Thread: HOWTO: Unlock a LUKS encrypted root partition via ssh

  1. #1

    HOWTO: Unlock a LUKS encrypted root partition via ssh

    Introduction

    Fully encrypted systems prevent others from getting your data through physical access. The rationale behind the encryption of a complete system is that you don't have to worry about what you encrypt and what not, because everything (except for the /boot partition) will be encrypted.

    However, the problem I have encountered so far is: how could I reboot my computer from afar? I would be required to be in front of the computer and enter the password. I have wondered thus far how I could reboot the computer remotely.

    On Debian Administrator I then found an article written by Wulf (Wolfram Coulmann) in which he creates an initrd with dropbear as a lightweight ssh server and an unlock script. However, that script still has a few bugs and is not suited for Ubuntu. In the comments, however, there are a few modifications (especially comments #31 and #29) which will make it also work on Ubuntu.

    The Script

    Well, here's the script: dropbear
    Code:
    #!/bin/bash
    
    # We add dropbear to the initrd to be able
    # to mount encrypted partitions remotely
    
    # copyright Wulf Coulmann
    # GNU GPL
    # http://www.gnu.org/licenses/gpl.html
    #
    # Download me here: http://gpl.coulmann.de/dropbear
    # get infos about this script here:
    # http://gpl.coulmann.de/ssh_luks_unlock.html
    
    # Modified by Anonymous 2008
    # Modified By Geoffroy RABOUIN 26/05/2008
    # Modified by hyper_ch 15/06/2008
    
    ### INSTRUCTIONS FOR UBUNTU ###
    # 0. Enable root login
    # 1. Install killall, busybox and dropbear:
    #    ~# sudo apt-get install psmisc busybox dropbear
    # 2. Edit network configuration below and copy contents
    #    of this file to /etc/initramfs-tools/hooks/dropbear
    # 3. Save the script and make it executable:
    #    ~# sudo chmod +x /etc/initramfs-tools/hooks/dropbear
    # 4. Create new initrd:
    #    ~# sudo mkinitramfs -o /boot/netboot
    # 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
    # 6. Delete the dropbear script from the hooks folder
    #    ~# sudo rm /etc/initramfs-tools/hooks/dropbear
    # 7. Profit!
    
    PREREQ=""
    prereqs()
    {
    echo "$PREREQ"
    }
    
    case $1 in
    prereqs)
    prereqs
    exit 0
    ;;
    esac
    
    # Begin real processing below this line
    
    # load the prepared functions of Debian's initramfs environment
    source /usr/share/initramfs-tools/hook-functions
    
    # build the directories
    DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
    for now in $DIRS ; do
    if [ ! -e ${DESTDIR}$now ]
    then
    mkdir -p ${DESTDIR}$now
    fi
    done
    
    # copy the ssh-daemon and libraries
    copy_exec /usr/sbin/dropbear /usr/sbin/
    copy_exec /usr/bin/passwd /usr/bin/
    copy_exec /bin/login /bin/
    copy_exec /usr/bin/killall /usr/bin/
    copy_exec /sbin/route /sbin/
    copy_exec /usr/bin/awk /usr/bin/
    #copy_exec /usr/bin/strace /usr/bin/
    #copy_exec /bin/nc /bin/
    copy_exec /usr/bin/wc /usr/bin/
    
    # some libraries are not auto-included by copy_exec
    copy_exec /lib/libnss_compat.so.2 /lib/
    copy_exec /usr/lib/libz.so.1 /usr/lib/
    copy_exec /etc/ld.so.cache /etc/
    copy_exec /lib/libutil.so.1 /lib/
    
    # we copy config and key files
    cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
    cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
    cp -pr /etc/passwd ${DESTDIR}/etc/
    cp -pr /etc/shadow ${DESTDIR}/etc/
    cp -pr /etc/group ${DESTDIR}/etc/
    if [ -e /root/.ssh/authorized_keys ]
    then
    cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
    fi
    cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
    cp -pr /etc/localtime ${DESTDIR}/etc/
    cp -pr /lib/tls ${DESTDIR}/lib/
    
