Comments on: How to remotely decrypt a LUKS encrypted Debian/Ubuntu System
https://www.theo-andreou.org/?p=1579
Just another boring linux blog
Sun, 02 Jun 2019 08:55:42 +0000

By: Linux – Full Disk Encryption with Remote Access – EXPLOINSIGHTS, INC. Sys-Admin, Sat, 04 Aug 2018 11:00:24 +0000 (https://www.theo-andreou.org/?p=1579#comment-16731)
[…] post: https://www.theo-andreou.org/?p=1579 is genius. Except where it isn’t, if you see what we […]

By: Theodotos Andreou, Wed, 02 May 2018 07:07:42 +0000 (https://www.theo-andreou.org/?p=1579#comment-14823)
In reply to khumphrey.

A more automated workflow is provided by Mandos:

https://wiki.recompile.se/wiki/Mandos

It does have its limitations though. Make sure you read the FAQ:

https://www.recompile.se/mandos/man/intro.8mandos

By: khumphrey, Mon, 30 Apr 2018 20:28:00 +0000 (https://www.theo-andreou.org/?p=1579#comment-14812)
Hey man, great tutorial.

I had a few questions though.

I am looking to set up an environment like this, however, I need it in the following architecture.

Instead of initiating the unlock from the local host, how would I make it so that when the encrypted server boots, it automatically calls the keyserver, retrieves a key file or passphrase, then unlocks the drive?

Thanks!

By: Installing a software RAID 10 Debian system with LUKS disk encryprion – Mouflons and Penguins, Sat, 03 Feb 2018 18:15:11 +0000 (https://www.theo-andreou.org/?p=1579#comment-13340)
[…] Theodotos Andreou on How to remotely decrypt a LUKS encrypted Debian/Ubuntu System […]

By: Theodotos Andreou, Thu, 25 Jan 2018 08:43:57 +0000 (https://www.theo-andreou.org/?p=1579#comment-13203)
In reply to greg.

Indeed. This article should be considered obsolete for stretch.

By: greg, Thu, 25 Jan 2018 07:37:17 +0000 (https://www.theo-andreou.org/?p=1579#comment-13201)
In Stretch there is already a cryptroot-unlock script included.

By: Theodotos Andreou, Tue, 23 May 2017 16:09:55 +0000 (https://www.theo-andreou.org/?p=1579#comment-9895)
In reply to Euan Millar.

Well, the idea of the tutorial is to have a different port when the server is in production. In the tutorial we are using port 4422. So if you try this it will probably work:

ssh -p 4422 root@encrypted-system
By: Euan Millar, Tue, 23 May 2017 14:15:42 +0000 (https://www.theo-andreou.org/?p=1579#comment-9891)
Great tutorial. However, I am having a very strange problem. I am able to successfully unlock the filesystem using dropbear SSH and a static IP. But after a few moments, once the filesystem builds, when I try to SSH into the box on the same IP and port, I get a network unreachable error. Can anyone advise?

By: Theodotos Andreou, Sat, 29 Apr 2017 16:01:29 +0000 (https://www.theo-andreou.org/?p=1579#comment-9675)
In reply to Richard Laing.

Thanks for the additional info Richard.

By: Richard Laing, Sat, 29 Apr 2017 12:16:29 +0000 (https://www.theo-andreou.org/?p=1579#comment-9671)
Just wanted to say thank you for the tutorial; this works just great on my Ubuntu 16.04 box.

I do have a couple of items to add.

  1. When using multiple network interfaces it is best practice to lock the configuration inside initramfs.conf down to one device by using ‘DEVICE=’; otherwise you will need to make multiple IP= lines inside the config to guarantee the IP address used by dropbear.

  2. In order to avoid any key warnings you should change a line inside /usr/share/initramfs-tools/scripts/init-premount/dropbear

The line reads ‘exec /sbin/dropbear ${DROPBEAR_OPTIONS:-$PKGOPTION_dropbear_OPTION} -Fs’

Append -p XXXX, where XXXX is the port number used for dropbear, so it will not overlap with the port used by your openssh, thus avoiding the warnings when sshing into your machine.

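The two tips in the comment above, carried through as an added shell example that is not part of the original post or of any comment: it generates the DEVICE=/IP= lines for initramfs.conf, patches the quoted dropbear exec line to add a dedicated port (idempotently, so running it twice does not stack options), and prints a client-side ssh_config stanza for the unlock connection. The interface name eth0, the 192.0.2.0/24 addresses, the hostname encrypted-system and port 4422 are assumptions for illustration; the dropbear script content is a constructed stand-in for the packaged file.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments: applies
# the two tips above to a Debian/Ubuntu initramfs-tools + dropbear setup.
# File paths are the ones named in the comment; the interface, addresses,
# hostname and port 4422 are assumptions chosen for illustration.

# Tip 1: pin the initramfs network setup to one interface so dropbear always
# comes up on the address you expect. Prints the two lines to put in
# /etc/initramfs-tools/initramfs.conf. IP= uses the kernel's ip= syntax:
# client:server:gateway:netmask:hostname:device:autoconf (server is left
# empty; autoconf is "off" for a static address).
initramfs_net_lines() {
    dev="$1"; addr="$2"; gw="$3"; mask="$4"; host="$5"
    printf 'DEVICE=%s\nIP=%s::%s:%s:%s:%s:off\n' \
        "$dev" "$addr" "$gw" "$mask" "$host" "$dev"
}

# Tip 2: give the initramfs dropbear its own port so it never shares a
# host:port with the real OpenSSH server (whose host key differs). Reads
# /usr/share/initramfs-tools/scripts/init-premount/dropbear on stdin and
# writes it to stdout with "-p PORT" appended to the exec line. Idempotent:
# an exec line that already carries -p is left untouched.
patch_dropbear_port() {
    awk -v port="$1" '
        /^exec \/sbin\/dropbear / && /-Fs$/ && !/ -p / { $0 = $0 " -p " port }
        { print }
    '
}

# Constructed stand-in for the relevant part of the init-premount script,
# embedded so the example runs offline (not a copy of the packaged file).
SAMPLE_DROPBEAR_SCRIPT='#!/bin/sh
PREREQ=""
exec /sbin/dropbear ${DROPBEAR_OPTIONS:-$PKGOPTION_dropbear_OPTION} -Fs'

# Client side: with a non-default port, OpenSSH records the initramfs host
# key under "[host]:4422" in known_hosts, separate from the entry for the
# real sshd on port 22, so neither connection trips the mismatch warning.
# Prints an ~/.ssh/config stanza for the unlock connection.
ssh_unlock_stanza() {
    host="$1"; addr="$2"; port="$3"
    printf 'Host %s-unlock\n    HostName %s\n    Port %s\n    User root\n' \
        "$host" "$addr" "$port"
}

demo() {
    echo '# /etc/initramfs-tools/initramfs.conf'
    initramfs_net_lines eth0 192.0.2.10 192.0.2.1 255.255.255.0 encrypted-system
    echo
    echo '# patched init-premount/dropbear'
    printf '%s\n' "$SAMPLE_DROPBEAR_SCRIPT" | patch_dropbear_port 4422
    echo
    echo '# ~/.ssh/config'
    ssh_unlock_stanza encrypted-system 192.0.2.10 4422
}

demo
```

After changing either file on a real system, rebuild the initramfs with `update-initramfs -u` or the change never reaches the boot environment. The script under /usr/share is package-owned and may be overwritten on upgrade; since the quoted exec line consults DROPBEAR_OPTIONS first, setting DROPBEAR_OPTIONS="-p 4422" in the dropbear initramfs config file (where the package provides one) achieves the same without editing the script.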