Ubuntu – Full System encryption with LUKS on headless server – unlock with dropbear and busybox. How


I encrypted a headless server with cryptsetup/LUKS.
2 HDDs with 512 MB /boot on /dev/md0 and 1,61 TB LUKS encrypted /dev/md1 with LVM containing /, swap, and others.
I installed dropbear (and busybox was already installed) to unlock everything during the boot process. I use GRUB2.

So far everything works fine. I can log in with a private key on dropbear listening on port 22 and unlock LUKS with the command

echo -n "passphrase" > /lib/cryptsetup/passfifo

As soon as I do this, the server boots as if nothing is encrypted. Which is exactly what I want.

Now, while this works fine, it's not how I want it to work.
First of all, I can't find any documentation on /lib/cryptsetup/passfifo. How does it even work?
Second, I generated a keyfile with GPG (also one with cryptsetup as a loopback device) that I want to use instead of a password. But I can't find any documentation on how to do this in busybox. GPG does not seem to be installed, so I can't use that key (can I somehow make GPG available to busybox?)

So at the moment, the only way for me to unlock my system is to pass my password to /lib/cryptsetup/passfifo which I don't want to use.
I tried using cryptsetup directly in its busybox path like

cryptsetup luksOpen /dev/md1 cryptdisk

It did not show any errors, but my system did not proceed with the boot.

Any ideas what I could do, or is there something wrong with my approach of handling this?


Best Answer

This is more a comment than an answer, sorry. But since you didn't get any replies yet, I wanted to write something anyway.

As for how does it even work:

In the Initramfs you usually have one master process (usually a busybox based /init shell script) which is responsible for making the root partition available before handing off the boot process to the real init system of your Ubuntu install.

In case of dropbear in Initramfs, that is a separate process started by /init. Logging into dropbear you get a shell which is yet another process. All the while the original /init has to be running and waiting for something, in this case the LUKS password.

So what the /init script most likely does here, once it started dropbear, is create a named pipe, or fifo, i.e. the /lib/cryptsetup/passfifo. And then it reads from that named pipe. This read will block until there actually is something to read, so that's how /init hangs and waits for input.

Then some years later you log into dropbear and do your echo passphrase > /lib/cryptsetup/passfifo, at which point /init wakes up from its slumber and resumes to unlock LUKS and go on with the rest of the boot process.

And that's basically the general idea of how it works. If there is no documentation for it you would have to read the shell script.

As for a GPG encrypted key in Initramfs, I'm sure this is the standard method in Ubuntu somehow, probably to be set up via /etc/crypttab. Did you check the wiki for a howto?

It certainly would require GPG to be included in the Initramfs, but I outlined an alternative approach here which could be made to work without additional dependencies:

How do I use dm-crypt (LUKS) with GnuPG to use two-factor for FDE?

The problem with this is of course that it is not standard, so while it could be simpler in theory it might actually be harder to set up.
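To make the named-pipe handoff described in the answer concrete, here is an added example (not from the question or the answer, and not the real Ubuntu initramfs script) that models the /init side in POSIX sh. The fifo path, function names and the sleeping "dropbear session" are assumptions, and cryptsetup is replaced by a stub that only checks the passphrase is non-empty.

```shell
#!/bin/sh
# Model of the initramfs passfifo mechanism (added example, hypothetical names).
# /init creates a fifo, blocks reading it, and a later login writes into it.

# Create the fifo the unlock shell will write into (like /lib/cryptsetup/passfifo).
# Mode 600 keeps other initramfs users from opening it; this is the example's
# choice, not a statement about what the distribution script does.
create_passfifo() {
    fifo="$1"
    rm -f "$fifo"
    mkfifo -m 600 "$fifo"
}

# Block until something is written to the fifo, then print the passphrase.
# "read" exits non-zero when the writer used "echo -n" (no trailing newline),
# but the variable is still filled, so both cases are accepted.
wait_for_passphrase() {
    fifo="$1"
    pass=""
    read -r pass < "$fifo" || [ -n "$pass" ]
    printf '%s' "$pass"
}

# Stand-in for "cryptsetup luksOpen /dev/md1 cryptdisk": succeeds only when
# a non-empty passphrase arrived.
unlock_root() {
    [ -n "$1" ] || return 1
    return 0
}

# Full handoff: the reader blocks until the simulated login feeds the pipe.
demo_handoff() {
    fifo="${TMPDIR:-/tmp}/passfifo.$$"
    create_passfifo "$fifo"
    # Simulated dropbear session, writing a constructed test passphrase with
    # no trailing newline, exactly like "echo -n passphrase > passfifo".
    ( sleep 1; printf '%s' 'constructed-test-passphrase' > "$fifo" ) &
    pass=$(wait_for_passphrase "$fifo")
    wait
    rm -f "$fifo"
    unlock_root "$pass" && printf '%s' "$pass"
}
```

Running demo_handoff shows the reader sitting idle for a second and then continuing, which is the same block-then-resume behaviour /init exhibits between the dropbear login and the LUKS unlock.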