A Linux Playground

My doodles and what I get up to.

Remotely Unlock Full Disk Encryption on Debian or Ubuntu

Using full disk encryption is a sensible precaution these days. From credit card statements stored digitally to family photos, encryption stops the data from being read straight off a stolen drive. LUKS encrypts the contents of the disk so that they can only be read after a strong passphrase is entered at boot. This works well if you are the only person using the computer, but if family members need access, or the machine is a remote server, you need a way to enter that passphrase remotely.

Dropbear

The solution is to install the dropbear SSH server. This is a very lightweight SSH server that can be added to the initramfs used during the Linux boot sequence, so it is reachable before the root filesystem has been unlocked. You also need busybox for basic shell utilities inside the initramfs. On newer Debian and Ubuntu releases the initramfs hook lives in the separate dropbear-initramfs package, which should be installed as well. To do this run the following:

sudo apt-get install busybox dropbear

Enable both in the initramfs by editing /etc/initramfs-tools/initramfs.conf and adding the following. The file is sourced by the shell, so there must be no spaces around the equals signs:

BUSYBOX=y
DROPBEAR=y

Static IP address

If the system sits behind a home router doing NAT, it needs a fixed address on the LAN and the router has to forward a port (22 here) to it. Bear in mind that the same forwarded port reaches the initramfs dropbear during boot and the normal OpenSSH daemon once the system is up, and the two have different host keys.

To make sure the system has a static IP address while it is in the initramfs, also add the following to the file, adjusted to your network. The IP= line uses the kernel's ip= syntax, <client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>; fields you do not need (here the server IP and the hostname) are left empty, and autoconf is set to off so no DHCP is attempted. The interface name is whatever the kernel calls it: eth0 here, but on newer releases it may be something like enp3s0 (check with ip link). Alternatively, if you use DHCP, give the machine's MAC address a fixed lease in the DHCP server configuration.

DEVICE=eth0
IP=192.168.0.150::192.168.0.1:255.255.255.0::eth0:off

Setting up keys

Dropbear uses a different key format from OpenSSH, so the key pair is created with dropbearkey and then converted for use with the OpenSSH client. The public key has to be inside the initramfs, so it goes into a root folder under /etc/initramfs-tools (the newer dropbear-initramfs package reads it from its own directory instead, /etc/dropbear-initramfs/ or /etc/dropbear/initramfs/ depending on the release; check which your system uses). The authorized_keys format itself is the standard OpenSSH one, so a key generated with ssh-keygen on the machine you will unlock from works just as well, and then only the public half ever has to travel. Run the following as root, and rebuild the initramfs afterwards with update-initramfs -u so the new configuration and key are actually picked up:

# run as root: the authorized_keys file is copied into the initramfs at build time
rm -rf /etc/initramfs-tools/root/.ssh
mkdir -p /etc/initramfs-tools/root/.ssh
# generate a client key pair in dropbear's own format
dropbearkey -t rsa -f ~/reboot_rsa.dropbear
# convert the private key to OpenSSH format so the ssh client can use it
/usr/lib/dropbear/dropbearconvert dropbear openssh ~/reboot_rsa.dropbear ~/reboot_rsa
# print the public key in authorized_keys format and keep just the key line
dropbearkey -y -f ~/reboot_rsa.dropbear | grep "^ssh-rsa " > ~/reboot_rsa.pub
cat ~/reboot_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys

Copy the key to the machine you will unlock from

On the encrypted machine, run the following to copy the private key into the .ssh folder on <REMOTE>, the machine you will connect from. Make sure it ends up with mode 600 there, as ssh refuses to use a key readable by others. Note that this sends a private key across the network; generating the key pair on <REMOTE> and copying only the public key the other way avoids that.

scp ~/reboot_rsa <user>@<REMOTE>:~/.ssh/

Login and unlock drive

To unlock the remote device, first ssh into it as root using the newly set up key (replace <ENCRYPTED-HOST> with the machine's address). The separate known_hosts file matters: the dropbear in the initramfs has its own host key, different from the OpenSSH host key of the booted system at the same address, so sharing ~/.ssh/known_hosts would trigger a host-key-changed warning on every other connection. The following is fine as a one-off command; if you plan on using it more often, put these options in a Host entry in your ssh config file for easier use.

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.reboot" -i ~/.ssh/reboot_rsa root@<ENCRYPTED-HOST>

Once logged in, write your passphrase into the named pipe that cryptsetup's askpass helper is blocking on. The -n matters, because a trailing newline would become part of the passphrase:

echo -ne "<YOURENCRYPTIONPASSWORD>" > /lib/cryptsetup/passfifo

Because of -e, a backslash in the passphrase is treated as an escape sequence, so printf '%s' is the safer choice if yours contains one. On newer releases the initramfs also ships cryptroot-unlock, which prompts for the passphrase and feeds the FIFO for you. Once the root filesystem is unlocked the boot continues and the dropbear session ends.
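The two pieces above (the authorized_keys setup on the encrypted machine and the unlock from the other end) can be tightened up so that the unlock key is good for nothing except delivering a passphrase. The script below is an added example, not code from the original post: install_unlock_key installs a public key with dropbear authorized_keys restrictions and a forced command that only copies stdin into the passfifo, and remote_unlock sends the passphrase on ssh's stdin so it never appears on a command line. It assumes, beyond what the post says, that dropbear honours the no-* and command= options in authorized_keys and runs the forced command through /bin/sh -c, and that /lib/cryptsetup/passfifo is the FIFO the askpass helper reads. The key line used in the usage below is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not the post's own code): both halves of a locked-down
# remote unlock for dropbear in the initramfs.
#   install_unlock_key AUTHORIZED_KEYS PUBKEY_FILE  - run as root on the encrypted machine
#   remote_unlock HOST KEYFILE KNOWN_HOSTS           - run on the machine you unlock from
# Assumptions, not taken from the post: dropbear honours the no-* and
# command= options in authorized_keys and runs the forced command with
# /bin/sh -c, and /lib/cryptsetup/passfifo is the FIFO the askpass helper
# reads the passphrase from.
set -u

# The forced command: the key can do nothing except copy its stdin into the
# passfifo, so a leaked key does not give a shell inside the initramfs.
UNLOCK_FORCED_CMD='cat > /lib/cryptsetup/passfifo'

key_options() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="%s"' \
        "$UNLOCK_FORCED_CMD"
}

# Accept one OpenSSH public-key line: a known key type followed by a base64 blob.
valid_pubkey_line() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk '{print $2}' | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_unlock_key AUTHORIZED_KEYS PUBKEY_FILE
# Appends the first line of PUBKEY_FILE, prefixed with the restrictions, to
# AUTHORIZED_KEYS (created mode 600). Re-running it for a key that is already
# present is a no-op. Follow up with update-initramfs -u.
install_unlock_key() {
    auth=$1 pub=$2
    line=$(head -n 1 "$pub")
    if ! valid_pubkey_line "$line"; then
        echo "install_unlock_key: $pub does not hold a public key line" >&2
        return 1
    fi
    # key type + blob identify the key; the trailing comment may differ
    id=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if [ -f "$auth" ] && grep -Fq -- "$id" "$auth"; then
        return 0
    fi
    mkdir -p "$(dirname "$auth")"
    ( umask 077; printf '%s %s\n' "$(key_options)" "$line" >> "$auth" )
    chmod 600 "$auth"
}

# remote_unlock HOST KEYFILE KNOWN_HOSTS
# Reads one line (the passphrase) from stdin and hands it to the initramfs
# sshd on ssh's stdin, where the forced command writes it into the passfifo.
# It never goes on a command line, so it is not visible in ps or in history;
# printf '%s' leaves backslashes and a leading -n alone (echo -e would not);
# and no trailing newline is sent, because the askpass reader would treat it
# as part of the passphrase. accept-new (OpenSSH 7.6+) pins the initramfs
# host key on first use and rejects any later change.
remote_unlock() {
    host=$1 key=$2 known=$3
    IFS= read -r pass || return 1
    printf '%s' "$pass" | ssh \
        -o "UserKnownHostsFile=$known" \
        -o StrictHostKeyChecking=accept-new \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -i "$key" "root@$host"
}

# Interactive front end: prompt with terminal echo off, then unlock.
unlock_interactive() {
    printf 'LUKS passphrase: ' >&2
    stty -echo
    remote_unlock "$@"
    rc=$?
    stty echo
    echo >&2
    return "$rc"
}
```

On the encrypted machine, run install_unlock_key /etc/initramfs-tools/root/.ssh/authorized_keys ~/reboot_rsa.pub as root (or against the dropbear-initramfs directory your release uses) and then update-initramfs -u; from the other machine, unlock_interactive <ENCRYPTED-HOST> ~/.ssh/reboot_rsa ~/.ssh/known_hosts.reboot. Because of the forced command, this key can no longer be used for the interactive echo-into-passfifo route or for a shell in the initramfs; that is the point, so keep a second, unrestricted key if you want to be able to log in and look around.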