Remotely Unlock Fully Encrypted Debian Squeeze

Author: Stephan Jau

Introduction

In the past I have written several howtos for remotely unlocking fully encrypted Debian installations. With the advent of Debian Squeeze, the developers have integrated a simple way to do so. Most of it is provided directly by Debian itself - meaning you don't need 3rd party scripts anymore. However, it still involves a few steps, which I describe below. I also provide a bash script that performs all the steps automatically. I recommend testing the individual steps and the script in a VM first to see how it goes.
1. Install Necessary Packages

apt-get install dropbear busybox
2. Edit /etc/initramfs-tools/initramfs.conf

Set the following parameters to the values below:

BUSYBOX=y
DROPBEAR=y
DEVICE=eth0
IP=10.0.0.99::10.0.0.1:255.255.255.0::eth0:off

Of course, select the network device you want to connect to and set your IP address, gateway and subnet mask accordingly. These settings only take effect during boot, so that the dropbear SSH server can be reached. If your machine normally uses IP address 10.0.0.43, you can still set 10.0.0.99 here: the .99 address is then only used for remote unlocking, and once the system is unlocked and the normal boot process continues, it uses its real address. However, I prefer to always use the same IP address.
3. Create Host Keys In /etc/initramfs-tools/etc/dropbear/

Upon installation, dropbear should have created the host keys. However, to make sure they really exist, we remove the existing ones and recreate them.

rm /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
4. Create Private And Public Keys

For authenticating with dropbear we create a new pair of private and public keys, so they don't get mixed up with the ones used once the system is booted.

rm -Rf /etc/initramfs-tools/root/.ssh

In this example you can see that I named them "reboot". You can choose any name for them; you just have to alter everything else accordingly. In the provided bash script you can set a prefix to name them as you wish. I suggest using the hostname as the prefix, so you know which keypair belongs to which machine.
5. Update initramfs

update-initramfs -u
6. SCP The Private Key To The Local Machine

On your local machine (not the encrypted remote machine), run the following command:

scp root@REMOTE:/root/reboot/reboot_rsa ~/.ssh/

That copies the previously generated private key to your local machine. You need the private key to unlock the remote machine after a reboot.
7. Create Unlock Script On Local Machine

Create a local shell script with the following content. Of course, replace YOURENCRYPTIONPASSWORD with the actual password that unlocks the remote machine.

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.reboot" -i ~/.ssh/reboot_rsa root@REMOTE "echo -ne \"YOURENCRYPTIONPASSWORD\" >/lib/cryptsetup/passfifo"
8. Test It

Now the REMOTE encrypted machine is prepared, the private key is stored on your local machine, and you have a little script that logs into the remote machine and hands it the LUKS password. Reboot the remote encrypted machine and, when it asks for the encryption password, run the script created in step 7 on your local machine. To read more about this mechanism, see /usr/share/doc/cryptsetup/README.remote.gz.
Bash Script

As mentioned at the beginning, I also provide a bash script that performs all the steps. Simply download the attached bash script, put it onto your encrypted Debian machine, edit the top part to set your prefix, network device and network settings, save it, make it executable and run it as root.

Bash script: debian_crypto
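The following script is an added example written for this page; it is not the author's attached debian_crypto script and not code from the Debian project. It carries out steps 1 to 5 above on the encrypted machine (package install, initramfs.conf edit, dropbear host key regeneration, a dedicated unlock keypair, initramfs rebuild) and also renders the local-side unlock script from step 7. It assumes the Squeeze paths used in the howto, the dropbearkey and ssh-keygen tools, and placeholder network values in IP_CONF; the key prefix defaults to the hostname as the text suggests. Two differences from the one-liner in step 7 are deliberate: the LUKS passphrase is read from the terminal when the unlock script runs instead of being stored in the file, and it is sent over ssh's stdin instead of on the remote command line, so it does not appear in shell history or process listings.

```bash
#!/bin/bash
# Added example for this howto (not the attached debian_crypto script):
# prepare dropbear-in-initramfs remote unlocking on Debian Squeeze.
# Assumptions: run as root on the encrypted machine, Squeeze default paths,
# placeholder network values below. Apply with: sh setup_remote_unlock.sh --apply
set -eu

PREFIX="${PREFIX:-$(hostname 2>/dev/null || echo host)}"   # key name prefix ("reboot" in the howto)
DEVICE="${DEVICE:-eth0}"
IP_CONF="${IP_CONF:-10.0.0.99::10.0.0.1:255.255.255.0::eth0:off}"   # constructed placeholder
INITRAMFS_CONF="/etc/initramfs-tools/initramfs.conf"
DROPBEAR_DIR="/etc/initramfs-tools/etc/dropbear"
INITRAMFS_SSH="/etc/initramfs-tools/root/.ssh"
KEY_DIR="/root/$PREFIX"

# set_conf_param FILE KEY VALUE: set KEY=VALUE in a shell-style config file,
# replacing an existing (possibly commented-out) line or appending if absent.
set_conf_param() {
    file=$1; key=$2; value=$3
    if grep -qE "^#?${key}=" "$file"; then
        sed -i -r "s|^#?${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# regenerate_host_keys: remove the packaged dropbear host keys and recreate
# them, so the initramfs is guaranteed to carry a usable host key (step 3).
regenerate_host_keys() {
    rm -f "$DROPBEAR_DIR/dropbear_dss_host_key" "$DROPBEAR_DIR/dropbear_rsa_host_key"
    dropbearkey -t dss -f "$DROPBEAR_DIR/dropbear_dss_host_key"
    dropbearkey -t rsa -f "$DROPBEAR_DIR/dropbear_rsa_host_key"
}

# create_unlock_keypair: a keypair used only for the initramfs dropbear, kept
# apart from keys that are valid on the fully booted system (step 4).
# Drop -N '' to protect the private key with a passphrase of its own.
create_unlock_keypair() {
    rm -rf "$INITRAMFS_SSH"
    mkdir -p "$KEY_DIR" "$INITRAMFS_SSH"
    chmod 700 "$KEY_DIR" "$INITRAMFS_SSH"
    ssh-keygen -t rsa -N '' -f "$KEY_DIR/${PREFIX}_rsa"
    cp "$KEY_DIR/${PREFIX}_rsa.pub" "$INITRAMFS_SSH/authorized_keys"
}

# render_unlock_script REMOTE_IP: print the local-side script of step 7.
# The passphrase is typed at run time and piped over stdin into the FIFO
# that cryptsetup's askpass reads during boot.
render_unlock_script() {
    remote=$1
    cat <<EOF
#!/bin/sh
# Unlock $remote: hand the LUKS passphrase to /lib/cryptsetup/passfifo
stty -echo; printf 'LUKS passphrase for $remote: '; read -r pass; stty echo; echo
printf '%s' "\$pass" | ssh -o "UserKnownHostsFile=\$HOME/.ssh/known_hosts.$PREFIX" \\
    -i "\$HOME/.ssh/${PREFIX}_rsa" "root@$remote" 'cat >/lib/cryptsetup/passfifo'
EOF
}

main() {
    apt-get install -y dropbear busybox                       # step 1
    set_conf_param "$INITRAMFS_CONF" BUSYBOX y                # step 2
    set_conf_param "$INITRAMFS_CONF" DROPBEAR y
    set_conf_param "$INITRAMFS_CONF" DEVICE "$DEVICE"
    set_conf_param "$INITRAMFS_CONF" IP "$IP_CONF"
    regenerate_host_keys                                       # step 3
    create_unlock_keypair                                      # step 4
    update-initramfs -u                                        # step 5
    render_unlock_script "${IP_CONF%%:*}" > "$KEY_DIR/unlock_${PREFIX}.sh"
    echo "Done. Copy $KEY_DIR/${PREFIX}_rsa and $KEY_DIR/unlock_${PREFIX}.sh to your local machine."
}

# Only change the system when explicitly asked, so the file can be inspected
# or sourced without side effects.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as root with `--apply`, then copy the private key and the generated unlock script to the local machine (step 6). Because the initramfs dropbear has its own host key, the first connection prompts you to confirm it; the fingerprint can be checked beforehand with `dropbearkey -y -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key` on the remote machine, and the separate known_hosts file keeps it from clashing with the host key of the fully booted system.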