Dropbear
Remote unlock encrypted root filesystems over SSH on boot.
Note that most systems do not encrypt /boot and therefore dropbear keys should be considered compromised/untrusted; use separate keys when using dropbear!
See wireguard-initramfs to enable wireguard service on boot for fully encrypted remote boot root FS unlock.
Ansible Role: dropbear
Dropbear host identification keys are a special format, not a standard SSH keypair. See: Defaults.
Dropbear host keys are binary files and cannot be stored encrypted in the {host,group}_vars directory: Ansible will try to automatically decrypt the file as a vars file and fail with a UTF-8 encoding error. Store it within Ansible but outside of {host,group}_vars so that it is not decrypted until the binary file is copied, at which point the decryption happens correctly.
Remote Unlock using the dropbear key:
``` sh
ssh -i ~/.ssh/dropbear root@remote_host
```
# Dropbear
Dropbear installation from public release tarball.
## Requirements
No additional requirements.
## Role Variables
Settings have been thoroughly documented for usage.
[defaults/main.yml](https://github.com/r-pufky/ansible_dropbear/blob/main/defaults/main.yml).
## Dependencies
N/A
## Example Playbook
host_vars/dropbear.example.com/vars/dropbear.yml
``` yaml
dropbear_private_key: '{{ vault_dropbear_private_key }}'
dropbear_public_key: '{{ vault_dropbear_public_key }}'
# Dropbear host identification key. This is a special format, not a standard
# SSH keypair. Generate a host key, encrypt, store in ansible outside of
# {host,group}_vars:
#
# dropbearkey -t rsa -s 4096 -f dropbear_rsa_host_key
# ansible-vault encrypt dropbear/{HOST}_rsa_host_key
#
# NOTE: Dropbear host keys are binary files and cannot be stored encrypted in
# the {host,group}_vars directory. Ansible will try to automatically
# decrypt this file and fail due to UTF-8 encoding issues. Store it within
# ansible but outside of {host,group}_vars so it is not decrypted until
# the binary file is copied, at which point the decryption happens correctly.
#
# ERROR! 'utf-8' codec can't encode characters in position 23-24: surrogates
# not allowed
dropbear_rsa_host_key_file: 'dropbear/qnap_rsa_host_key'
```
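A pre-flight check for the host-key handling described in the comment above and in the note at the top of the page, added here as an example; it is not part of the r_pufky.dropbear role. It reproduces the `surrogates not allowed` failure with constructed bytes (the same decode-then-encode path that turns non-UTF-8 bytes into lone surrogates), verifies that a key file carries the Ansible Vault header before it is committed, and refuses paths under `host_vars/` or `group_vars/`. The assumption that a Dropbear host key begins with a length-prefixed algorithm name is mine, as are the sample bytes and file names.

```python
"""Pre-flight checks for a Dropbear host key kept in an Ansible repository.

Added example (not part of the r_pufky.dropbear role). Reproduces the
'surrogates not allowed' failure with constructed bytes and checks that a
key file is vault-encrypted and stored outside {host,group}_vars.
"""
import struct
from pathlib import PurePosixPath
from typing import List, Optional

VAULT_HEADER = b"$ANSIBLE_VAULT;"
# Assumption: a Dropbear host key starts with an SSH "string" (4-byte
# big-endian length + algorithm name). Verify a real file with
# `dropbearkey -y -f <file>` rather than trusting this check alone.
KNOWN_ALGS = {b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256"}

# Constructed sample key: an "ssh-rsa" header followed by bytes that are not
# valid UTF-8, as the mpint fields of a real key would contain.
SAMPLE_BINARY_KEY = (
    struct.pack(">I", 7) + b"ssh-rsa"
    + b"\x00\x00\x00\x03\x01\x00\x01"   # fake 3-byte mpint e = 65537
    + b"\xff\xfe\x80"                   # invalid UTF-8 sequence
)
# Constructed sample of a vault-encrypted file; the hex payload is a dummy.
SAMPLE_VAULT_FILE = b"$ANSIBLE_VAULT;1.1;AES256\n3132333435363738\n"


def is_vault_encrypted(data: bytes) -> bool:
    """Ansible Vault files are plain ASCII and begin with this header."""
    return data.startswith(VAULT_HEADER)


def looks_like_dropbear_host_key(data: bytes) -> bool:
    """True if the leading length-prefixed string names a known key algorithm."""
    if len(data) < 4:
        return False
    (alg_len,) = struct.unpack(">I", data[:4])
    alg = data[4:4 + alg_len]
    return len(alg) == alg_len and alg in KNOWN_ALGS


def ansible_utf8_error(plaintext: bytes) -> Optional[str]:
    """Reproduce the error quoted in the role's notes.

    After decrypting a vault file found under {host,group}_vars, Ansible
    treats the plaintext as text: non-UTF-8 bytes become lone surrogates via
    'surrogateescape', and a later strict encode fails. Returns the message,
    or None when the bytes round-trip cleanly (e.g. a YAML vars file).
    """
    text = plaintext.decode("utf-8", "surrogateescape")
    try:
        text.encode("utf-8")
    except UnicodeEncodeError as exc:
        return str(exc)
    return None


def path_safe_for_binary_key(path: str) -> bool:
    """True when the file lives outside host_vars/ and group_vars/."""
    return not any(p in ("host_vars", "group_vars") for p in PurePosixPath(path).parts)


def check_host_key(path: str, data: bytes) -> List[str]:
    """Return problems to fix before committing; an empty list means ready."""
    problems = []
    if not path_safe_for_binary_key(path):
        problems.append(f"{path}: stored under host_vars/group_vars; "
                        "Ansible will auto-decrypt it and choke on the binary")
    if not is_vault_encrypted(data):
        problems.append(f"{path}: not vault-encrypted; run 'ansible-vault encrypt {path}'")
        if not looks_like_dropbear_host_key(data):
            problems.append(f"{path}: does not start with a known Dropbear key algorithm string")
    return problems


if __name__ == "__main__":
    print("error Ansible would raise:", ansible_utf8_error(SAMPLE_BINARY_KEY))
    for path, data in [("host_vars/qnap/vars/rsa_host_key", SAMPLE_VAULT_FILE),
                       ("dropbear/qnap_rsa_host_key", SAMPLE_BINARY_KEY),
                       ("dropbear/qnap_rsa_host_key", SAMPLE_VAULT_FILE)]:
        print(path, "->", check_host_key(path, data) or ["ok"])
```

Run it against the real key file once before `git add`: a vault-encrypted file passes `is_vault_encrypted`, so a plaintext key that slipped past `ansible-vault encrypt` shows up as a finding instead of landing in the repository.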
site.yml
``` yaml
- name: 'dropbear'
  hosts: 'dropbear.example.com'
  become: true
  roles:
    - 'r_pufky.dropbear'
```
## Issues
Create a bug and provide as much information as possible.
Associate pull requests with a submitted bug.
## License
[AGPL-3.0 License](https://github.com/r-pufky/ansible_dropbear/blob/main/LICENSE)
## Author Information
https://keybase.io/rpufky
Role Details: Updated 2022-10-08
## Defaults
``` yaml
---
###############################################################################
# Dropbear Remote Unlock Configuration
###############################################################################
# Dropbear private/public keys for remote root FS crypto unlock.
# ssh-keygen -b 4096 -t rsa -f ~/.ssh/dropbear
# Use vault. This key should use a key password.
dropbear_private_key: ''
dropbear_public_key: ''
# Dropbear host identification key. This is a special format, not a standard
# SSH keypair. Generate a host key, encrypt, store in ansible outside of
# {host,group}_vars:
#
# dropbearkey -t rsa -s 4096 -f dropbear_rsa_host_key
# ansible-vault encrypt special/{HOST}_rsa_host_key
#
# NOTE: Dropbear host keys are binary files and cannot be stored encrypted in
# the {host,group}_vars directory. Ansible will try to automatically
# decrypt this file and fail due to UTF-8 encoding issues. Store it within
# ansible but outside of {host,group}_vars so it is not decrypted until
# the binary file is copied, at which point the decryption happens correctly.
#
# ERROR! 'utf-8' codec can't encode characters in position 23-24: surrogates
# not allowed
dropbear_rsa_host_key_file: ''
# Command line options to pass to dropbear.
# -s -g - disable user, root password auth
# -j -k - disable local, remote port forwarding
# -m disable MOTD
# -p 22 listen on all interfaces, port 22
# -T 1 one authentication attempt
dropbear_options: '-s -g -j -k -m -p 22 -T 1'
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
dropbear_ifdown: '*'
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
dropbear_shutdown_timeout: '60'
```
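To audit the `dropbear_options` string before a playbook ships it, here is an added Python check that is not part of the role: it parses the flags the defaults above document (`-s`, `-g`, `-j`, `-k`, `-m`, `-p`, `-T`) into a posture summary and lists what a reviewer would flag, for instance when someone trims the string down to `-p 2222`. The flag meanings are taken from the comments above; any other flag is reported as unreviewed rather than interpreted, and the sample option strings are constructed.

```python
"""Audit a `dropbear_options` string before it ships in a playbook.

Added example, not the role's own code. Flag meanings are the ones the role's
defaults document (-s, -g, -j, -k, -m, -p, -T); anything else is reported as
unrecognised rather than guessed at.
"""
import shlex
from typing import Any, Dict, List

# Boolean flags from the role's comments, mapped to the protection they enable.
BOOLEAN_FLAGS = {
    "-s": "password_auth_disabled",
    "-g": "root_password_auth_disabled",
    "-j": "local_forwarding_disabled",
    "-k": "remote_forwarding_disabled",
    "-m": "motd_disabled",
}
# Flags that consume the following token as their value.
VALUE_FLAGS = {"-p", "-T"}

HARDENED_DEFAULT = "-s -g -j -k -m -p 22 -T 1"   # the role's default
WEAKENED_SAMPLE = "-p 2222"                      # constructed: port changed, hardening dropped


def parse_options(options: str) -> Dict[str, Any]:
    """Turn the option string into a posture dict.

    Raises ValueError when -p or -T is given without a value, which dropbear
    would also reject at boot, when it is far harder to notice.
    """
    tokens = shlex.split(options)
    posture: Dict[str, Any] = {name: False for name in BOOLEAN_FLAGS.values()}
    posture.update({"listen": [], "max_auth_tries": None, "unknown": []})
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in BOOLEAN_FLAGS:
            posture[BOOLEAN_FLAGS[tok]] = True
        elif tok in VALUE_FLAGS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a value")
            value = tokens[i + 1]
            i += 1
            if tok == "-p":
                posture["listen"].append(value)      # [address:]port, may repeat
            else:
                posture["max_auth_tries"] = int(value)
        else:
            posture["unknown"].append(tok)
        i += 1
    return posture


def audit(options: str) -> List[str]:
    """Return findings a reviewer would raise; empty means the hardening is intact."""
    p = parse_options(options)
    findings = []
    if not p["password_auth_disabled"]:
        findings.append("-s missing: password authentication is enabled in the initramfs")
    if not p["root_password_auth_disabled"]:
        findings.append("-g missing: root may authenticate with a password")
    if not (p["local_forwarding_disabled"] and p["remote_forwarding_disabled"]):
        findings.append("-j/-k missing: port forwarding through the initramfs is allowed")
    if p["max_auth_tries"] is None or p["max_auth_tries"] > 1:
        findings.append("-T 1 missing: more than one authentication attempt per connection")
    if not p["listen"]:
        findings.append("-p missing: no explicit listen port, dropbear's default applies")
    for tok in p["unknown"]:
        findings.append(f"{tok}: flag not covered by the role documentation, review manually")
    return findings


if __name__ == "__main__":
    for sample in (HARDENED_DEFAULT, WEAKENED_SAMPLE):
        print(f"{sample!r}: {audit(sample) or ['ok']}")
```

Wire `audit()` into a pre-commit hook or a molecule verify step so that a change to `dropbear_options` in host_vars has to explain away each finding rather than silently re-enabling password authentication on the unlock shell.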