Remote unlocking LUKS encrypted LVM


Install dropbear on server

sudo apt-get install dropbear

Generate an SSH key pair on the client system (the one which will be used to unlock the remote machine)

http://securityblog.gr/3657/how-to-setup-ssh-keys/

Stop dropbear from starting on normal boot on Server

sudo update-rc.d -f dropbear remove

Also set NO_START=1 so the dropbear init script does not start the daemon on a normal boot (only the copy inside the initramfs should run)

sudo sed -i -e 's/NO_START=0/NO_START=1/' /etc/default/dropbear

Remove the keys the dropbear package generated (the root key pair in the initramfs tree and the dropbear host keys)

sudo rm /etc/initramfs-tools/root/.ssh/id_rsa.*

sudo rm -f /etc/dropbear/dropbear_{rsa,dss,ecdsa}_host_key

Convert the OpenSSH host keys to dropbear format and place them in the initramfs, so SSH clients see the same host key during boot as after boot and do not raise a host-key-changed warning

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key

Convert the ECDSA and RSA host keys the same way

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

Insert your SSH public key (.pub) into the remote machine’s /etc/dropbear/root_key

ssh-copy-id username@remote-server -p port

Execute the following command on the remote system (the redirection must run as root, which a plain sudo cat ... > file does not do, so wrap it in sudo sh -c)

sudo sh -c 'cat /home/username/.ssh/authorized_keys > /etc/dropbear/root_key'

Allow the same SSH key to log in to the boot environment (the dropbear instance inside the initramfs)

sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/

Create the unlock script

sudo nano /etc/initramfs-tools/hooks/crypt_unlock.sh

Contents

#!/bin/sh

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # Install the "unlock" helper into the initramfs. It runs the normal
    # cryptroot script with a fake plymouth on PATH so the passphrase prompt
    # is shown on the SSH session instead of the console.
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    # The following line kills the remote shell right after the passphrase
    # has been entered.
    kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF

    chmod 755 "${DESTDIR}/bin/unlock"

    # Plymouth stand-in: answering --ping with a failure makes cryptroot fall
    # back to asking for the passphrase on the current terminal.
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF

    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
fi

sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Regenerate the initramfs so the hook runs and the unlock script, host keys and authorized key are included

sudo update-initramfs -u

Set a Static IP on boot

sudo nano /etc/default/grub

Edit this line

GRUB_CMDLINE_LINUX="ip=local_ip::gateway:255.255.255.0::eth0:none"

sudo update-grub

Connect to remote server

ssh root@server_ip

Execute

unlock

You will be disconnected once the passphrase is accepted, and you have to log back in through the normal SSH service after the system has finished booting.
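The steps above install several pieces into the initramfs, and a mistake in any of them only shows up at the next reboot. The following added example (not part of the original post) is a pre-flight check: it verifies that the generated initramfs contains the unlock helper, the converted host key, the authorized key and the cryptroot script (using the lsinitramfs tool from initramfs-tools, an assumption of this example), that /etc/default/dropbear really disables the normal-boot daemon, and that the static ip= kernel parameter has the seven-field form used above.

```shell
#!/bin/sh
# Pre-flight checks for the dropbear remote-unlock setup described above.
# Assumes the Debian/Ubuntu initramfs-tools layout and the lsinitramfs tool.

# Paths the hook installs into the initramfs, as lsinitramfs prints them.
REQUIRED_ENTRIES="bin/unlock
lib/unlock/plymouth
etc/dropbear/dropbear_rsa_host_key
root/.ssh/authorized_keys
scripts/local-top/cryptroot"

# Read an initramfs file listing on stdin (e.g. from lsinitramfs) and report
# every required entry that is absent. Returns 0 only if all are present.
check_initramfs_listing() {
    listing=$(sed 's#^\./##; s#^/##')
    missing=0
    for entry in $REQUIRED_ENTRIES; do
        if ! printf '%s\n' "$listing" | grep -qxF "$entry"; then
            echo "missing from initramfs: $entry" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Verify that the given /etc/default/dropbear disables the normal-boot daemon
# (NO_START=1); only the copy inside the initramfs should answer on boot.
dropbear_disabled_on_normal_boot() {
    grep -qx 'NO_START=1' "$1"
}

# Check a static kernel ip= parameter of the form used in GRUB_CMDLINE_LINUX:
#   ip=<client-ip>:<server-ip>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
# All seven fields must be present, with a client IP, a device and autoconf=none.
valid_static_ip_param() {
    param=${1#ip=}
    [ "$param" != "$1" ] || return 1
    [ "$(printf '%s' "$param" | awk -F: '{print NF}')" -eq 7 ] || return 1
    client=$(printf '%s' "$param" | cut -d: -f1)
    device=$(printf '%s' "$param" | cut -d: -f6)
    autoconf=$(printf '%s' "$param" | cut -d: -f7)
    [ -n "$client" ] && [ -n "$device" ] && [ "$autoconf" = "none" ]
}

# Usage on the server after update-initramfs (not executed here):
#   lsinitramfs "/boot/initrd.img-$(uname -r)" | check_initramfs_listing
#   dropbear_disabled_on_normal_boot /etc/default/dropbear
#   valid_static_ip_param 'ip=local_ip::gateway:255.255.255.0::eth0:none'
```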
