Unlocking a LUKS encrypted root partition via SSH has become very easy
Recently, I’ve set up a small home server again. As usual, I’ve gone with a fully encrypted hard drive. However, for a server it’s quite inconvenient to attach a display and a keyboard every time it needs to be booted.
Therefore, again as usual, I wanted to be able to unlock the device via SSH. As many times before, I followed the instructions on this page. When I tried to recreate the initrd, all I got was an “error 72” along with a note that all of this was deprecated, and a hint where to find more, which I ignored…
As Google couldn’t help much, I decided to read that hint: Debian now supports this feature natively, and it’s damn easy to configure:
[edit 2010-12-29 17:00] A small word of warning: as I just found out, this doesn’t work that easily with Ubuntu. According to bug report 595648 on Launchpad, Plymouth causes problems when unlocking the device. Comment #5 provides a workaround, which I haven’t tested. [/edit]
All you need to do is install dropbear (a tiny SSH server) and BusyBox (a tiny shell, usually already installed) using apt-get. The initrd is recreated automatically. Then reboot your computer. The initramfs needs a working network for this: by default it requests an address via DHCP; a static one can be given with the ip= kernel parameter. Don’t worry: if you can’t log in via SSH, you can still unlock the disk at the keyboard as before. It’s (almost) fail-safe.
A public/private key pair is also created automatically when dropbear is installed. For public key authentication you can either use the private key in /etc/initramfs-tools/root/.ssh/id_rsa (copy it to your own machine and pass it with “-i” when logging into the server, see below) or, preferably, add your usual public key to /etc/initramfs-tools/root/.ssh/authorized_keys (cat your_pubkey.pub >> …authorized_keys, then recreate the initrd with update-initramfs -u). The second option avoids carrying a private key off the server; note that dropbear keys cannot be passphrase-protected, so the generated one sits there in the clear.
The final command (for logging into your booting server only) then looks something like:
ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" -i your_private_key root@10.0.0.103
“-o” specifies a different known_hosts file. This is necessary because your server will (going this easy way) present two different host keys: one during boot, offered by dropbear from the initramfs, and one afterwards, offered by your usual SSH server. Without a separate file, every switch would trigger the changed-host-key warning. That warning is exactly the one that should make you suspicious of something nasty going on, so you don’t want to get used to clicking through it.
“-i” specifies the private key to use and is only needed if you copied the one created by dropbear. If you added your regular public key instead, it can be omitted.
As you probably don’t want to do much on your server in this state, it’s convenient to pass the command for unlocking the hard drive directly:
ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \
    -i ~/.ssh/id_rsa.initramfs root@10.0.0.103 \
    "echo -ne \"encryptionpassphrase\" >/lib/cryptsetup/passfifo"
Yes, that’s right: the passphrase is passed in plain text here. It ends up in your shell history and is visible to anyone on the client who can list processes while the command runs, so only do this from a trusted machine, or feed the passphrase through stdin instead of the command line.
As you can see, this is really easy: install dropbear, add a key, and use it to log in. Three short steps and almost foolproof.
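To pull the steps above together, here is an added example (my own script, not part of the original post or of Debian’s dropbear package): a small POSIX sh helper with a server-side setup function made of the post’s own commands, and a client-side unlock function that reads the passphrase from stdin instead of the command line, so it stays out of shell history and ps output. The FIFO path and the initramfs key locations are the ones the post describes; the host address, identity path, port and the overridable SSH variable are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post. Client-side helper for
# unlocking a LUKS root through dropbear in the Debian initramfs.
# Assumptions (mine, not the page's): dropbear listens on port 22 on the
# address you pass in, the initramfs shell is busybox (so 'cat' exists),
# and the askpass FIFO is /lib/cryptsetup/passfifo as the post describes.

# FIFO that Debian's cryptroot askpass reads the passphrase from (from the post).
PASSFIFO=/lib/cryptsetup/passfifo

# Separate known_hosts file so dropbear's initramfs host key does not clash
# with the OpenSSH host key the same address presents after boot.
INITRAMFS_KNOWN_HOSTS=${INITRAMFS_KNOWN_HOSTS:-$HOME/.ssh/known_hosts.initramfs}

# SSH client to use; overridable so the function can be exercised with a stub.
SSH=${SSH:-ssh}

# Server-side preparation, run once as root on the server (the post's steps).
# $1 is the client's public key file to add to the initramfs authorized_keys.
server_setup() {
    pubkey=$1
    apt-get install dropbear busybox
    mkdir -p /etc/initramfs-tools/root/.ssh
    cat "$pubkey" >> /etc/initramfs-tools/root/.ssh/authorized_keys
    update-initramfs -u
}

# Write the passphrase read on stdin into the FIFO on the booting host.
# $1 = host or IP, $2 = optional private key (only needed if you copied the
# key dropbear generated). Sending it over stdin keeps it out of the client's
# argv, ps output and shell history. Exit status is ssh's.
remote_unlock() {
    host=$1
    identity=${2:-}
    if [ -n "$identity" ]; then
        "$SSH" -o "UserKnownHostsFile=$INITRAMFS_KNOWN_HOSTS" \
            -i "$identity" "root@$host" "cat > $PASSFIFO"
    else
        "$SSH" -o "UserKnownHostsFile=$INITRAMFS_KNOWN_HOSTS" \
            "root@$host" "cat > $PASSFIFO"
    fi
}

# Prompt for the passphrase without echo and forward it; printf '%s' is used
# so no newline is appended to what askpass reads.
unlock_interactive() {
    host=$1
    identity=${2:-}
    printf 'LUKS passphrase for %s: ' "$host" >&2
    stty -echo
    read -r pass
    stty echo
    printf '\n' >&2
    printf '%s' "$pass" | remote_unlock "$host" "$identity"
    unset pass
}

# Usage: ./unlock.sh setup KEY.pub                (on the server, as root)
#        ./unlock.sh unlock HOST [PRIVATE_KEY]    (on the client)
case "${1:-}" in
    setup)  server_setup "$2" ;;
    unlock) unlock_interactive "$2" "${3:-}" ;;
esac
```

The remote command is just cat redirected into the FIFO, so busybox in the initramfs does the write and the passphrase never becomes a command-line argument on either side. On the first connection ssh will still ask you to confirm dropbear’s host key; it is recorded in the separate known_hosts.initramfs file, so it does not collide with the key your regular sshd presents later.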
Hi!
I’m trying to decrypt my disk through ssh too. I tried both methods you outlined, using the generated private key and copying my public key (then update-initramfs -u), but it still asks me for a password. Any suggestions? Or can you describe the process step by step so I can see if I did anything wrong? Thanks so much!
vinhdizzo
August 7, 2011 at 3:00 am
Hi,
does this include being unable to decrypt the device via SSH? As long as you can unlock remotely, nothing went wrong. It’s intended to be still able to do so locally.
Are you getting any errors when trying to connect via SSH (i.e. is dropbear running)? Which distribution are you using?
Flo
August 14, 2011 at 8:15 pm
Hi,
I know the dropbear daemon is running at startup. I just have issues authenticating via ssh. So the issue is ssh, not even decrypting yet.
I’m on ubuntu server 11.04.
vinh nguyen
August 14, 2011 at 8:32 pm
[...] I first had issues with logging into the Dropbear server (normal user accounts won’t work); this post helped me figure out how to log in. Then I had a difficult time with how to unlock the disk [...]
Super Nerdy Cool » Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu
September 13, 2011 at 7:09 am