These days there is no reason not to encrypt your boot disk: I would even say that you are acting negligently if you don't.
There are moments where you cannot be physically present to decrypt a drive: for example on a server, a NAS, or when you want to access your desktop PC remotely. Wouldn't it be nice to be able to ssh into the machine in order to enter the encryption password? With dropbear that is possible.
NOTE: Dropbear seems to have been very actively developed over the last couple of years - a lot of guides you will find on the internet are outdated. This article is up-to-date as of the beginning of 2019.
What you need
This article assumes an up-to-date Debian or Ubuntu system, though similar ready-to-use initramfs packages are available for other distributions. All steps have been tested on Debian 10 but should work on Ubuntu in exactly the same way.
Installing dropbear
Dropbear consists of 2 components:
dropbear is a very lightweight SSH server.
dropbear-initramfs is the initramfs integration for the dropbear SSH server.
I have said initramfs a bunch without explaining what it does. For all intents and purposes the initramfs can be thought of as a micro-system that starts before your operating system and takes care of some plumbing (such as decrypting and mounting drives). It lives in /boot, which is not encrypted; keep that in mind for everything that follows.
Configuring dropbear
With dropbear-initramfs only minimal configuration is needed: add the public key of your client device to /etc/dropbear-initramfs/authorized_keys and run sudo update-initramfs -u to update the initramfs image. The key is copied into the image, so every later change to that file needs another update-initramfs -u. (On Debian 12 and newer the dropbear-initramfs files moved to /etc/dropbear/initramfs/; the steps are otherwise the same.)
On reboot the PC's IP address will be printed to the screen. You can now connect to the system using ssh root@{YOUR_IP}, authenticating with the key you just added, and run cryptroot-unlock to unlock your disks.
Configuring a static IP-Address
Of course, looking at the screen to get the IP address defeats the purpose, so we have to make sure that the PC uses a static IP address while in the initramfs. This configuration is separate from the one already present in the booted system (in /etc/network/interfaces or via NetworkManager), as it has to be available before the system is decrypted and booted.
To do that, edit /etc/initramfs-tools/initramfs.conf and add a line below the DEVICE= line:
IP=192.168.0.30::192.168.0.1:255.255.255.0::enp5s0
This line uses the kernel's ip= syntax, IP=client-ip:server-ip:gateway:netmask:hostname:device. The server field is only used for network boot and stays empty, and the hostname can be omitted, but every separating colon must be kept: drop one and the gateway lands in the server field and the netmask in the gateway field, and the initramfs comes up without usable networking.
After running sudo update-initramfs -u again to update the initramfs image, our PC will now boot using that static IP address.
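The whole server-side procedure so far (install the package, add the client key, set the static IP, rebuild the image) as one added example script. This is not code from the original article: it uses the Debian 10 paths named above, assumes the client public key sits at ~/unlock_key.pub (a made-up path), and its functions take the files they edit as parameters so the IP= handling can be exercised on scratch files before --apply is run as root on the real system.

```shell
#!/bin/sh
# Added example (not from the original article): server-side setup helpers
# for dropbear-initramfs on Debian/Ubuntu. Each function takes its target
# files as parameters so the logic can be tried on a scratch directory
# first; run with --apply (as root) for the real thing. Paths are the
# Debian 10 ones from the article (Debian 12+ uses /etc/dropbear/initramfs/).
set -eu

# build_ip_line CLIENT GATEWAY NETMASK DEVICE [HOSTNAME]
# Prints an IP= line in the kernel's ip= field order:
#   client:server:gateway:netmask:hostname:device
# The server field stays empty: it is only meaningful for NFS/TFTP root.
build_ip_line() {
    printf 'IP=%s::%s:%s:%s:%s\n' "$1" "$2" "$3" "${5:-}" "$4"
}

# check_ip_line LINE
# Returns 0 if LINE has the right shape, 1 (reasons on stderr) otherwise.
# Catches the classic mistake of dropping the empty server field, which
# shifts the gateway into the server slot and the netmask into the gateway.
check_ip_line() {
    awk -v raw="$1" 'BEGIN {
        ok = 1
        if (raw !~ /^IP=/) { print "missing IP= prefix"; ok = 0 }
        n = split(substr(raw, 4), f, ":")
        quad = "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$"
        if (n != 6 && n != 7) { print "expected 6 or 7 colon-separated fields, got " n; ok = 0 }
        if (f[1] !~ quad) { print "client address invalid: \"" f[1] "\""; ok = 0 }
        if (f[2] != "") { print "server field should be empty, got \"" f[2] "\""; ok = 0 }
        if (f[3] != "" && f[3] !~ quad) { print "gateway invalid: \"" f[3] "\""; ok = 0 }
        if (f[4] !~ quad) { print "netmask invalid: \"" f[4] "\""; ok = 0 }
        if (f[6] == "") { print "device name (e.g. enp5s0) is empty"; ok = 0 }
        exit (ok ? 0 : 1)
    }' 1>&2
}

# set_initramfs_ip CONF LINE
# Writes LINE directly below the DEVICE= line of CONF, replacing any IP=
# line already present, so the function can be re-run safely. The file is
# rewritten in place (cat, not mv) to keep its owner and mode.
set_initramfs_ip() {
    conf=$1; line=$2
    check_ip_line "$line" || return 1
    tmp=$(mktemp)
    awk -v ipline="$line" '
        /^IP=/ { next }
        { print }
        /^DEVICE=/ { print ipline; placed = 1 }
        END { if (!placed) print ipline }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"; rm -f "$tmp"
}

# install_unlock_key AUTHKEYS PUBKEY_FILE
# Appends the client's public key to the initramfs authorized_keys
# (root-only readable) unless that exact line is already there.
install_unlock_key() {
    authkeys=$1; pub=$2
    key=$(cat "$pub")
    mkdir -p "$(dirname "$authkeys")"
    touch "$authkeys"; chmod 600 "$authkeys"
    grep -qxF "$key" "$authkeys" || printf '%s\n' "$key" >> "$authkeys"
}

# apply: the real sequence on a Debian/Ubuntu host (needs root).
apply() {
    apt-get install -y dropbear-initramfs          # pulls in the dropbear server
    install_unlock_key /etc/dropbear-initramfs/authorized_keys "$HOME/unlock_key.pub"
    set_initramfs_ip /etc/initramfs-tools/initramfs.conf \
        "$(build_ip_line 192.168.0.30 192.168.0.1 255.255.255.0 enp5s0)"
    update-initramfs -u
    # Confirm the key and the server really ended up inside the image.
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -E 'authorized_keys|sbin/dropbear'
}

if [ "${1-}" = "--apply" ]; then
    apply
fi
```

Run it without arguments to load the functions only; `sh setup.sh --apply` performs the real installation. The lsinitramfs check at the end is the one worth keeping in your notes: if the key is not listed in the image, dropbear in the initramfs will not accept it, no matter what /etc says.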
Avoid host key collisions on the client
If you regularly ssh into the machine you might notice SSH warning you about changed host keys. This is because OpenSSH (in the booted system) and dropbear (in the initramfs) are 2 separate SSH servers on the same address, each with its own set of host keys. Using the same key for both is not recommended, as the initramfs is not encrypted: anyone who can read the /boot partition can read the initramfs host key, so it deserves less trust than the key on the encrypted disk. Before trusting the initramfs server for the first time, compare the fingerprint ssh shows you with the one printed by dropbearkey -y -f for the dropbear_*_host_key files in /etc/dropbear-initramfs/ on the machine itself.
To keep the two servers apart, configure a separate known_hosts file for the initramfs server in the ~/.ssh/config of your client:
Host jo-desktop-unlock
    Hostname 192.168.0.30
    User root
    UserKnownHostsFile ~/.ssh/known_hosts.initramfs
Extra: Only allow decryption
Dropbear drops you into a shell by default. The main disadvantage is that you have to remember the cryptroot-unlock command (there is no real help in the shell), which is error prone. It also means that whoever holds the client key gets a root shell in the initramfs, not just an unlock prompt.
Luckily dropbear has a way of running a specific command immediately after connecting: with -c it ignores whatever the client asks for and runs the forced command for every connection. To run the unlock command as soon as a client connects, add the following to /etc/dropbear-initramfs/config and rebuild the image with sudo update-initramfs -u, since the config is copied into the initramfs as well:
DROPBEAR_OPTIONS='-c cryptroot-unlock'
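The forced-command setting above, alongside the extra dropbear server flags a practitioner would normally add, as an added example that is not code from the original article. The option string and the audit function are this example's own choices: -s disables password logins, -j and -k disable local and remote port forwarding, -I 60 drops idle sessions, and -c cryptroot-unlock is the article's forced command. It edits the Debian 10 config path from the article; the file is plain shell syntax that the dropbear-initramfs hook sources when the image is built.

```shell
#!/bin/sh
# Added example (not from the original article): write a locked-down
# DROPBEAR_OPTIONS line and audit an existing dropbear-initramfs config.
# The flags are dropbear's documented server options; everything beyond
# "-c cryptroot-unlock" is this example's own hardening choice.
set -eu

# The starting point the article describes: no options, so a connecting
# key holder gets an interactive root shell inside the initramfs.
WEAK_OPTIONS=''
# Hardened: forced command (no shell), no password auth, no port
# forwarding in either direction, idle sessions dropped after 60 s.
HARDENED_OPTIONS='-I 60 -j -k -s -c cryptroot-unlock'

# audit_options "OPTS"
# Prints the safeguards missing from OPTS and returns 1 if any are missing.
audit_options() {
    opts=" $1 "
    missing=''
    case $opts in *' -c cryptroot-unlock '*) ;; *) missing="$missing -c(forced-command)" ;; esac
    case $opts in *' -s '*) ;; *) missing="$missing -s(no-password-logins)" ;; esac
    case $opts in *' -j '*) ;; *) missing="$missing -j(no-local-forwarding)" ;; esac
    case $opts in *' -k '*) ;; *) missing="$missing -k(no-remote-forwarding)" ;; esac
    case $opts in *' -I '[0-9]*) ;; *) missing="$missing -I(idle-timeout)" ;; esac
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# read_options CONF
# Prints the value of the (last) DROPBEAR_OPTIONS= line without its quotes.
# Commented-out lines such as #DROPBEAR_OPTIONS="" are ignored.
read_options() {
    sed -n 's/^DROPBEAR_OPTIONS=//p' "$1" | sed -e "s/^['\"]//" -e "s/['\"]\$//" | tail -n 1
}

# write_options CONF OPTS
# Replaces the DROPBEAR_OPTIONS= line in CONF (or appends one), keeping
# every other line and the file's owner/mode; safe to run repeatedly.
write_options() {
    conf=$1; opts=$2
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp)
    awk -v line="DROPBEAR_OPTIONS='$opts'" '
        /^DROPBEAR_OPTIONS=/ { if (!done) print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"; rm -f "$tmp"
}

# apply: harden the real config and rebuild the image (needs root).
apply() {
    write_options /etc/dropbear-initramfs/config "$HARDENED_OPTIONS"
    audit_options "$(read_options /etc/dropbear-initramfs/config)"
    update-initramfs -u    # the config is baked into the image; without this nothing changes
}

if [ "${1-}" = "--apply" ]; then
    apply
fi
```

After a reboot, `ssh jo-desktop-unlock` should present the passphrase prompt straight away and close the connection once the disk is unlocked; if you still land in a BusyBox shell, the image was not rebuilt after editing the config.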