/notebook/ssh/remote-hd-unlock

Remote Unlock your LUKS-encrypted Hard Drive

by Dan Aukes

Updated for Ubuntu 22.04

  1. Install Software

    bash sudo apt update sudo apt -y upgrade sudo apt install -y busybox dropbear*

  2. Create and add key

    bash ssh-keygen -b 4096 -t rsa -f ~/luks_unlock_key -N=""

    then add your public key (most of the time ~/.ssh/id_rsa.pub) in the file /etc/dropbear/initramfs/authorized_keys.

    bash sudo cat ~/lucks_unlock_key.pub >> /etc/dropbear/initramfs/authorized_keys

    or, if you need to do it as root:

    bash sudo -i sudo echo "mypublickeydata" >> /etc/dropbear/initramfs/authorized_keys exit

  3. Update config (optional)

    bash sudo nano /etc/dropbear/initramfs/dropbear.conf

    Add these options:

    • -I - disconnect time
    • -j - disable local ssh port forwarding
    • -k - disable remote ssh port forwarding
    • -p - listen on port 2222
    • -s - disable password logins

    ```bash

    DROPBEAR_OPTIONS="-I 180 –j –k –p 2222 -s"

    DROPBEAR_OPTIONS="-p 2222" ```

  4. Set Static IP (optional)

    bash sudo nano /etc/initramfs-tools/initramfs.conf

    Add config:

    bash IP:IPADDRESS::GATEWAY:NETMASK:HOSTNAME:ADAPTER

    bash IP=192.168.0.100::192.168.0.1:255.255.255.0:ubuntu:enp2s0

  5. Update initramfs

    Update initramfs to take into account the changes: :

    bash sudo update-initramfs -u -k all

  6. Setup .ssh/config

    if you want to avoid to have clash between the keys between dropbear and openssh (they share the same ip, but use a different key), you may want to put in your client ~/.ssh/config something like that:

    bash Host <myserver>_luks_unlock User root Hostname <myserver-ip-or-hostname> # The next line is useful to avoid ssh conflict with IP HostKeyAlias <myserver>_luks_unlock Port 2222 #use the unlock port defined in the dropbear config above rather than the normal port defined in sshd config PreferredAuthentications publickey IdentityFile /path/to/id_rsa Host <myserver> User <normalusername> Hostname <myserver-ip-or-hostname> Port 22 #use the normal port defined in sshd config PreferredAuthentications publickey IdentityFile /path/to/id_rsa

  7. Connect

    Connect using:

    bash ssh myserver_luks_unlock

    Some newer ssh clients no longer accept RSA pubkeys. See here: https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html

    Thus, you may need to add the following to /etc/ssh/ssh_config:

    PubkeyAcceptedKeyTypes +ssh-rsa

    and once you get a prompt, type as suggested by the busybox text :

    bash cryptroot-unlock

References

Contents

Tags

About

I am an engineer and educator, having spent ten years as a professor. My goal is to help you build your knowledge of design and technology, get your hardware working, and propel your startup or small business. Get in touch!

Archives

  1. 2026-January
  2. 2025-December
  3. 2025-June
  4. 2024-May
  5. 2024-March
  6. 2024-February
  7. 2024-January
  8. 2023-December
  9. 2023-November
  10. 2023-October
  11. 2023-September
  12. 2023-August
  13. 2023-July
  14. 2023-June
  15. 2019-October

Elsewhere

  1. GitHub - danaukes
  2. GitHub - danb0b
  3. LinkedIn