Remote Unlock your LUKS-encrypted Hard Drive

Updated for Ubuntu 22.04

  1. Install Software

    sudo apt update
    sudo apt -y upgrade
    sudo apt install -y busybox dropbear*
    
  2. Create and add key

    ssh-keygen -b 4096 -t rsa -f ~/luks_unlock_key -N ""
    

    then append the public key you just generated (~/luks_unlock_key.pub, or an existing one such as ~/.ssh/id_rsa.pub) to the file /etc/dropbear/initramfs/authorized_keys. Note that a plain `sudo cat ... >> file` does not work, because the redirection is performed by your unprivileged shell, so use tee:

    cat ~/luks_unlock_key.pub | sudo tee -a /etc/dropbear/initramfs/authorized_keys
    

    or, if you need to do it as root:

    sudo -i
    echo "mypublickeydata" >> /etc/dropbear/initramfs/authorized_keys
    exit
    
  3. Update config (optional)

    sudo nano /etc/dropbear/initramfs/dropbear.conf
    

    Add these options:

    • -I - idle timeout in seconds (disconnect idle sessions)
    • -j - disable local ssh port forwarding
    • -k - disable remote ssh port forwarding
    • -p - listen on port 2222
    • -s - disable password logins

    For example (the commented line shows the full set, the active line the minimal change):

    #DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"
    DROPBEAR_OPTIONS="-p 2222"
    
  4. Set Static IP (optional)

    sudo nano /etc/initramfs-tools/initramfs.conf
    

    Add a line of this form (the empty second field is the server IP, which is not needed here):

    IP=IPADDRESS::GATEWAY:NETMASK:HOSTNAME:ADAPTER

    for example:

    IP=192.168.0.100::192.168.0.1:255.255.255.0:ubuntu:enp2s0
    
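    As an added example (not part of this how-to, and not dropbear's or Ubuntu's own code), the POSIX shell helper below builds the authorized_keys line for step 2 with the key restricted to running only cryptroot-unlock (no shell, no port forwarding), and sanity-checks the IP= line from step 4 before it is written to initramfs.conf. The helper names, the constructed sample key and the /bin/cryptroot-unlock path inside the initramfs are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the how-to above: produce a locked-down
# /etc/dropbear/initramfs/authorized_keys line and sanity-check the IP=
# line before it goes into /etc/initramfs-tools/initramfs.conf.
set -e

# With these options the unlock key cannot open a shell or forward ports;
# it can only run cryptroot-unlock, so a leaked key gives no more than that.
# The path inside the initramfs is assumed; verify it with lsinitramfs.
UNLOCK_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# restrict_pubkey "<type> <base64> [comment]" -> restricted line on stdout
restrict_pubkey() {
    set -- $1                       # split the key line into its fields
    case "${1:-}" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: '${1:-}'" >&2; return 1 ;;
    esac
    [ -n "${2:-}" ] || { echo "missing key material" >&2; return 1; }
    ktype=$1; kdata=$2; shift 2
    printf '%s %s %s %s\n' "$UNLOCK_OPTS" "$ktype" "$kdata" "${*:-luks_unlock}"
}

# is_ipv4 A.B.C.D -> 0 if there are exactly four octets, each 0..255
is_ipv4() {
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# check_ip_line "IP=client::gateway:netmask:hostname:device" -> 0 if usable
check_ip_line() {
    local spec="${1#IP=}" IFS=:
    [ "$spec" != "$1" ] || { echo "line must start with IP=" >&2; return 1; }
    set -- $spec    # $1 client, $2 server (empty), $3 gateway, $4 netmask, $5 host, $6 device
    is_ipv4 "${1:-}" || { echo "bad client address: '${1:-}'" >&2; return 1; }
    is_ipv4 "${3:-}" || { echo "bad gateway: '${3:-}'" >&2; return 1; }
    is_ipv4 "${4:-}" || { echo "bad netmask: '${4:-}'" >&2; return 1; }
    [ -n "${6:-}" ]  || { echo "missing interface name" >&2; return 1; }
}

# Constructed sample input (not a real key); run stand-alone to see the result.
restrict_pubkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialXXXX user@laptop"
check_ip_line "IP=192.168.0.100::192.168.0.1:255.255.255.0:ubuntu:enp2s0" && echo "IP= line ok"
```

    Confirm the forced-command path with `lsinitramfs /boot/initrd.img-$(uname -r) | grep cryptroot-unlock` before relying on it.
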
  5. Update initramfs

    Update the initramfs so that it picks up the changes:

    sudo update-initramfs -u -k all
    
  6. Setup .ssh/config

    Dropbear (in the initramfs) and OpenSSH (in the booted system) answer on the same IP address but present different host keys, so your client would otherwise warn about a changed host key each time. To avoid that, put something like the following in your client's ~/.ssh/config:

    Host <myserver>_luks_unlock
         User root
         Hostname <myserver-ip-or-hostname>
         # Store the dropbear host key under its own alias so it does not clash with the OpenSSH key for the same IP
         HostKeyAlias <myserver>_luks_unlock
         # The unlock port defined in the dropbear config above, not the normal sshd port
         Port 2222
         PreferredAuthentications publickey
         IdentityFile /path/to/id_rsa
    Host <myserver>
         User <normalusername>
         Hostname <myserver-ip-or-hostname>
         # The normal port defined in the sshd config
         Port 22
         PreferredAuthentications publickey
         IdentityFile /path/to/id_rsa
    
  7. Connect

    Connect using:

    ssh myserver_luks_unlock
    

    Some newer ssh clients no longer accept the ssh-rsa (SHA-1) signature algorithm by default, so an RSA key may be rejected with "no mutual signature algorithm". See here: https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html

    Thus, you may need to add the following to /etc/ssh/ssh_config:

    PubkeyAcceptedKeyTypes +ssh-rsa
    

    and once you get a prompt, type the command suggested by the busybox banner:

    cryptroot-unlock
    