your system.

Now run the following commands to set up these services:

sudo apt-get install dropbear
sudo systemctl disable dropbear
sudo update-initramfs -u
# Make Systemd pick up the two new unit files before enabling them
sudo systemctl daemon-reload
sudo systemctl enable dropbear-early
sudo systemctl enable dropbear-cleanup

Here it is important to disable the default dropbear.service since it will clash with the standard ssh.service.
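Before rebooting, it is worth confirming that /etc/crypttab, /etc/fstab and the two unit files agree on the mapper name, since a wrong systemd-cryptsetup@NAME.service instance or a missing nofail only shows up as a hung or unreachable boot. The script below is an added example, not part of the original guide; it assumes the file locations and the mapper name “vault” used above.

```shell
#!/bin/sh
# Added example (not from the original guide): check that /etc/crypttab,
# /etc/fstab and the two Dropbear units all agree on one mapper NAME.
# Usage: check_vault_setup NAME CRYPTTAB FSTAB EARLY_UNIT CLEANUP_UNIT
# Prints every problem found; returns 0 only if the four files are consistent.
check_vault_setup() {
    name=$1 crypttab=$2 fstab=$3 early=$4 cleanup=$5
    errors=0
    fail() { echo "FAIL: $1"; errors=$((errors + 1)); }
    # crypttab: "NAME /abs/path/to/backing-file none luks,..." must be present.
    ct_line=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    if [ -z "$ct_line" ]; then
        fail "no crypttab entry named $name"
    else
        backing=$(printf '%s\n' "$ct_line" | awk '{ print $2 }')
        case $backing in
            /*) ;;
            *) fail "crypttab backing file '$backing' is not an absolute path" ;;
        esac
        printf '%s\n' "$ct_line" | awk '{ print $4 }' | tr ',' '\n' | grep -qx luks \
            || fail "crypttab entry for $name lacks the luks option"
    fi

    # fstab: the mapped device must carry nofail, otherwise a skipped or failed
    # unlock drops the machine into emergency mode instead of finishing the boot.
    fs_opts=$(awk -v d="/dev/mapper/$name" '$1 == d { print $4; exit }' "$fstab")
    if [ -z "$fs_opts" ]; then
        fail "no fstab entry for /dev/mapper/$name"
    else
        printf '%s\n' "$fs_opts" | tr ',' '\n' | grep -qx nofail \
            || fail "fstab entry for /dev/mapper/$name lacks nofail"
    fi

    # Units: both must name the cryptsetup instance for this NAME, or Dropbear
    # would start too late to take the passphrase, or never be stopped afterwards.
    unit="systemd-cryptsetup@$name.service"
    grep -qx "Before=$unit" "$early" \
        || fail "$early does not order itself Before=$unit"
    grep -qx "Requires=$unit" "$cleanup" \
        || fail "$cleanup does not Requires=$unit"
    [ "$errors" -eq 0 ]
}

# Run against the live system when invoked as: sh check_vault_setup.sh live
if [ "${1:-}" = live ]; then
    check_vault_setup vault /etc/crypttab /etc/fstab \
        /etc/systemd/system/dropbear-early.service \
        /etc/systemd/system/dropbear-cleanup.service && echo "vault setup OK"
fi
```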

Remote Unlocking

Now after rebooting the remote machine you can unlock the remote drive by running the following on your local machine:

ssh -i ~/.ssh/unlock_dropbear -p 2222 root@10.10.24.10

After typing the passphrase, the SSH session will end and the system will finish booting. After a few moments, you can then log in as your own user on the standard SSH port again.

Extra Security

Here we have set things up so that you can SSH into Dropbear as root. This is the simplest solution, but if you prefer the additional security of not allowing root login via SSH, you can also use a different user than root. In this case, you will need to “sudo” to be able to run “systemd-tty-ask-password-agent” though, so dropbear-early.service would need to be modified accordingly. Alternatively, you could opt to only disallow login for the root user on the standard SSH server.
