How can one unlock a fully encrypted Ubuntu 11.10 system over SSH at boot?
In previous versions of Ubuntu, and current versions of Debian, you can unlock a fully encrypted system (using dmcrypt and LUKS) at boot time over SSH.
It was as easy as:
- Installing the encrypted system using the Ubuntu alternate installer disk or normal Debian installer disk and choosing to encrypt the system.
- After the system is installed, adding the dropbear and busybox packages.
- Updating the initramfs to authorize your ssh key.
At boot time, you'd just ssh to the machine, and do:
echo -ne "keyphrase" > /lib/cryptsetup/passfifo
The machine would then unlock and boot the encrypted system.
Using the exact same steps on Ubuntu 11.10, I can ssh to the machine, but /lib/cryptsetup/passfifo doesn't exist.
There appears to be no way to unlock the system over ssh. I'm not sure where to look to see if this functionality changed or if it was removed.
Just done some googling and it appears that plymouth gets in the way. If plymouth is there, then on boot cryptsetup will ask plymouth for the password, which means it's not using passfifo.
The best workaround appears to be putting the following script in the directory /usr/share/initramfs-tools/hooks/. After you've put it there you can chmod +x it, and then you have to run update-initramfs -u. You should then be able to use the unlock command (which is created by the script below).
This relies on you using an ssh key to login with. If you want to use a password then you need to put SSHUSERPASS=<username> into /etc/initramfs-tools/initramfs.conf
#!/bin/sh
# initramfs-tools hook: adds an "unlock" command to the initramfs so that
# cryptroot can be driven from a dropbear SSH session instead of plymouth.
PREREQ="dropbear"
prereqs() {
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # /bin/unlock: re-run the cryptroot script with the wrapper plymouth first
    # in PATH, so the passphrase is asked for on the SSH session. On success,
    # kill the original cryptroot/plymouth/cryptsetup still waiting at the console.
    cat > "${DESTDIR}/bin/unlock" <<-EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot
then
    /sbin/pkill cryptroot
    /sbin/pkill -f "plymouth ask-for-pass"
    /sbin/pkill cryptsetup
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    # Wrapper plymouth: answering "--ping" with failure makes cryptroot believe
    # plymouth is not running, so it prompts on the terminal instead.
    # ("=" rather than "==": the initramfs /bin/sh is not guaranteed to be bash.)
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" <<-EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    # Enable password login: copy the chosen user's shadow entry into the
    # initramfs as root's, so that user's password is what dropbear accepts.
    if [ -n "$SSHUSERPASS" ]
    then
        sed -n "s/^${SSHUSERPASS}:/root:/p" /etc/shadow > "${DESTDIR}/etc/shadow"
        chmod 640 "${DESTDIR}/etc/shadow"
    fi
fi
You can read more in this post on the ubuntuforums, this launchpad bug and the German post I nicked most of this from.
Until this bug is resolved, you can try to first kill plymouth. Unfortunately, there is no easy way to determine the PID of plymouthd. But plymouth knows how to quit itself :-) So the following should be sufficient.
plymouth --quit; echo -ne "keyphrase" > /lib/cryptsetup/passfifo
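Putting the question and the two answers together, here is an added example (not code from either answer, nor from initramfs-tools or cryptsetup) of a small helper for the dropbear session that first checks which unlock path the running initramfs actually offers before sending anything. It reads the passphrase from stdin rather than taking it on the command line, writes it to the passfifo when that FIFO exists, and otherwise asks plymouth to quit and waits for the FIFO to appear, which is what the second answer does in one line. The paths are parameters, and the function names and the ten-second wait are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original answers. Feeds a LUKS passphrase
# to cryptsetup from a dropbear session, choosing between the passfifo path
# (older initramfs) and the plymouth path (11.10 style). Paths are
# parameters so the logic can be exercised offline; the function names and
# the wait limit are assumptions made for this example.

# detect_unlock_path FIFO PLYMOUTH_BIN
# Prints "passfifo" if cryptsetup's FIFO exists, "plymouth" if only the
# plymouth binary is present (it then owns the prompt), "none" otherwise.
detect_unlock_path() {
    _fifo="$1"
    _plymouth="$2"
    if [ -p "$_fifo" ]; then
        echo passfifo
    elif [ -x "$_plymouth" ]; then
        echo plymouth
    else
        echo none
    fi
}

# wait_for_fifo FIFO SECONDS
# Returns 0 as soon as FIFO exists, 1 after SECONDS seconds without it.
wait_for_fifo() {
    _fifo="$1"
    _left="$2"
    while [ ! -p "$_fifo" ]; do
        [ "$_left" -gt 0 ] || return 1
        sleep 1
        _left=$((_left - 1))
    done
    return 0
}

# feed_passphrase FIFO PLYMOUTH_BIN   (passphrase on stdin, one line)
# Reading from stdin keeps the secret out of the command line and the shell
# history. Exit codes: 0 fed, 2 nothing on stdin, 3 no unlock path found.
feed_passphrase() {
    _fifo="$1"
    _plymouth="$2"
    IFS= read -r _pass || return 2
    case "$(detect_unlock_path "$_fifo" "$_plymouth")" in
        passfifo)
            ;;
        plymouth)
            # As in the second answer: tell plymouth to quit so cryptsetup
            # falls back to its FIFO, then wait for that FIFO to show up.
            "$_plymouth" --quit
            wait_for_fifo "$_fifo" 10 || return 3
            ;;
        *)
            return 3
            ;;
    esac
    # printf '%s' writes no trailing newline, matching the original's echo -n.
    printf '%s' "$_pass" > "$_fifo"
}

# Usage inside the initramfs shell, passphrase typed on the next line:
#   feed_passphrase /lib/cryptsetup/passfifo /bin/plymouth
```

The FIFO write blocks until cryptsetup's askpass opens the other end, so a hung write is itself a sign that nothing is reading, i.e. plymouth still holds the prompt.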