A problem that I've spent some time thinking about is how to conduct reboots of a server that has its boot disk encrypted using LUKS FDE. This is one of the solutions I've come up with. The general idea is as follows:
- Configure the server with DropbearSSH which allows the server to be accessible via SSH when it is booting up but before the disk is decrypted.
- Write a script that SSHs into the server and sends it the password (which is piped in from a CLI password manager like
pass) - Combine the script with an incantation that SSHs into the server to send it a reboot command, and then execute the script. This will give you a one-liner you can use, particularly with something like
navi.
DropBearSSH Setup #
Reference: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/
Dropbear SSH is an embedded implementation of SSH which allows it to be loaded into initramfs on boot and begin serving on port 22 despite the root partition having not yet been decrypted.
To install it, we use:
1sudo apt update
2sudo apt upgrade
3sudo apt install dropbear-initramfs
Then, you will want to add the public SSH keys authorized to log in to the /etc/dropbear/initramfs/authorized_keys file.
Next, you'll want to create the file /etc/dropbear/initramfs/dropbear.conf and put in the following contents:
DROPBEAR_OPTIONS="-I 300 -j -k -p 22 -s -c cryptroot-unlock"
This will ensure that Dropbear is running on port 22, and that the command cryptroot-unlock is the one being executed automatically when someone logs in. This means Dropbear will only be used to decrypt the root partition and then the logged in user will be booted out.
Next, you need to open up /etc/initramfs-tools/initramfs.conf in your favorite text editor and add the following line (or replace it, if a line starting with IP= already exists):
...
IP=<SERVER-IP>::<GATEWAY-IP>:255.255.255.0:<HOSTNAME>
...
The hostname can functionally be anything you want, though for clarity I recommend using the same hostname as would be normal for your server. The server IP should be configured to be static on your router, and this same IP should be used here. The gateway IP address should be the IP address of your router, which is typically the same as the IP of your server, but where the last octet is 1
Decryption Script #
Next, on any machine that you're going to be using to SSH into the server and run the decryption process, you will want to have the following python script:
1#!/usr/bin/env python3
2import pexpect
3import sys
4
5TARGET = sys.argv[1]
6PASSWORD = sys.stdin.readlines()[0]
7
8ssh = pexpect.spawn(f'ssh {TARGET}')
9ssh.expect('Please unlock disk.+')
10ssh.sendline(PASSWORD)
Please note that this uses the Python pexpect library to interact with the shell, which needs to be installed using pip install pexpect.
All this script does is it needs an SSH target (i.e. an IP address, or a host configured in your SSH config file), and a password piped in through STDIN. It them SSHs into the target machine (which should be running Dropbear SSH as outlined above), and when it finds the text "please unlock disk", it responds with the password.
This script can be used at any time and the password can be piped into it from any CLI-compatible password manager (because UNIX is awesome).
CLI Incantation(s) #
With those two building blocks above - dropbear SSH installed on the target server, and the script that can handle sending the password to it - we can build the following incantation which will reboot the server for us, and decrypt it in one go:
1ssh -t <SERVER> 'sudo reboot now' && \
2 sleep 30 && \
3 pass show .../passphrase | python3 .../luks-unlocker.py <SERVER>
Please note the following:
- The dropbear SSH server will identify itself with different SSH keys than what would normally be used. This means that you may want to use separate SSH configurations (on the machine executing the above command) for "normal" SSH access to the server and the Dropbear SSH connection, in particular, look into using a different
known_hostsfile with Dropbear. - The use of
.../above implies that you need to figure out the paths for the script and passphrase for yourself, wherever you typically keep such things. - The example above uses a 30 second delay, but feel free to set it to whatever seems appropriate for you. This is the time that you want to wait before trying to unlock the server.
If for some reason the server experiences a hard reboot, we can simply use a pared down version of the command, which is something that UNIX makes very easy to do with just:
1pass show .../passphrase | python3 .../luks-unlocker.py <SERVER>