    # we don't have bash in our initrd
    # also we only add the root account (the match is anchored so that
    # other accounts whose names merely contain "root" are not copied in)
    grep '^root:' /etc/passwd | sed 's/\/bash/\/sh/' > ${DESTDIR}/etc/passwd
    grep '^root:' /etc/shadow > ${DESTDIR}/etc/shadow
    grep '^root:' /etc/group > ${DESTDIR}/etc/group
    
    cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
    #!/bin/sh
    
    # we start the network and ssh-server
    
    PREREQ=""
    prereqs()
    {
    echo "$PREREQ"
    }
    
    case $1 in
    prereqs)
    
    prereqs
    exit 0
    ;;
    esac
    
    # Begin real processing below this line
    
    # build up helpful environment
    [ -d /dev ] || mkdir -m 0755 /dev
    [ -d /root ] || mkdir --mode=0700 /root
    [ -d /tmp ] || mkdir /tmp
    [ -d /sys ] || {
    mkdir /sys
    mount -t sysfs -o nodev,noexec,nosuid none /sys
    }
    [ -d /proc ] || {
    mkdir /proc
    mount -t proc -o nodev,noexec,nosuid none /proc
    
    }
    
    mkdir -p /var/lock
    mkdir -p /var/log
    touch /var/log/lastlog
    mkdir /dev/pts
    mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
    
    /bin/sleep 5
    
    ################# CHANGE THE LINES BELOW #################
    # The network setup: edit ip address and gateway to match your needs
    ifconfig eth0 172.16.2.128 netmask 255.255.255.0
    route add default gw 172.16.2.2
    ################# CHANGE THE LINES ABOVE #################
    
    # display the network settings for double check
    ifconfig
    
    # If you like to use dhcp make sure you include dhclient or pump in
    # /etc/initramfs-tools/hooks/dropbear via
    # copy_exec /sbin/dhclient
    
    
    # for debugging the ssh-server you may run it in the foreground
    # /usr/sbin/dropbear -E -F
    # for more debugging you may run it with strace
    # therefore you have to include strace and nc at the top of
    # /etc/initramfs-tools/hooks/dropbear via
    # copy_exec /usr/bin/strace
    # copy_exec /usr/bin/nc
    # then start nc on an other host and run
    # /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
    # e.g.:
    # /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
    
    # We will use /dev/urandom because /dev/random gets easily blocked
    mv /dev/random /dev/random.old
    ln -s /dev/urandom /dev/random
    # /usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
    /usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
    #ls -al
    rm -f /dev/random
    mv /dev/random.old /dev/random
    EOF
    chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
    
    cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
    
    To unlock root-partition run
    unlock
    
    
    EOF
    
    # script to unlock luks via ssh
    # dirty but effective
    cat >${DESTDIR}/usr/bin/unlock << 'EOF'
    #!/bin/sh
    
    /bin/sh /scripts/local-top/cryptroot
    
    # Kill processes locking boot process
    [ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
    for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
    do
    kill $i
    done
    }
    /bin/sh /scripts/local-bottom/rm_dropbear
    EOF
    
    chmod 700 ${DESTDIR}/usr/bin/unlock
    
    # make sure we exit dropbear at the end of the startup process
    cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
    #!/bin/sh
    PREREQ=""
    
    prereqs()
    {
    echo "$PREREQ"
    }
    
    case $1 in
    prereqs)
    
    prereqs
    exit 0
    ;;
    esac
    
    # Begin real processing below this line
    # we kill dropbear ssh-server
    
    /usr/bin/killall dropbear
    
    EOF
    chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear
    Step 0: Enable root login

    Well, forum policies say that no root login tutorials must be given (see here). However, there are plenty of resources out there on the net on how to do that.

