Ubuntu – How to unlock LUKS root partition using ssh (not through dropbear)


I have been looking online for a solution that will allow me to automatically unlock an ubuntu 16.04 LTS machine with FDE (including the root partition). I have found a lot of guides that allow a remote unlock using dropbear. The idea there would be to allow a user to SSH into that machine to securely transfer a passphrase. What I want is the inverse and involves no SSH server on the machine trying to mount the encrypted partition.

What I would like is for when I am in initramfs and it is about to try to mount the encrypted partitions that it initiates an SSH session (such as grabs a file using scp) to get the passphrase. I would have a trusted machine that hands out the passphrases over the network. I can't seem to find information on a initramfs module or script to do such. Of course, it would be further great if it would try to grab that file, but if it wasn't available it just defaulted to grabbing console input. It seems that if someone got an SSH server running on initramfs it stands to follow there is some SCP-like client available, but I can't find anyone out there doing this.

In case noone has any ideas, what I am trying to protect against is someone stealing my machine wholesale, but still allow automatic reboots. I just want to store keys in another machine in a remote location that is unlikely to be simultaneously stolen and use a form of secure transmission to get those keys to boot.

Thanks in advance.

Best Answer

I've put together a fairly simple keyscript for retrieving keys over HTTPS. I was trying to solve the same problem I believe you are - securing a machine against untargeted theft while still allowing unattended reboots.

The key is stored encrypted on the other server, and you can configure basic authentication fairly easily - none of this particularly helps of course once someone's stolen the relevant machine! You'll still have to manually respond to the theft quickly by making the keys unavailable.

(I've also made my HTTP server limit access using GeoIP and my ISPs IP ranges, which might provide some protection if I'm lucky.)

Encrypting the key in my arrangement probably doesn't provide much benefit, I have to admit. (But it doesn't make things much more complicated.)

mandos is an attempt to solve a similar problem but tries to ensure that keys will be made unavailable quickly and automatically if a machine appears to have been stolen. This means it requires assumptions about downtime and a slightly more convoluted infrastructure.