Dropbear
Remote unlock of encrypted root filesystems over SSH at boot. Note that most systems do not encrypt /boot, so the dropbear host keys and authorized_keys packed into the initramfs sit on unencrypted storage and should be considered compromised/untrusted; use a separate, dedicated key pair for dropbear!
See wireguard-initramfs to bring up a wireguard tunnel at boot for a fully encrypted remote root FS unlock.
Dropbear Setup
apt install dropbear-initramfs
Set dropbear options in /etc/dropbear-initramfs/config:
#
# Configuration options for the dropbear-initramfs boot scripts.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files under the '/etc/dropbear-initramfs' directory).
#
# Command line options to pass to dropbear(8)
# -s -g   disable password auth for users and for root (key auth only)
# -j -k   disable local and remote port forwarding
# -m      disable MOTD
# -p 22   listen on all interfaces, port 22
# -T 10   allow at most 10 authentication attempts (dropbear's default;
#         use -T 1 for a single attempt)
DROPBEAR_OPTIONS='-s -g -j -k -m -p 22 -T 10'
#
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#
IFDOWN=*
#
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#
DROPBEAR_SHUTDOWN_TIMEOUT=60
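As an added example (not part of this page or of dropbear-initramfs itself), a small Python checker that parses a config file in the format above and reports which of the hardening flags DROPBEAR_OPTIONS relies on are missing; the WEAK and HARDENED samples are constructed, and the defaults assumed for a missing -p and -T are dropbear's own (22 and 10).

```python
import re
import shlex

# Flags the hardened DROPBEAR_OPTIONS above relies on, and what each one disables.
REQUIRED_FLAGS = {"-s": "password authentication for users",
                  "-g": "password authentication for root",
                  "-j": "local port forwarding", "-k": "remote port forwarding"}
# dropbear options that take an argument, attached (-p22) or separate (-p 22)
WITH_ARG = {"-p", "-T", "-b", "-r", "-P", "-W", "-K", "-I", "-c"}

def parse_config(text):
    """Return the VAR=value assignments from dropbear-initramfs config text,
    with quotes removed the way the boot scripts' shell would remove them."""
    pairs = re.findall(r"^[ \t]*([A-Z_][A-Z0-9_]*)=(.*)$", text, re.M)
    return {name: " ".join(shlex.split(value)) for name, value in pairs}

def audit_options(options):
    """Summarise one DROPBEAR_OPTIONS string (flags are one per token, as above)."""
    tokens = shlex.split(options)
    flags, args, i = set(), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[:2] in WITH_ARG:
            if len(tok) > 2:
                args[tok[:2]] = tok[2:]
            else:
                i += 1
                args[tok[:2]] = tokens[i] if i < len(tokens) else ""
        else:
            flags.add(tok)
        i += 1
    return {
        "missing": [f for f in REQUIRED_FLAGS if f not in flags],
        "port": args.get("-p", "22"),  # dropbear listens on 22 when -p is absent
        "max_tries": int(args["-T"]) if args.get("-T", "").isdigit() else 10,
    }

def findings(config_text):
    """Human-readable list of what a config leaves enabled; empty means hardened."""
    opts = parse_config(config_text).get("DROPBEAR_OPTIONS", "")
    return [f"{flag} missing: {REQUIRED_FLAGS[flag]} stays enabled"
            for flag in audit_options(opts)["missing"]]

# Constructed samples: a config left at defaults, and the hardened one from this page.
WEAK = "# only the port was changed\nDROPBEAR_OPTIONS='-p 2222'\nIFDOWN=*\n"
HARDENED = "DROPBEAR_OPTIONS='-s -g -j -k -m -p 22 -T 10'\nIFDOWN=*\n"
```

Run `findings(WEAK)` and `findings(HARDENED)` to compare the two; the first lists the four disabled-by-flag features that remain enabled, the second returns an empty list.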
Dropbear uses a special binary format for host keys. Generate a new pair of host keys to use, and remove all others:
dropbearkey -t rsa -s 4096 -f /etc/dropbear-initramfs/dropbear_rsa_host_key
rm /etc/dropbear-initramfs/dropbear_{dss,ecdsa,ed25519}_host_key
Create a dedicated SSH key pair used only for dropbear. Protect the private key with a passphrase. Add the public key to dropbear's authorized_keys:
ssh-keygen -b 4096 -t rsa -f ~/.ssh/dropbear
cp ~/.ssh/dropbear.pub /etc/dropbear-initramfs/authorized_keys
Update Kernel
The initramfs must be rebuilt every time the dropbear configuration or its keys change; then refresh the bootloader entries and reboot.
update-initramfs -u
update-grub
reboot
Remote Unlock
Connect with the dedicated key; the '#' below is the prompt of the initramfs shell, where cryptroot-unlock asks for the passphrase and then lets the boot continue:
ssh -i ~/.ssh/dropbear root@remote_host
# cryptroot-unlock