Comments on: How to remotely decrypt a LUKS encrypted Debian/Ubuntu System

By: Linux – Full Disk Encryption with Remote Access – EXPLOINSIGHTS, INC. Sys-Admin

Sat, 04 Aug 2018 11:00:24 +0000

[…] post: https://www.theo-andreou.org/?p=1579 is genius. Except where it isn’t, if you see what we […]

By: Theodotos Andreou

Theodotos Andreou — Wed, 02 May 2018 07:07:42 +0000

In reply to khumphrey.

A more automated workflow is provided by Mandos:

https://wiki.recompile.se/wiki/Mandos

It does have it's limitations though. Make sure you read the FAQ:

https://www.recompile.se/mandos/man/intro.8mandos

By: khumphrey

khumphrey — Mon, 30 Apr 2018 20:28:00 +0000

Hey man, great tutorial.

I had a few questions though.

I am looking to set up an environment like this, however, I need it in the following architecture.

Instead of initiating the unlock from the local host, how would I make it so when the encrypted server boots, it automatically calls the keyserver, retrieves a key file or passphrase, then unlocks the drive.

Thanks!

By: Installing a software RAID 10 Debian system with LUKS disk encryprion – Mouflons and Penguins

Sat, 03 Feb 2018 18:15:11 +0000

[…] Theodotos Andreou on How to remotely decrypt a LUKS encrypted Debian/Ubuntu System […]

By: Theodotos Andreou

Theodotos Andreou — Thu, 25 Jan 2018 08:43:57 +0000

In reply to greg.

Indeed. This article should be considered obsolete for stretch.

By: greg

greg — Thu, 25 Jan 2018 07:37:17 +0000

in Stretch there is already a cryptroot-unlock script included

By: Theodotos Andreou

Theodotos Andreou — Tue, 23 May 2017 16:09:55 +0000

In reply to Euan Millar.

Well the idea of the tutorial is to have a different port when the server is in production. In the tutorial we are using port 4422. So if you try this it will probably work:

ssh -p 4422 root@encrypted-system

By: Euan Millar

Euan Millar — Tue, 23 May 2017 14:15:42 +0000

Great tutorial. However I am having a very strange problem. I am able to successfully unlock the filesystem using dropbear SSH and a static IP. But after a few moments and the filesystem builds, when I try to SSH into the box on the same IP and port, I get a network unreachable error. can anyone advise?

By: Theodotos Andreou

Theodotos Andreou — Sat, 29 Apr 2017 16:01:29 +0000

In reply to Richard Laing.

Thanks for the additional info Richard.

By: Richard Laing

Richard Laing — Sat, 29 Apr 2017 12:16:29 +0000

Just wanted to say thank you for the tutorial this works just great on my Ubuntu 16.04 box.

I do have a couple of items to add.

When using multiple network interfaces best practice to lock down the configure inside initramfs.conf down to one device by using the 'DEVICE=' else you will need to make multiple IP= lines inside the config so you guarantee the IP address used by dropbear.
In order to avoid any key warring you should change the a line inside /usr/share/initramfs-tools/scripts/init-premount/dropbear

The line reads 'exec /sbin/dropbear ${DROPBEAR_OPTIONS:-$PKGOPTION_dropbear_OPTION} -Fs'

Append -p XXXX where XXXX is the port number used for the dropbear so it will not overlap with the port that is by your openssh thus avoiding the warnings when sshing into your machine.