
Ubuntu 20.04 Desktop: Unlocking LUKS over SSH

I installed a machine with full-disk encryption following this guide. Now I want to be able to put the machine in a corner somewhere and unlock the full-disk encryption over SSH, similar to what I already do for our servers.

Install additional packages

sudo apt update
sudo apt upgrade -y
sudo apt autoremove -y
sudo apt install -y joe busybox dropbear-initramfs cryptsetup-initramfs
sudo apt install -y openssh-server

/etc/initramfs-tools/initramfs.conf

root@dpserv2:~# diff -u /etc/initramfs-tools/initramfs.conf~ /etc/initramfs-tools/initramfs.conf
--- /etc/initramfs-tools/initramfs.conf~ 2020-02-15 01:42:27.000000000 +0100
+++ /etc/initramfs-tools/initramfs.conf  2021-01-31 21:19:02.360316253 +0100
@@ -27,7 +27,7 @@
 # be used otherwise.
 #

-BUSYBOX=auto
+BUSYBOX=y

 #
 # COMPCACHE_SIZE: [ "x K" | "x M" | "x G" | "x %" ]
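
Review bot: the switch from `BUSYBOX=auto` to `BUSYBOX=y` carries no recorded reason. The package step already installs busybox, and the context comment ("be used otherwise") shows that `auto` only falls back when busybox is absent, so add a comment above this line saying why the explicit `y` is wanted for the SSH unlock setup.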

/etc/dropbear-initramfs/config

root@dpserv2:~# diff -u /etc/dropbear-initramfs/config~ /etc/dropbear-initramfs/config
--- /etc/dropbear-initramfs/config~  2019-09-05 12:47:46.000000000 +0200
+++ /etc/dropbear-initramfs/config   2021-02-02 12:35:11.147097180 +0100
@@ -6,7 +6,7 @@
 #
 # Command line options to pass to dropbear(8)
 #
-#DROPBEAR_OPTIONS=
+DROPBEAR_OPTIONS='-c cryptroot-unlock'

 #
 # On local (non-NFS) mounts, interfaces matching this pattern are
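
Review bot: the new `DROPBEAR_OPTIONS='-c cryptroot-unlock'` line sets only the forced command and leaves the rest of dropbear at its defaults. This server listens before the disk is unlocked, so consider also passing `-s` (disable password logins) and `-j -k` (disable local and remote port forwarding), e.g. `DROPBEAR_OPTIONS='-s -j -k -c cryptroot-unlock'`.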

/etc/dropbear-initramfs/authorized_keys

ssh-rsa AAAAB3NzaC1yc... schluessel1
ssh-rsa AAAAB3NzaC1yc... schluessel2

/root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc... schluessel1
ssh-rsa AAAAB3NzaC1yc... schluessel2

Update the initramfs

dpserv2$ sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-5.8.0-41-generic
I: The initramfs will attempt to resume from /dev/dm-2
I: (/dev/mapper/ubuntu--vg-swap_1)
I: Set the RESUME variable to override this.
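
Before rebooting, the edits made above can be checked in one pass. The shell function below is an added example, not part of the original post; the name `check_unlock_config` and its root-prefix argument are hypothetical, and it assumes that an initrd image newer than each edited file means `update-initramfs -u` has been run since the last change.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot check of the files
# edited above. ROOT is a hypothetical prefix so the check can run on a copy.
check_unlock_config() {
    root="${1:-}"; fail=0
    conf="$root/etc/initramfs-tools/initramfs.conf"
    dbconf="$root/etc/dropbear-initramfs/config"
    keys="$root/etc/dropbear-initramfs/authorized_keys"

    # initramfs.conf: BUSYBOX=y must be active, not commented out
    grep -Eq '^BUSYBOX=y[[:space:]]*$' "$conf" 2>/dev/null ||
        { echo "FAIL: BUSYBOX=y missing in $conf"; fail=1; }

    # dropbear config: the forced command limits logins to cryptroot-unlock
    grep -Eq '^DROPBEAR_OPTIONS=.*-c[[:space:]]+cryptroot-unlock' "$dbconf" 2>/dev/null ||
        { echo "FAIL: forced command missing in $dbconf"; fail=1; }

    # authorized_keys: at least one public key (options may precede the type)
    grep -Eq '(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)[[:space:]]+AAAA' \
        "$keys" 2>/dev/null ||
        { echo "FAIL: no public key in $keys"; fail=1; }

    # authorized_keys must not be writable by group or others
    if [ -n "$(find "$keys" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "FAIL: $keys is group- or world-writable"; fail=1
    fi

    # Each edited file must be older than some initrd image; otherwise the
    # change has not been copied into the initramfs yet.
    for f in "$conf" "$dbconf" "$keys"; do
        [ -e "$f" ] || continue
        if [ -z "$(find "$root/boot" -name 'initrd.img-*' -newer "$f" 2>/dev/null)" ]; then
            echo "FAIL: no initrd in $root/boot is newer than $f"; fail=1
        fi
    done

    [ "$fail" -eq 0 ] && echo "OK: configuration matches the steps above"
    return "$fail"
}
```

On the installed machine, run it as root with an empty prefix: `check_unlock_config ""`.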

Reboot

Initiate the reboot

dpserv2$ sudo reboot
Connection to 192.168.0.198 closed by remote host.
Connection to 192.168.0.198 closed.

Unlocking

The machine can be unlocked either via SSH or at the console.

Here is the procedure via SSH:

uli-laptop$ ssh -o UserKnownHostsFile="${HOME}/.ssh/knownHosts-boot" root@192.168.0.198
The authenticity of host '192.168.0.198 (192.168.0.198)' can't be established.
ECDSA key fingerprint is SHA256:pYGRgR4ZKS7nhlTt2ZxuFZ5S9vkY1vYGuYYLAstMmKg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.198' (ECDSA) to the list of known hosts.
Please unlock disk sdb3_crypt: MEIN-KENNWORT
cryptsetup: sdb3_crypt set up successfully
Connection to 192.168.0.198 closed.

History

  • 2020-02-03: Added the “Unlocking” section
  • 2020-02-02: First version