Dropbear

Remote unlock encrypted root filesystems over SSH on boot.

Note that most systems do not encrypt /boot and therefore dropbear keys should be considered compromised/untrusted; use separate keys when using dropbear!

See wireguard-initramfs to enable wireguard service on boot for fully encrypted remote boot root FS unlock.

Ansible Role: dropbear
  • Dropbear host identification keys are a special format, not a standard SSH keypair. See: Defaults.

  • Dropbear host keys are binary files and cannot be stored vault-encrypted in the {host,group}_vars directory: Ansible will try to automatically decrypt the file while loading variables and fail with a UTF-8 encoding error. Store the encrypted key within Ansible but outside of {host,group}_vars, so that decryption is deferred until the binary file is copied, where it succeeds.

  • Remote unlock using the dropbear key: `ssh -i ~/.ssh/dropbear root@remote_host`.

# Dropbear
Dropbear installation from public release tarball.

## Requirements
No additional requirements.

## Role Variables
Settings are thoroughly documented in the defaults file.

[defaults/main.yml](https://github.com/r-pufky/ansible_dropbear/blob/main/defaults/main.yml).

## Dependencies
N/A

## Example Playbook
host_vars/dropbear.example.com/vars/dropbear.yml
``` yaml
dropbear_private_key: '{{ vault_dropbear_private_key }}'
dropbear_public_key:  '{{ vault_dropbear_public_key }}'

# Dropbear host identification key. This is a special format, not a standard
# SSH keypair. Generate a host key, encrypt, store in ansible outside of
# {host,group}_vars:
#
#   dropbearkey -t rsa -s 4096 -f dropbear_rsa_host_key
#   ansible-vault encrypt dropbear/{HOST}_rsa_host_key
#
# NOTE: Dropbear host keys are binary files and cannot be stored encrypted in
#       the {host,group}_vars directory. Ansible will try to automatically
#       decrypt this file and fail due to UTF-8 encoding issues. Store it
#       within ansible but outside of {host,group}_vars to defer decryption
#       until the binary file is copied, where the decryption succeeds.
#
# ERROR! 'utf-8' codec can't encode characters in position 23-24: surrogates
#        not allowed
dropbear_rsa_host_key_file: 'dropbear/qnap_rsa_host_key'
```
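The two comments above describe a failure mode rather than a bug in the key: vars files are read as UTF-8 text, and a dropbear host key is the binary output of `dropbearkey`. The following is an added example (not part of the r_pufky.dropbear role) that models that text round trip in Python. The sample bytes are constructed; the function names are mine. It assumes the loader uses Python's `surrogateescape` handler, the usual way to tolerate undecodable bytes, which is what produces the "surrogates not allowed" message quoted in the comment.

```python
"""Why a binary dropbear host key cannot live vault-encrypted under {host,group}_vars.

Added example, not part of the r_pufky.dropbear role. A vars file is read as
UTF-8 text; with errors="surrogateescape" every undecodable byte becomes a
lone surrogate code point, and any later UTF-8 encode of that text raises
"surrogates not allowed". A real dropbear host key is never valid text.
"""
from typing import Dict, Optional

# Constructed sample: the kind of bytes a binary host key contains.
# The bytes \xff \xfe \x80 are deliberately not valid UTF-8.
CONSTRUCTED_BINARY_KEY = b"\x00\x00\x00\x07ssh-rsa\xff\xfe\x80\x00\x00\x01"

# Constructed sample: a text vars file, which is what {host,group}_vars expects.
CONSTRUCTED_TEXT_VARS = b"dropbear_public_key: 'ssh-rsa AAAA...EXAMPLE'\n"


def is_utf8_text(data: bytes) -> bool:
    """True when the bytes decode cleanly as UTF-8, i.e. safe as a vars file."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def reproduce_surrogate_error(data: bytes) -> Optional[str]:
    """Model of the text round trip a vars loader performs.

    Returns None when the round trip succeeds, otherwise the encoder's
    message, which for binary input is the error quoted in the README.
    """
    text = data.decode("utf-8", errors="surrogateescape")
    try:
        text.encode("utf-8")
    except UnicodeEncodeError as exc:
        return str(exc)
    return None


def vars_safe_files(files: Dict[str, bytes]) -> Dict[str, bool]:
    """Preflight for (relative path -> contents) pairs destined for
    {host,group}_vars: True means the file may be vault-encrypted there,
    False means keep it outside and let the copy task decrypt it."""
    return {path: is_utf8_text(data) for path, data in files.items()}


if __name__ == "__main__":
    samples = {"host_vars/x/vars/dropbear.yml": CONSTRUCTED_TEXT_VARS,
               "host_vars/x/vars/rsa_host_key": CONSTRUCTED_BINARY_KEY}
    for path, ok in vars_safe_files(samples).items():
        print(f"{path}: safe_in_vars={ok} error={reproduce_surrogate_error(samples[path])}")
```

The vault armour itself is plain ASCII, so `ansible-vault encrypt` on the binary file works; only the variable loader's text decode fails. A copy task decrypts a vault-encrypted `src` at copy time and writes the raw bytes, which is why the role keeps the host key outside {host,group}_vars and references it by path.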

site.yml
``` yaml
- name:   'dropbear'
  hosts:  'dropbear.example.com'
  become: true
  roles:
     - 'r_pufky.dropbear'
```

## Issues
Create a bug and provide as much information as possible.

Associate pull requests with a submitted bug.

## License
[AGPL-3.0 License](https://github.com/r-pufky/ansible_dropbear/blob/main/LICENSE)

## Author Information
https://keybase.io/rpufky

Role Details: Updated: 2022-10-08

Defaults

defaults/main.yml
``` yaml
---
###############################################################################
# Dropbear Remote Unlock Configuration
###############################################################################

# Dropbear private/public keys for remote root FS crypto unlock.
# ssh-keygen -b 4096 -t rsa -f ~/.ssh/dropbear
# Store in vault. This key should be protected by a key password.
dropbear_private_key: ''
dropbear_public_key:  ''

# Dropbear host identification key. This is a special format, not a standard
# SSH keypair. Generate a host key, encrypt, store in ansible outside of
# {host,group}_vars:
#
#   dropbearkey -t rsa -s 4096 -f dropbear_rsa_host_key
#   ansible-vault encrypt special/{HOST}_rsa_host_key
#
# NOTE: Dropbear host keys are binary files and cannot be stored encrypted in
#       the {host,group}_vars directory. Ansible will try to automatically
#       decrypt this file and fail due to UTF-8 encoding issues. Store it
#       within ansible but outside of {host,group}_vars to defer decryption
#       until the binary file is copied, where the decryption succeeds.
#
# ERROR! 'utf-8' codec can't encode characters in position 23-24: surrogates
#        not allowed
dropbear_rsa_host_key_file: ''

# Command line options to pass to dropbear.
# -s -g - disable user, root password auth
# -j -k - disable local, remote port forwarding
# -m disable MOTD
# -p 22 listen on all interfaces, port 22
# -T 1 one authentication attempt
dropbear_options: '-s -g -j -k -m -p 22 -T 1'

# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
dropbear_ifdown: '*'

# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (i.e. no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
dropbear_shutdown_timeout:  '60'
```
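The `dropbear_options` string is the part of this role most likely to be weakened by a later edit, so a small audit of it against the hardened default is worth having in a pre-deploy check. The following is an added example (not part of the r_pufky.dropbear role) that parses such a string and reports which of the documented protections are missing. It assumes only the flag meanings given in the comment above: `-s`/`-g` disable user and root password authentication, `-j`/`-k` disable local and remote port forwarding, `-m` suppresses the MOTD, `-p` takes `[address:]port` and `-T` takes the number of authentication attempts. The function names are mine.

```python
"""Audit a dropbear_options string against the role's hardened default.

Added example, not part of the r_pufky.dropbear role. Only the options
documented in defaults/main.yml are checked.
"""
import shlex
from typing import Dict, List, Set, Tuple

# Bare flags whose absence weakens the remote-unlock listener, with the
# finding reported when each is missing.
REQUIRED_FLAGS = {
    "-s": "password authentication is enabled; add -s",
    "-g": "root password authentication is enabled; add -g",
    "-j": "local port forwarding is enabled; add -j",
    "-k": "remote port forwarding is enabled; add -k",
}
# Flags that consume the next token as their argument.
VALUED_FLAGS = {"-p", "-T"}


def parse_dropbear_options(opts: str) -> Tuple[Set[str], Dict[str, str]]:
    """Split an option string into bare flags and flag -> argument pairs."""
    tokens = shlex.split(opts)
    flags: Set[str] = set()
    valued: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUED_FLAGS:
            # A valued flag at the end, or followed by another flag, is malformed.
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                raise ValueError(f"{tok} requires an argument")
            valued[tok] = tokens[i + 1]
            i += 2
        else:
            flags.add(tok)
            i += 1
    return flags, valued


def listen_address(opts: str) -> Tuple[str, int]:
    """Return (address, port) dropbear will bind to; '*' means all interfaces.
    Without -p dropbear listens on port 22, matching the role's default."""
    _, valued = parse_dropbear_options(opts)
    spec = valued.get("-p", "22")
    if ":" in spec:
        addr, port = spec.rsplit(":", 1)
        return addr, int(port)
    return "*", int(spec)


def audit_dropbear_options(opts: str, max_auth_tries: int = 1) -> List[str]:
    """Return findings; an empty list means the string is at least as strict
    as the role's default '-s -g -j -k -m -p 22 -T 1'."""
    flags, valued = parse_dropbear_options(opts)
    findings = [msg for flag, msg in REQUIRED_FLAGS.items() if flag not in flags]

    tries = valued.get("-T")
    if tries is None:
        findings.append("-T not set; limit authentication attempts (role default: -T 1)")
    elif not tries.isdigit() or int(tries) > max_auth_tries:
        findings.append(f"-T {tries} allows more than {max_auth_tries} authentication attempt(s)")
    return findings


if __name__ == "__main__":
    for candidate in ("-s -g -j -k -m -p 22 -T 1", "-p 22", "-s -g -j -k -m -p 127.0.0.1:2222 -T 3"):
        print(candidate, "->", listen_address(candidate), audit_dropbear_options(candidate) or "OK")
```

Run it against the value from each host's vars before a deploy; a non-empty result means the listener in the initramfs accepts something the role's default deliberately turns off.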