Ubuntu guide: Dropbear SSH server to unlock LUKS encrypted PC

This guide explains how to unlock a LUKS encrypted ubuntu system via SSH. This is convenient if in example you want to turn on a server but don’t have a keyboard and screen attached to it. Or if you don’t have physical access to it. I assume that you know already how to set up an OpenSSH server and you know how to activate/deactivate public key login. Else read Ubuntu Help: OpenSSH Server and check more online resources.

This guide was tested with ubuntu 18.04 and ubuntu 17.10.

To connect from Windows, I used ssh from bash (if you install Git for Windows you get bash).

Open a terminal and install dropbear and busybox:

sudo apt install dropbear busybox

You will get a warning here as it completes: dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won’t work!, just ignore it for now.

Activate BUSYBOX and DROPBEAR in initramfs

sudo nano /etc/initramfs-tools/initramfs.conf

Change BUSYBOX=auto  to option to BUSYBOX=y  and add (below it or at the end of the file) this line:

DROPBEAR=y

Browse to the /etc/dropbear-initramfs/ directory, which includes all the dropbear configurations needed to be included in the initramfs:

cd /etc/dropbear-initramfs/

Note: host keys are already present, as they were automatically generated during the installation of the dropbear package, so there is no need to create new ones as other guides tell you to do. Just convert the rsa one, as follows:

sudo /usr/lib/dropbear/dropbearconvert dropbear openssh dropbear_rsa_host_key id_rsa
sudo dropbearkey -y -f dropbear_rsa_host_key |grep "^ssh-rsa " > id_rsa.pub

Add your client public key to the authorized_keys. If you are logged to your machine via SSH, and your public key is already in your authorized_keys file, you can copy the existing authorized_keys file, as follows:

cp ~/.ssh/authorized_keys .

Else you can add a public key as follows: sudo echo your public key >> authorized_keys 

Set dropbear to start:

sudo nano /etc/default/dropbear

Change NO_START=1  to NO_START=0 

In dropbear, use a different port from the one you are using in your host, so you won’t get the annoying “man in the middle attack” warning in your ssh client that will notice that the host has different keys. Different ports are considered different hosts, so you won’t get any warning at all. I’ve seen other complicated solutions to avoid the warning, but I think that using a different port is the easiest and most elegant solution.

sudo nano /etc/dropbear-initramfs/config

Uncomment the DROPBEAR_OPTIONS  line and add the option to specify the port. In this example I use port 21. Use the port you desire.

DROPBEAR_OPTIONS="-p 21"

Now add the script that will be needed to actually unlock your LUKS partition:

sudo nano /etc/initramfs-tools/hooks/crypt_unlock.sh

Copy and paste the contents from gusennan’ sh script in the file (or copy the text from the raw file), then give it executable rights:

sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Update initramfs:

sudo update-initramfs -u

Disable the dropbear service on boot, so it won’t interfere with your openssh server:

sudo systemctl disable dropbear

ImportantI had to update grub and disable the splash screen, because with splash active, after connecting to dropbear and typing unlock the screen was blocked and I could not enter the LUKS password.

sudo nano /etc/default/grub

In the GRUB_CMDLINE_LINUX_DEFAULT line, replace "quiet slash"  with "quiet" , as follows:

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

Save and update grub:

sudo update-grub

Reboot your server:

sudo reboot

Try to connect to your machine. You must use the root user, and specify the port you configured in the previous step:

ssh root@YOURSERVER -p 21

Once connected you will see something like this:

Warning: Permanently added '[YOURSERVER]:22,[YOURIP]:22' (ECDSA) to the list of known hosts.
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`
To unlock root-partition run unlock

BusyBox v1.22.1 (Ubuntu 1:1.22.0-19ubuntu2) built-in shell (ash)
Enter 'help' for a list of built-in commands.

type unlock , insert your LUKS password, if everything worked correctly your partition will decrypt and your machine will boot. You will see this:

...a bunch of other info...
Connection to 192.168.0.xx closed.

Give it time to boot, then you can finally ssh into your linux box, as usual.

Encrypted HOME directory

If not only your partition is encrypted, but also your home directory, you won’t be able to login with your public key, as the public key is saved in ~/.ssh/authorized_keys , which is encrypted.

To solve this, follow Stephen’s Encrypted Home directories + SSH Key Authentication guide.

Troubleshooting

If you get this error when you try to connect to your server, it’s because you didn’t follow my advise to change port in dropbear:

ssh root|youruser@YOURSERVER
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@	WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! 	@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:m/************/****.
Please contact your system administrator.
Add correct host key in /home/youruser/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/youruser/.ssh/known_hosts:12
  remove with:
  ssh-keygen -f "/home/youruser/.ssh/known_hosts" -R "YOURSERVER"
ECDSA host key for YOURSERVER has changed and you have requested strict checking.
Host key verification failed.

I still prefer my solution, but if you insist on using the same port, here a few nerdy solutions:

Solution 1, works like a charm in linux, but not really on bash on windows.

Solution 2, provide some command line hack to avoid the warning:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no youruser|root@YOURHOST -p YOURPORT

Credits

This guide was inspired by: https://oliverviebrooks.com/2017/12/05/unlocking-luks-volumes-without-local-access/

Thanks also to Stephen (link above) for his encrypted home directories solution.

I hope that this guide was helpful for you, if so, consider buying a gadget at banggood using my referral link. Like this (comparing to a donation) we both benefit, you get a gadget that may be useful for you and I get something too (a little commission, but the price for you is the same).

3 thoughts on “Ubuntu guide: Dropbear SSH server to unlock LUKS encrypted PC

  1. Loser

    It seems that instruction assumes that the client is also Linux and have SSH. What if the server is a fresh install and the client is Windows + Putty? A little bit details instruction for that set-up will be helpful.

    > Else you can add a public key as follows: sudo echo “your public key” >> authorized_keys

    Is not so helpful. When I tried to reboot, I could connect to the Ubuntu server from Windows + Putty, but it did not accept password but require a public key.

    Reply
  2. Loser

    Never mind. I managed to solve it myself. It was annoying but I did. God, I hate the crappy UI of Putty, but oddly, there has been no free alternative to Putty, and everyone just seems to use Putty.

    The key file format that Putty generates and that DropBear expects is different. So, I created the key files from Putty and then copied it to the Ubuntu server. Of course, Dropbear did not recognise it first, so I did some experiments. I had to remove the first —-.. and last —-… lines, remove all the line breakings, and remove the comment. Basically the key format Dropbear accepted was,

    ssh-rsa KEY-BINARY-IN-ONE-LINE

    Reply
    1. Paolo Brocco Post author

      Hi loser, sorry if my guide was not loser friendly, but happy you figured it out 😉
      Jokes aside, from Windows I didn’t mention it (but now I updated the guide), but you can actually use ssh from bash. If you install git for windows you get bash and ssh included in the package, no need for putty. I mean if you hate the putty UI so much, why do you even use it? I also don’t like putty and in fact I don’t use it, so of course I’m not covering it in my guide.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *