Unattended/headless Ubuntu server with disk encryption - how to set it up?
Solution 1:
Remote unlocking of encrypted partition
There is an easy and more or less standard way to unlock encrypted partitions on start-up, without modification to the root partition. It requires dropbear and busybox.
$ sudo apt install dropbear busybox
Add busybox to initramfs
To enable busybox in the initial RAM disk, set BUSYBOX=y in /etc/initramfs-tools/initramfs.conf. The dropbear SSH host keys are stored in the /etc/dropbear-initramfs folder.
Add public keys to authorized_keys of dropbear
There is no user management in the initial RAM disk, so only the root user with a public key in /etc/dropbear-initramfs/authorized_keys can log in via ssh. You can add any public key or simply copy the one of your user:
$ sudo cp ~/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys
dropbear currently does not support ed25519 keys, so adding them to dropbear won't work.
Update initramfs with dropbear keys
After that, the initial RAM disk needs to be updated:
$ sudo update-initramfs -u
That's it, now reboot the system and wait for the cryptsetup dialog.
Unlocking the system remotely
After the reboot, the system will wait for the unlocking of the encrypted device. Log in via ssh with the root user and the corresponding private key.
# From a remote system
$ ssh -i ~/.ssh/my_private.id_rsa root@my.system.waiting.for.a.password.com
Enter passphrase for key '~/.ssh/my_private.id_rsa':
BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6.1) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
# cryptroot-unlock
Please unlock disk ubuntu-root:
cryptsetup: ubuntu-root set up successfully
# Connection to my.system.waiting.for.a.password.com closed by remote host.
Connection to my.system.waiting.for.a.password.com closed.
And the system will start with an unlocked root device.
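The setup steps above (enable busybox in initramfs.conf, copy public keys into the dropbear authorized_keys, rebuild the initramfs) as an added shell example; this is not code from the answer or from the dropbear project. The two functions take their file paths as parameters so the edit logic can be exercised against scratch files first, and the real system is only touched when the script is run with the `apply` argument. The ed25519 filter and the SRC_KEYS variable are assumptions of this example: the answer says dropbear does not accept ed25519 keys, so such keys are left out rather than silently copied into a file where they would never work.

```shell
#!/bin/sh
# Added example (not from the original answer): idempotent helpers for the
# dropbear-in-initramfs setup, plus an explicit "apply" mode for the real paths.
set -eu

# Set BUSYBOX=y in an initramfs.conf. An existing BUSYBOX= line (even a
# commented-out one) is rewritten in place; otherwise the line is appended.
# Safe to run repeatedly: the file ends up with exactly one BUSYBOX=y line.
enable_busybox() {
    conf="$1"
    if grep -q '^#*[[:space:]]*BUSYBOX=' "$conf" 2>/dev/null; then
        sed -i 's/^#*[[:space:]]*BUSYBOX=.*/BUSYBOX=y/' "$conf"
    else
        printf 'BUSYBOX=y\n' >> "$conf"
    fi
}

# Copy public keys from SRC into DST, dropping blank lines and comments so the
# initramfs file contains nothing but keys. ssh-ed25519 entries are skipped
# (assumption taken from the answer: dropbear does not support them) and
# reported on stderr, so the operator notices instead of being locked out at
# boot. Prints the number of keys written.
filter_authorized_keys() {
    src="$1"
    dst="$2"
    : > "$dst"
    written=0
    skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *ssh-ed25519*) skipped=$((skipped + 1)); continue ;;
        esac
        printf '%s\n' "$line" >> "$dst"
        written=$((written + 1))
    done < "$src"
    chmod 600 "$dst"
    [ "$skipped" -eq 0 ] || printf 'skipped %d ed25519 key(s) unsupported by dropbear\n' "$skipped" >&2
    echo "$written"
}

# Real-system mode, run as root:  sudo sh this-script.sh apply
# SRC_KEYS defaults to the invoking user's authorized_keys (assumed location).
if [ "${1:-}" = "apply" ]; then
    SRC_KEYS="${SRC_KEYS:-$HOME/.ssh/authorized_keys}"
    apt install -y dropbear busybox
    enable_busybox /etc/initramfs-tools/initramfs.conf
    n=$(filter_authorized_keys "$SRC_KEYS" /etc/dropbear-initramfs/authorized_keys)
    [ "$n" -gt 0 ] || { echo "no usable keys copied; not rebuilding initramfs" >&2; exit 1; }
    update-initramfs -u
fi
```

The count check before `update-initramfs -u` is the part worth keeping even if the rest is replaced by the answer's one-liners: rebuilding the initramfs with an empty dropbear authorized_keys leaves a headless machine waiting at the cryptsetup prompt with no way to reach it.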