Decrypting boot drives remotely using dropbear

These days there is no reason not to encrypt your boot disk: I would even say that you are acting negligently if you don't.

There are moments where you cannot be physically present to decrypt a drive: for example on a server, a NAS, or a desktop PC you want to access remotely. Wouldn't it be nice to be able to ssh into your machine in order to enter the encryption password? With dropbear that's possible.

NOTE: Dropbear seems to have been very actively developed over the last couple of years - a lot of guides you will find on the internet are outdated. This article is up-to-date as of the beginning of 2019.

What you need

This article assumes an up-to-date Debian or Ubuntu system, though similar ready-to-use initramfs packages are available for other systems. All steps have been tested on Debian 10 but should work on Ubuntu in exactly the same way.

Installing dropbear

Dropbear consists of two components:

- dropbear is a very lightweight SSH server
- dropbear-initramfs is an initramfs integration for the dropbear SSH server

I have said initramfs a bunch without explaining what it does. For all intents and purposes initramfs can be thought of as a micro-system that starts before your operating system and takes care of some plumbing (such as decrypting and mounting drives).

Configuring dropbear

With dropbear-initramfs only minimal configuration is needed: the only thing you have to do in order to get everything to work is add the public key of your client device to /etc/dropbear-initramfs/authorized_keys and run sudo update-initramfs -u to update the initramfs image.

When the PC reboots, its IP address is printed to the screen. You can now connect to the system using ssh root@{YOUR_IP} and run cryptroot-unlock in order to unlock your disks.

Configuring a static IP address

Of course, looking at the screen to get the IP address defeats the purpose, so we have to make sure that the PC uses a static IP address while in initramfs. This configuration is separate from the one already present in the booted system (in /etc/network/interfaces or via NetworkManager), as it has to be available before the system is decrypted and booted.

To do that, edit /etc/initramfs-tools/initramfs.conf and add a line under the DEVICE= line:

IP=192.168.0.30:192.168.0.1:255.255.255.0::enp5s0

This line is in the format IP=ipaddress::gateway::netmask::hostname:eth; the hostname can be omitted.

After running sudo update-initramfs -u again to update the initramfs image, the PC will boot using that static IP address.

Avoid host key collisions on the client

If you regularly ssh into the machine you might notice SSH warning you about changed host keys. This is because OpenSSH and dropbear are two separate SSH servers with separate sets of host keys. Using the same host key for both is not recommended, as the initramfs is not encrypted.

To avoid host key collisions you can configure a separate known-hosts file for the unlock host in the ~/.ssh/config of your client:

Host jo-desktop-unlock
	Hostname 192.168.0.30
	User root
	UserKnownHostsFile ~/.ssh/known_hosts.initramfs

Extra: Only allow decryption

Dropbear drops you into a shell by default. The main disadvantage is that you have to remember the cryptroot-unlock command (there is no real help in the shell), which is error-prone.

Luckily, dropbear has a way of running a specific command immediately after connecting. To run the unlock command as soon as a client connects, add the following to /etc/dropbear-initramfs/config:

DROPBEAR_OPTIONS='-c cryptroot-unlock'
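The whole server-side procedure from this article (authorized key, static IP= line, DROPBEAR_OPTIONS, image rebuild) as one idempotent POSIX sh script; this is an added example, not code from the article or the dropbear project. The script name unlock-setup.sh, the client key path passed as an argument, and the lsinitramfs check that the key file and the dropbear binary landed in the new image are assumptions; the IP= value is the article's own example line.

```shell
#!/bin/sh
# Added example, not code from the article or the dropbear project: apply the
# article's server-side settings idempotently and rebuild the initramfs image.
set -eu

# Append KEY to FILE (the dropbear-initramfs authorized_keys) unless that exact
# line is already present; keep the file readable by root only.
add_authorized_key() {
    file=$1 key=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
}

# Set NAME=VALUE in the shell-style config FILE: replace an existing NAME= line,
# else insert it after the first AFTER= line (when given), else append it.
set_conf_var() {
    file=$1 name=$2 value=$3 after=${4:-}
    tmp=$(mktemp)
    if grep -q "^$name=" "$file"; then
        awk -v n="$name" -v v="$value" \
            'index($0, n "=") == 1 && !done { print n "=" v; done = 1; next } { print }' \
            "$file" > "$tmp"
    elif [ -n "$after" ] && grep -q "^$after=" "$file"; then
        awk -v n="$name" -v v="$value" -v a="$after" \
            '{ print } index($0, a "=") == 1 && !done { print n "=" v; done = 1 }' \
            "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$name" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"   # cat rather than mv keeps the file's owner and mode
    rm -f "$tmp"
}

# Read back the first NAME= value from FILE, for verification.
get_conf_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Touch the real system only when run as: sudo sh unlock-setup.sh apply ~/.ssh/id_ed25519.pub
if [ "${1:-}" = "apply" ]; then
    add_authorized_key /etc/dropbear-initramfs/authorized_keys "$(cat "$2")"
    set_conf_var /etc/initramfs-tools/initramfs.conf IP \
        '192.168.0.30:192.168.0.1:255.255.255.0::enp5s0' DEVICE   # article's example line
    set_conf_var /etc/dropbear-initramfs/config DROPBEAR_OPTIONS "'-c cryptroot-unlock'"
    update-initramfs -u
    # Assumed check: the new image must list the dropbear binary and the key file
    listing=$(lsinitramfs "/boot/initrd.img-$(uname -r)")
    [ "$(echo "$listing" | grep -cE 'sbin/dropbear$|authorized_keys$')" -ge 2 ]
fi
```

Running it a second time changes nothing, so it is safe to re-run after adding another client key.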