Remotely unlock LUKS root volume via SSH

pschmitt · February 12, 2020, 12:53pm

Hi,

my root fs is LUKS encrypted. Is there any way I can setup Clear Linux so that it connects the the network on boot, starts an SSH server and lets me input the password via ssh?

I’m basically looking for something like these solutions:

dm-crypt/Specialties - ArchWiki
GitHub - dracut-crypt-ssh/dracut-crypt-ssh: dracut initramfs module to start dropbear sshd during boot to unlock the root filesystem with the (cryptsetup) LUKS passphrase remotely

puneetse · February 12, 2020, 4:45pm

Paging @eadams who might have something clever to share.

This was discussed a little here and decided not something that was going to be a Clear Linux solution:

github.com/clearlinux/distribution

Request to support remote decrypting through ssh of fully encrypted drives

opened 09:13PM - 05 Jun 19 UTC

closed 10:47PM - 16 Jan 20 UTC

eadamsintel

enhancement

If you do full disk encryption with Clear Linux you have to physically be presen…t at your computer to unlock it. This is a problem if you want to remotely reboot/power on a system as you won't have a way to unlock it unless you setup an expensive KVM over IP solution or possibly redirect output over serial port to another computer that you can ssh in. Many modern computers don't have rs-323 ports. There are guides on the Internet how to set this up using a dropbear ssh server running in initramfs but it is tricky to setup and doesn't seem like it would survive a swupd update to a newer kernel. It would be a really useful feature if Clear Linux could easily support this through a bundle-add and some configuration file in /etc for the pre-boot ssh keys. Even better would be to share the same key between the pre-boot ssh session and post-boot after decryption ssh session if a different ssh server has to be used.

eadams · February 13, 2020, 5:48pm

I found two other ways to do this that don’t cost too much money, and you might already have the equipment on hand. I accomplished this by taking an old Android OnePlus One phone and flashing a custom firmware that had USB gadget mode enabled in the kernel. I then rooted the phone and used a program called hid-gadget-test to send keystrokes to the computer. I used a ROM called “nameless” that already had the kernel compiled with this option. Finally, I installed a Simple SSH server that always listens and opened up a port on my router to be able to ssh to that phone. The phone gets charged from the USB port and can send keystrokes as well. I even put a long passcode on that phone out of an abundance of caution. To complete the setup, I put the computer I care about on a wemo switch and changed the BIOS so that the computer boots up once power is applied. That way if anything happens in the reboot I can remotely kill power to the switch using the WeMo app and it will boot up to the LUKS encryption prompt.

You could also do this with certain revisions of a Raspberry Pi. Overview | Turning your Raspberry Pi Zero into a USB Gadget | Adafruit Learning System You may be able to use an old NUC as well, but I am pretty sure you need that USB port to support USB OTG for this to work but it has been awhile since I set this up. This type of setup would work with any OS and you don’t have to modify any kernels.

pschmitt · February 17, 2020, 8:02am

Thanks for the feedback. I’m really not looking for alternatives, I happen to own a KVM over IP device. The thing is that in my mind I shouldn’t have to use any kind of hardware for remote unlocking, there’s an existing software solution for this.

puneetse · February 17, 2020, 8:05am

To be clear, what’s the software solution you’re thinking of?

pschmitt · February 17, 2020, 8:08am

Any of these:

GitHub - gsauthof/dracut-sshd: Provide SSH access to initramfs early user space on Fedora and other systems that use Dracut
GitHub - grazzolini/mkinitcpio-dropbear: Archlinux mkinitcpio hook to enable the dropbear daemon in early userspace
[…]

There’s plenty more implementations floating around the internet.