    The reason why I say that root must be enabled is that I couldn't work out how to get the whole sudo permission stuff into the initrd. I'm sure there must be a way, and if someone is willing to take up the challenge, please go ahead. However, you can enable root login only during the creation of the initrd. Once it's created, the according stuff is saved in there and you can remove root login from the actual installation again. The root login is only required to log into dropbear and then run the unlock script. It's not used for anything else.

    Step 1: Install required packages

    Install those packages:
    Code:
    sudo apt-get install psmisc busybox dropbear
    Step 2: Configure network

    In the script, change the network configuration to your needs. I have so far only used static IPs. The script itself also provides an option for DHCP; however, I did not try it.
    Code:
    ################# CHANGE THE LINES BELOW #################
    # The network setup: edit ip address and gateway to match your needs
    ifconfig eth0 172.16.2.128 netmask 255.255.255.0
    route add default gw 172.16.2.2
    ################# CHANGE THE LINES ABOVE #################
    The above settings are just the values from my vmware machine on where I tested it.

    Step 3: Save the script and make it executable:

    Save the altered script to /etc/initramfs-tools/hooks/dropbear and make it then executable:
    Code:
    sudo chmod +x /etc/initramfs-tools/hooks/dropbear
    Step 4: Create new initrd

    Run this command to create a new initrd with the name of "netboot". Of course you can rename "netboot" to anything you like.
    Code:
    sudo mkinitramfs -o /boot/netboot
    Step 5: Edit /boot/grub/menu.lst and add your new initrd as the first entry

    Now you have to edit grub's menu list to add the new initrd.
    Run:
    Code:
    sudo nano /boot/grub/menu.lst
    to edit the menu.lst in nano.
    Go to the end (or almost) and copy an existing kernel entry e.g.
    Code:
    title           Ubuntu 8.04.1, kernel 2.6.24-19-generic
    root            (hd0,1)
    kernel          /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
    initrd          /initrd.img-2.6.24-19-generic
    Change it to something like:
    Code:
    title           Netboot
    root            (hd0,1)
    kernel          /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
    initrd          /netboot
    Don't copy my example directly but use yours. That way the root hd entry and the mapper name are correct.

    Finally, at the top of the menu.lst also change the default boot entry accordingly. If you have 7 kernel entries, then you will put a "6" there because it starts with 0 and you add the netboot one at the bottom.

    Step 6: Delete the dropbear script from the hooks folder

    When I tried it on my machine, after a kernel upgrade there were some problems (which may have resulted from my earlier tries with a buggy script). Just to make sure, delete the dropbear script from the folder.
    Code:
    sudo rm /etc/initramfs-tools/hooks/dropbear
    Step 7: Profit!

    That's it... it should be working now.

    A few things to mention

    - Well, in the script I currently call ifconfig after the network configuration. I did that for bug tracing. You can of course delete that from the script.

    - After you have now created the netboot initrd, you can either change the root password again or disable root login. As the initrd is not encrypted, it is possible to get the hash of the root password, so you want to use a different one from the one used for remote unlocking of the crypto drives. I highly recommend changing the password or disabling root login on the actual machine.

    - Although the system is fully encrypted, there are still two possible attacks left to gain access to the data:
    (1) Cold boot attack by reading the crypto password from the RAM blocks (not much you can do against that without special hardware, see here)
    (2) The created initrd can be manipulated so that it logs the crypto password somewhere. As /boot is not encrypted, an attacker may gain the password for the LUKS devices this way. To prevent that, you could make a bootable CD with the according kernels and initrds and implement some kind of hash check... maybe there are other methods... feedback is welcomed here.

    - Most of this tutorial is not from me, just a few adaptations and explanations. So thanks go to Wolfram Coulmann and the others who modified the original script.

  2. #2

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    I will try this out this weekend; however, are networking services up prior to booting into the encrypted partition? This could potentially be a problem for me, particularly if a wireless connection isn't up and running.

