This guide explains how to unlock a LUKS encrypted ubuntu system via SSH. This is convenient if in example you want to turn on a server but don't have a keyboard and screen attached to it. Or if you don't have physical access to it. I assume that you know already how to set up an OpenSSH server and you know how to activate/deactivate public key login. Else read Ubuntu Help: OpenSSH Server and check more online resources.
This guide was tested with ubuntu 18.04 and ubuntu 17.10.
To connect from Windows, I used ssh from bash (if you install Git for Windows you get bash).
Open a terminal and install dropbear and busybox:
sudo apt install dropbear busybox
You will get a warning here as it completes: dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won’t work!, just ignore it for now.
Activate BUSYBOX and DROPBEAR in initramfs
sudo nano /etc/initramfs-tools/initramfs.conf
Change BUSYBOX=auto to option to BUSYBOX=y and add (below it or at the end of the file) this line:
Browse to the /etc/dropbear-initramfs/ directory, which includes all the dropbear configurations needed to be included in the initramfs:
Note: host keys are already present, as they were automatically generated during the installation of the dropbear package, so there is no need to create new ones as other guides tell you to do. Just convert the rsa one, as follows:
sudo /usr/lib/dropbear/dropbearconvert dropbear openssh dropbear_rsa_host_key id_rsa
sudo dropbearkey -y -f dropbear_rsa_host_key |grep "^ssh-rsa " > id_rsa.pub
Add your client public key to the authorized_keys. If you are logged to your machine via SSH, and your public key is already in your authorized_keys file, you can copy the existing authorized_keys file, as follows:
cp ~/.ssh/authorized_keys .
Else you can add a public key as follows: sudo echo “your public key” >> authorized_keys
Set dropbear to start:
sudo nano /etc/default/dropbear
Change NO_START=1 to NO_START=0
In dropbear, use a different port from the one you are using in your host, so you won’t get the annoying "man in the middle attack" warning in your ssh client that will notice that the host has different keys. Different ports are considered different hosts, so you won’t get any warning at all. I’ve seen other complicated solutions to avoid the warning, but I think that using a different port is the easiest and most elegant solution.
sudo nano /etc/dropbear-initramfs/config
Uncomment the DROPBEAR_OPTIONS
line and add the option to specify the port. In this example I use port 21. Use the port you desire.
Now add the script that will be needed to actually unlock your LUKS partition:
sudo nano /etc/initramfs-tools/hooks/crypt_unlock.sh
Copy and paste the contents from gusennan' sh script in the file (or copy the text from the raw file), then give it executable rights:
sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh
sudo update-initramfs -u
Disable the dropbear service on boot, so it won't interfere with your openssh server:
sudo systemctl disable dropbear
, I had to update grub and disable the splash screen, because with splash active, after connecting to dropbear and typing unlock the screen was blocked and I could not enter the LUKS password.
sudo nano /etc/default/grub
In the GRUB_CMDLINE_LINUX_DEFAULT
line, replace "quiet slash"
, as follows:
Save and update grub:
Reboot your server:
Try to connect to your machine. You must use the root
user, and specify the port you configured in the previous step:
ssh root@YOURSERVER -p 21
Once connected you will see something like this:
Warning: Permanently added '[YOURSERVER]:22,[YOURIP]:22' (ECDSA) to the list of known hosts.
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`
To unlock root-partition run unlock
BusyBox v1.22.1 (Ubuntu 1:1.22.0-19ubuntu2) built-in shell (ash)
Enter 'help' for a list of built-in commands.
, insert your LUKS password, if everything worked correctly your partition will decrypt and your machine will boot. You will see this:
...a bunch of other info...
Connection to 192.168.0.xx closed.
Give it time to boot, then you can finally ssh into your linux box, as usual.
Encrypted HOME directory
If not only your partition is encrypted, but also your home directory, you won't be able to login with your public key, as the public key is saved in ~/.ssh/authorized_keys
, which is encrypted.
To solve this, follow Stephen's Encrypted Home directories + SSH Key Authentication guide.
If you get this error when you try to connect to your server, it's because you didn't follow my advise to change port in dropbear:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/youruser/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/youruser/.ssh/known_hosts:12
ssh-keygen -f "/home/youruser/.ssh/known_hosts" -R "YOURSERVER"
ECDSA host key for YOURSERVER has changed and you have requested strict checking.
Host key verification failed.
I still prefer my solution, but if you insist on using the same port, here a few nerdy solutions:
Solution 1, works like a charm in linux, but not really on bash on windows.
Solution 2, provide some command line hack to avoid the warning:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no youruser|root@YOURHOST -p YOURPORT
This guide was inspired by: https://oliverviebrooks.com/2017/12/05/unlocking-luks-volumes-without-local-access/
Thanks also to Stephen (link above) for his encrypted home directories solution.
I hope that this guide was helpful for you, if so, consider buying a gadget at banggood using my referral link. Like this (comparing to a donation) we both benefit, you get a gadget that may be useful for you and I get something too (a little commission, but the price for you is the same).