The initramfs under /etc/initramfs-tools/root/.ssh/id_rsa (or id_rsa.dropbear You will find the matching private key which you will later need to log in to If the latter file doesn't exist either, it will be generated automatically. If this file doesn't exist when the initramfs is compiled, it will be createdĪnd /etc/initramfs-tools/root/.ssh/id_rsa.pub will be added to it. etc/initramfs-tools/root/.ssh/authorized_keys. The key(s) used for that will be taken from # dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_keyĪs the initramfs will not be encrypted, publickey authentication is assumed. # dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key Following are the commands to create them manually: If they do not exist when the initramfs is compiled, they will be createdĪutomatically. The host keys used for the initramfs are dropbear_dss_host_key andĭropbear_rsa_host_key, both located in/etc/initramfs-tools/etc/dropbear/. If set to DROPBEAR=y, dropbear willīe installed in any case if DROPBEAR isn't set at all, then dropbear will onlyīe installed in case of an existing cryptroot setup. Into the initramfs, and should not contain DROPBEAR=n, which would disable The default when the busybox package is installed) to have busybox installed It should contain BUSYBOX=y (this is set as The file /etc/initramfs-tools/nf holds the configuration options You can unlock your rootfs on bootup from remote, using ssh to log in to theīooting system while it's running with the initramfs mounted.įor remote unlocking to work, the following packages have to be installedīefore building the initramfs: dropbear busybox Unlocking rootfs via ssh login in initramfs
Dropbear ssh rootfs package archive#
"echo -ne \"MyS3cr3tK3y\" >/lib/cryptsetup/passfifo"Īnd for those not lucky enough to use Debian, and also for those who have such luck, but want more details on this procedure, I am pasting here the archive cryptsetup/README.remote from Debian that I am sure that you will find very useful Ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.initramfs" \ Using the format specified in the file Documentation/nfsroot.txt of the Linux kernel documentation. To do this edit the file /etc/default/grub and define the line:
Dropbear ssh rootfs package install#
The trick involves embedding a small ssh server ( dropbear) in the initramfs that allows you to enter the password remotely for the root partition at boot time.įor those who are lucky enough to use Debian, the procedure is so simple and easy as ::ġ) Install your server with the root partition encrypted.Īpt-get install openssh-server dropbear busyboxģ) Copy the SSH key that has been generated automaticallyĤ) If your server gets the IP address automatically (DHCP) ignore this step, otherwise you have to specify the IP configuration at the Kernel boot line. Thanks to this nifty trick, you can enter the password remotely during the boot process. The problem is that if you encrypt the whole hard disk (the root partition) you will need some kind of KVM to type the password remotely every time the server is restarted … sure? No!
If you are thinking on sending a new server to a remote datacenter for colocation or you have rented one or more servers in the cloud, probably you have thought that you would like to encrypt your server’s hard disk.
0 kommentar(er)