  3. #3

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Yes, networking will be up prior to booting into the encrypted partition. You'll have to set this up in the initrd.... good luck with it

  4. #4

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Quote Originally Posted by hyper_ch
    HOWTO: Unlock a LUKS encrypted root partition via ssh
    Thanks a lot for your howto. I would like to ask whether it is possible for ADSL users.
    Which files related to pppoe should be put into initrd.img, and how do I send the IP to the remote user? I think these are two questions; is there a ready solution for them?

    BTW, where did you get the Ubuntu 8.04.1 version? I haven't found that it is out.
    Last edited by say2sky; June 16th, 2008 at 01:13 AM.

  5. #5

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    I have no clue about pppoe....

    But for the IP, you can use a dynamic IP client such as dyndns or no-ip... however, you'd have to integrate that also into your initrd image. dyndns and no-ip shouldn't be too hard... that's one binary and a config file (or something like that) that you can easily copy to the according dirs and have run in the script after the network is set up...

  6. #6

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Quote Originally Posted by hyper_ch
    I have no clue about pppoe....

    But for the IP, you can use a dynamic IP client such as dyndns or no-ip... however, you'd have to integrate that also into your initrd image. dyndns and no-ip shouldn't be too hard... that's one binary and a config file (or something like that) that you can easily copy to the according dirs and have run in the script after the network is set up...
    Thanks a lot for the help. I will do it and will also try to set up pppoe for ADSL so I can access all my files from anywhere through a secure connection at any time.

  7. #7

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Well, the last time I used a dial-up modem was like 8 years ago... and using modems was bad in w2k also... no clue about Linux.

  8. #8

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Thanks! This works like a charm...

    But I got one problem:

    After mounting the root partition, early crypto disks are mounted (I have a 2nd HDD that is mounted before sshd starts).

    Is there a way to load sshd before the mounting, or to keep dropbear alive until the 2nd password for the 2nd hard drive has been entered?

    Cheers,

    Eule

  9. #9

    Re: HOWTO: Unlock a LUKS encrypted root partition via ssh

    Quote Originally Posted by hyper_ch
    - Although the system is fully encrypted, there are still two possible attacks left to gain access to the data:
    (1) Cold boot attack by reading the crypto password from the RAM blocks (not much you can do against that without special hardware, see here)
    (2) The created initrd can be manipulated so that it logs the crypto password somewhere. As /boot is not encrypted, an attacker may gain the password for the LUKS devices this way. To prevent that, you could make a bootable CD with the according kernels and initrds and implement some kind of hash check... maybe there are other methods... feedback is welcomed here.

    - Most of this tutorial is not from me, just a few adaptations and explanations. So thanks go to Wolfram Coulmann and the others who modified the original script.
    Greetings!

    I have also been looking for quite some time for a way that supports remote pre-boot authentication for whole disk encryption. This solution comes quite close; however, as you wrote, the /boot partition can be altered with e.g. a keylogger or so. For a month or so I have been toying around with a yubikey (http://www.yubico.com/home/index/) which is basically an OTP token. The neat thing is that its realisation is kind of a 1-button USB keyboard, so no drivers etc. are needed, and validation is done via a webservice (at yubico; however, you can also set up your own server for validation as all tools they provide are open source).

    There are already PAM modules that support yubikey, but that does not solve the problem of how to securely mount an encrypted disk on a remote server. I think if the authors of LUKS/dm-crypt would integrate yubikey authentication as an optional feature we would have solved our problem. If /boot is altered in some way to log passwords, it won't matter since we are using OTP.

    What do you think about the idea? Could that work? At the moment I see 2 problems:

    1.) If we add yubikey OTP auth. as another layer, i.e. first provide the yubikey, after that provide the password -> same problem as before, the password can be logged. One might say that they cannot get to the password login without the yubikey, but if they can install a keylogger they might as well try to directly mount the volume or change the source code of dm-crypt to ignore the yubikey, since the key itself is not used for the encryption.

    2.) If we use the yubikey password to encrypt the device, then we have the problem that the drive is encrypted with password A and on the next login the key will generate a password B...


    Any discussions or ideas are welcome.
