LUKS automatic unlock with key file on remote Ubuntu server

tang and clevis can achieve that even with an encrypted root partition on CentOS 7 (and I personally use it to automate boot on my home network and at work). Have a look and check if it plugs into your VM.


There are various solutions online (like here) where a small SSH server (busybox+dropbear) is included in the initrd so that it runs at boot time, before the filesystem is mounted, and can be contacted to provide the passphrase as input.

You may be able to do something around that: in the initrd, instead of launching an sshd server to wait for a remote connection, start an ssh connection to your remote host storing the keys, with specific ssh keys, in order to get the key file (doing an scp), then unlock the local filesystem with the LUKS key.

It is however not without drawbacks: you need of course to make sure to delete the downloaded LUKS key as soon as the unlock is done, otherwise you have gained nothing. Even better if you find a way to have it in RAM only for the time needed and not stored anywhere. Also, "any" attacker able to read the content of your initrd may find the ssh connection and its ssh key, contact your remote host with them and download the LUKS key. If this happens it means however that your attacker is clearly targeting you and taking the time to study your specific setup; this is clearly outside of script kiddies. You should at least carefully review all connections that downloaded the key; the events should be tied to your other monitoring alerts showing that a given server is indeed rebooting (which again will not protect you against an attacker that was able to modify your initrd).

You also have to take into account cases where the network fails at this moment, scp cannot connect, etc. So having at the same time the option of the small sshd server, to be able to connect to it and debug things, is not a bad idea. Or see what kind of out-of-band solutions your cloud provider can offer.
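The "fetch the key from a remote host inside the initrd" idea from this answer, as an added example that is not part of the original answer and not the busybox/dropbear setup it links to. It addresses two of the answer's own caveats: the key never touches a local file (the remote side runs `cat` and the bytes go straight into `cryptsetup` over a pipe, using `--key-file=-` to read the key from stdin until EOF), and the fetch is retried so a network that is not up yet does not immediately fail the boot. The hostname `keys.example.internal`, the `luks-fetch` account, the key and identity paths, `/dev/sda2` and the `cryptroot` mapper name are all assumptions for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not code from any of the answers above: an initramfs-style
# unlock script that fetches the LUKS key over SSH and feeds it straight to
# cryptsetup on stdin, so the key exists only in the pipe, never on disk.
# Host, account, paths, device and mapper name are assumptions for illustration.
set -eu

KEY_HOST="keys.example.internal"            # assumed remote key store
KEY_USER="luks-fetch"                       # assumed restricted account
KEY_PATH="/var/lib/luks-keys/web01.key"     # assumed per-host key file on the store
SSH_IDENTITY="/etc/luks/fetch_id_ed25519"   # private key baked into the initrd
SSH_KNOWN_HOSTS="/etc/luks/known_hosts"     # pins the key store's host key
LUKS_DEV="/dev/sda2"                        # assumed encrypted root device
MAPPER_NAME="cryptroot"
RETRY_DELAY="${RETRY_DELAY:-3}"             # seconds between attempts

# Stream the key file to stdout. Running "cat" on the remote side instead of
# scp means there is never a local destination file to delete afterwards.
fetch_key() {
    ssh -n -i "$SSH_IDENTITY" \
        -o UserKnownHostsFile="$SSH_KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        -o BatchMode=yes \
        -o ConnectTimeout=10 \
        "$KEY_USER@$KEY_HOST" cat "$KEY_PATH"
}

# cryptsetup reads the key from stdin with --key-file=- (binary-safe, reads
# until EOF), so the pipe is the only place the key is held on this host.
unlock_with_remote_key() {
    fetch_key | cryptsetup open --key-file=- "$LUKS_DEV" "$MAPPER_NAME"
}

# Retry to cover the "network is not up yet" case; a non-zero return lets the
# caller fall back to something else (e.g. the dropbear passphrase prompt).
unlock_with_retries() {
    attempts="${1:-5}"
    n=1
    while [ "$n" -le "$attempts" ]; do
        if unlock_with_remote_key; then
            return 0
        fi
        echo "remote key fetch/unlock failed (attempt $n/$attempts)" >&2
        sleep "$RETRY_DELAY"
        n=$((n + 1))
    done
    return 1
}

# Only act when invoked as "script run"; sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then
    unlock_with_retries 5
fi
```

On the key store side, limit what the initrd's private key can do: give the `luks-fetch` account an `authorized_keys` entry with a forced command (`command="cat /var/lib/luks-keys/web01.key",restrict ...`), so a stolen initrd key can only ever read that one file, and rely on sshd's normal login logging to get the per-fetch audit trail the answer recommends correlating with reboot alerts. Pinning the store's host key via `StrictHostKeyChecking=yes` and a baked-in `known_hosts` is what stops a network attacker from impersonating the store during the fetch.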


I have used Mandos to store and retrieve the passphrase to unlock the root file system, to allow unattended reboots, and simply store the keys for all other volumes used by that system in a file on that encrypted root volume.

I have used Mandos over a WAN connection (by configuring DHCP and the IP address of the Mandos server in the client system rather than relying on Zeroconf, which only works in the local LAN) without bothering with a VPN connection.