administration, linux, lvm, security,

Encrypted LVM remote unlock

agowa338 agowa338 Jul 24, 2017 · 1 min read
Share this

Sometimes you want to have a strong Disk encryption but be still able to unlock it remotely. Sure, this is a compromise between security and usability, but here is what I come up with.
Before you follow my instructions, I allude you to carefully consider what that means for your thread model and system security.

  1. You start with an normal lvm encrypted operating system.
  2. Install dropbear and busybox
  3. Edit the file /etc/initramfs-tools/initramfs.conf and add/modify Device and Network settings accordingly:
    The last line requires some explanation. It consists of:
    To bypass the ssh host checks (which would fail, because effectively the preboot environment is an autonomous os, independent of the other), you should select a different IP than that of the fully booted system.
  4. Place your ssh-public key into the initramf's root users home directory
    rm /etc/initramfs-tools/root/.ssh/*
    vi /etc/initramfs-tools/root/.ssh/authorized_keys
    For privacy reasons (if you don't want someone to associate this device with you through the use of your public key) you may want to use a separate key-pare, as this public key.
  5. After you've added your public key, you need to regenerate the initramfs image using:
    update-initramfs -u
  6. After that reboot using
    systemctl reboot
  7. Now while the System is waiting for you to enter the password, go to a different client and connect using your private key (User: root) and your predefined IP address.
  8. To unlock your device and continue booting (which will uninitialize the initramfs leaving you within a shell without any mounted file systems or applications) you have to somehow insert the Plain-text password into /lib/cryptsetup/passfifo (without a line break at the end). The easiest (but also unsafest) way is a simple echo:
    echo -n "EncryptionKey" > /lib/cryptsetup/passfifo

Written by agowa338