Unlocking Rootfs encryption over SSH

From Gentoo Wiki

If you have followed Rootfs encryption and would like to unlock the root device remotely, you can do so using Dropbear.

This document assumes you have configured encryption using Dracut with systemd and that you boot with GRUB.

Installation

Emerge

Install dropbear

root #emerge --ask net-misc/dropbear

Configure dropbear

Generate the dropbear server host keys

root #dropbear -R

Edit /etc/dropbear/authorized_keys with the SSH public key(s) you will use to access the machine.

Dracut module

Create the module directory

root #mkdir /usr/lib/dracut/modules.d/50dropbear

Create the script which starts dropbear; replace 2222 with your port of choice. The heredoc delimiter is quoted so the script is written to disk exactly as shown.

root #cat <<'EOT' > /usr/lib/dracut/modules.d/50dropbear/dropbear-init.sh
#!/bin/sh
# Start dropbear inside the initramfs: log to stderr (-E), disable password
# logins (-s), disable local (-j) and remote (-k) port forwarding, listen on 2222 (-p).
echo "Starting Dropbear SSH server..."
dropbear -E -s -j -k -p 2222 &
EOT

Create the script used to unlock the disks. Quote the heredoc delimiter so that the $(...) and $f expansions end up in the script instead of being evaluated by the shell now.

root #cat <<'EOT' > /usr/lib/dracut/modules.d/50dropbear/unlock.sh
#!/bin/sh
# Find the systemd units still waiting for a passphrase and start them.
# --plain/--no-legend drop the status-marker column and header, so the unit
# name is always the first field. systemctl start attaches to the pending job
# and acts as the password agent for this terminal, so the passphrase prompt
# appears in the SSH session.
for f in $(systemctl list-units --no-legend --plain | awk '/systemd.*activating/ {print $1}')
do
    systemctl start "$f"
done
EOT

Create the script which will configure the module. Quote the heredoc delimiter so that $moddir is written literally; dracut sets it when it sources module-setup.sh.

root #cat <<'EOT' > /usr/lib/dracut/modules.d/50dropbear/module-setup.sh
#!/bin/bash

# Always include this module when dracut builds the initramfs.
check() {
    return 0
}

# The network must be brought up in the initramfs before dropbear can listen.
depends() {
    echo "network"
}

install() {
    inst dropbear
    # Only the keys in this file can log in; password logins are disabled by -s.
    inst /etc/dropbear/authorized_keys /root/.ssh/authorized_keys
    inst /etc/dropbear/dropbear_ecdsa_host_key /etc/dropbear/dropbear_ecdsa_host_key
    inst /etc/dropbear/dropbear_ed25519_host_key /etc/dropbear/dropbear_ed25519_host_key
    inst /etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
    inst /usr/lib/dracut/modules.d/50dropbear/unlock.sh /bin/unlock
    # Start dropbear from the initqueue once the network is up.
    inst_hook initqueue 50 "$moddir/dropbear-init.sh"
}
EOT

Update the initramfs

root #dracut --force

Grub

Edit /etc/default/grub and add the network parameters to the kernel command line. This assumes rd.luks.uuid is already present from Rootfs encryption.

FILE /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.uuid=fbb4fc25-3fa7-4ff7-aeca-b867be758f80 rd.neednet=1 ip=xxx.xxx.xxx.xxx::yyy.yyy.yyy.yyy:zzz.zzz.zzz.zzz::eno1:none"

Replace xxx.xxx.xxx.xxx with the IP address of the machine, yyy.yyy.yyy.yyy with the gateway IP and zzz.zzz.zzz.zzz with the subnet mask. Replace eno1 with your network interface name. rd.neednet=1 makes dracut bring the network up even though the root device is local.
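As an added check that is not part of the original page, the following POSIX sh helper parses the ip= argument above into its seven fields, flags placeholders that were left in, and confirms the gateway lies inside the subnet given by the netmask. The function names and the sample addresses are constructed for this example.

```sh
#!/bin/sh
# Sanity-check the dracut ip= argument before running grub-mkconfig.
# Hypothetical helper written for this page; not part of the wiki, dracut or GRUB.
# Field order, from dracut.cmdline(7):
#   ip=<client-IP>:<peer>:<gateway-IP>:<netmask>:<hostname>:<interface>:<autoconf>

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# ip2int ADDR: print the dotted quad as a 32-bit integer for netmask arithmetic.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_ip_arg CMDLINE: pull the ip= token out of a kernel command line and reject
# leftover placeholders, bad addresses, a missing rd.neednet=1 or an off-subnet gateway.
check_ip_arg() {
    case " $1 " in
        *" rd.neednet=1 "*) ;;
        *) echo "rd.neednet=1 missing: dracut will not bring the network up" >&2; return 1 ;;
    esac
    _arg=
    for _tok in $1; do
        case "$_tok" in ip=*) _arg=${_tok#ip=} ;; esac
    done
    [ -n "$_arg" ] || { echo "no ip= argument found" >&2; return 1; }
    _ifs=$IFS; IFS=:; set -- $_arg; IFS=$_ifs
    [ $# -eq 7 ] || { echo "ip= needs 7 colon-separated fields, got $#" >&2; return 1; }
    case "$7" in
        none|off) ;;
        *) echo "autoconf must be none or off for a static address, got '$7'" >&2; return 1 ;;
    esac
    [ -n "$6" ] || { echo "interface field is empty" >&2; return 1; }
    for _f in "$1" "$3" "$4"; do
        is_ipv4 "$_f" || { echo "'$_f' is not an IPv4 address (placeholder left in?)" >&2; return 1; }
    done
    _m=$(ip2int "$4")
    [ $(( $(ip2int "$1") & $_m )) -eq $(( $(ip2int "$3") & $_m )) ] \
        || { echo "gateway $3 is not inside $1/$4" >&2; return 1; }
    echo "client=$1 gateway=$3 netmask=$4 interface=$6"
}
```

Run it as check_ip_arg "$GRUB_CMDLINE_LINUX_DEFAULT" after sourcing /etc/default/grub; a non-zero exit means the initramfs would come up without a reachable address.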

Update the grub config

root #grub-mkconfig -o /boot/grub/grub.cfg

Usage

SSH into the machine

user $ ssh -p 2222 root@xxx.xxx.xxx.xxx

Then unlock the drive

root #unlock
-sh-5.2# unlock
🔐 Please enter passphrase for disk DISK (luks-fbb4fc25-3fa7-4ff7-aeca-b867be758f80): (press TAB for no echo)

Dropbear will automatically close the connection once the passphrase is accepted.