14

I'm a long-time Linux user, but I'm not well-versed with the newer developments, esp. wrt Ubuntu and system(d) administration.

I have a very old PC that I want to use for a file server, Mercurial repo, FTP and WWW server, and a few other small company-internal webapps I made with Django. Previously this all ran on an ancient Fedora, on an unencrypted disk, and all was launched from /etc/rc.local.

I've put a new HDD, and got Ubuntu 18.04 LTS on it. I'm now onto restoring the services, but I want to improve as well.

First, I want the valuable data (Django database, files in the file server, ...) to be on an encrypted partition. However my experience with disk encryption is that something asks you for the passphrase during bootup. I want to avoid that, since the server won't have a monitor or a keyboard attached. Second, I want to administer the services in a bit more official ("Ubuntian") way.

Current idea

  • have the services' data on an encrypted partition, that is not listed in /etc/fstab.
  • upon restart, the server will only have sshd, but the services won't be started and partition not mounted.
  • I'd ssh to the machine, and run a script, that mounts the partition (asking me for the passphrase), and launches the services.

The machine is on a UPS, I expect to run the above procedure rarely (few times a year).

Question

Is the current idea any good? Better ways to do it?

If it's good, how to implement it? I can certainly go the "total DIY way" and write a huge script with the luks commands, iptables commands to open the ports, and invoke the services' daemons directly, but I want to learn something new here and do it the proper Ubuntu way™ :)

Any pointers or code/script examples are kindly appreciated!

anrieff
  • I have a similar setup on my nas using Openmediavault as my OS, which has a LUKS encryption addon. With that addon you can mount the encrypted disks from the web page. Another idea would be to have the decryption keyfile on a USB stick that you can attach or detach as you wish. – pLumo Aug 25 '20 at 13:03
  • Hmm, yeah, whether the mounting is done via SSH or a webpage, that's similar, and indeed a webpage can be a bit more convenient. I don't like the USB stick idea though, the whole point of the encryption is to keep the data secure in the event of a burglary in the office. – anrieff Aug 25 '20 at 15:55

2 Answers

15

Remote unlocking of encrypted partition

There is an easy and more or less standard way to unlock encrypted partitions on start-up, without modification of the root partition. It requires dropbear, busybox and dropbear-initramfs.

$ sudo apt install dropbear busybox dropbear-initramfs

Add busybox to initramfs

To enable busybox in the initial RAM disk, set BUSYBOX=y in /etc/initramfs-tools/initramfs.conf. The dropbear SSH host keys are stored in the /etc/dropbear-initramfs or /etc/dropbear/initramfs folder (since Ubuntu 22.04).

Add public keys to authorized_keys of dropbear

There is no user management in the initial RAM disk, so only the root user with a public key in /etc/dropbear-initramfs/authorized_keys can log in via ssh. You can add any public key or simply copy the one of your user:

$ sudo cp ~/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys

Warning: Some older dropbear versions do not support ed25519 keys.

Update initramfs with dropbear keys

After that, initial RAM disk needs to be updated:

$ sudo update-initramfs -u

That's it, now reboot the system and wait for the cryptsetup dialog.

Unlocking the system remotely

After the reboot, the system will wait for the unlocking of the encrypted device. Login via ssh with the root user and the corresponding private key.

# From a remote system
$ ssh -i ~/.ssh/my_private.id_rsa root@my.system.waiting.for.a.password.com
Enter passphrase for key '~/.ssh/my_private.id_rsa':

BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6.1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

cryptroot-unlock

Please unlock disk ubuntu-root:
cryptsetup: ubuntu-root set up successfully

Connection to my.system.waiting.for.a.password.com closed by remote host.

Connection to my.system.waiting.for.a.password.com closed.

And the system will start with unlocked root device.

Update for Ubuntu 22.04

Brought up by Sjors Provoost: this approach stopped working in Ubuntu 22.04. The reason behind it is the change in the package dependencies of dropbear-initramfs. In 20.04 this package was a Recommends; in 22.04 it is a Suggests. As a result, the package will not be installed without explicit selection. In addition to that, the location of the dropbear keys changed from /etc/dropbear-initramfs to /etc/dropbear/initramfs --> update included in the answer.

Simon Sudler
  • Wouldn't this require two separate ssh keys to login to the box, depending on whether it's stuck in initramfs, or already logged in? Please note I don't require that the OS (root) partition be encrypted, only the data partition. – anrieff Aug 26 '20 at 13:34
  • No, you can use the same RSA key for both, however the user name is different. If you just need the data partition to be encrypted, you can just login with the root user and mount it... – Simon Sudler Oct 14 '20 at 23:09
  • Yes, just the data partition. The question is more about how to do the mounting & starting of services in an official way, not a hacky script that just runs the needed commands (of course that's always a valid Plan B) – anrieff Oct 15 '20 at 07:45
  • Well, then my answer provides a working solution. Your partition should be included in the /etc/crypttab. Then you will be asked to enter your password in the boot process, which can be also entered with ssh/busybox – Simon Sudler Oct 15 '20 at 08:07
  • I'd prefer to avoid the ssh/busybox solution if possible. The main distro has a perfectly working sshd and shells. Is it possible to put a partition in /etc/crypttab that has "manual mounting", i.e. not auto-mounted at boot time? – anrieff Oct 15 '20 at 14:19
  • yes, you can configure when it should be mounted – Simon Sudler Oct 16 '20 at 07:13
  • This worked wonderfully until I upgraded Ubuntu to 22.04. Now it no longer spins up an SSH server, so I have to use the physical keyboard again to unlock. – Sjors Provoost May 23 '22 at 10:49
  • @SjorsProvoost I assume that the upgrade can't handle this particular change to the initrd image. Try the steps again... It should start working again. – Simon Sudler May 23 '22 at 14:48
  • I noticed /etc/dropbear-initramfs moved to /etc/dropbear/initramfs (it automatically moved my authorized_keys). I already tried setting BUSYBOX=y and doing sudo update-initramfs -u before replying here; that didn't do the trick. Not really sure where to look for potential error messages. – Sjors Provoost May 24 '22 at 15:59
  • Error messages cannot be stored in this early stage of the boot process (disk encrypted and not mounted). You should ask this in a separate question... the comment section is not helpful for solving this. – Simon Sudler May 24 '22 at 18:55
  • @SjorsProvoost: Found the issue when I was trying 22.04... I updated to post. I hope that helps. – Simon Sudler Jun 07 '22 at 12:43
  • Works like a charm, thanks! – Sjors Provoost Jun 08 '22 at 14:48
  • Worked fine on Ubuntu 22.04, can we encrypt /boot and /boot/efi ? – Harry Jan 17 '23 at 10:06
  • @Harry, no that is not possible, because the kernel and initrd image, which is handling the encryption, is in /boot. From a security perspective, this should not be an issue, because the kernel is signed (cannot be altered) and there is nothing "secret" in the kernel or initrd image. Same is true for /boot/efi – Simon Sudler Jan 18 '23 at 20:55
1

Update for Ubuntu 24.10

Some files have moved around on newer versions of Ubuntu, and you don't need all the dependencies listed in the excellent answer from Simon.

Dropbear-initramfs install

sudo apt update
sudo apt install dropbear-initramfs

Setup public key

sudo pico /etc/dropbear/initramfs/authorized_keys

Insert your public key.

Config dropbear-initramfs

sudo pico /etc/dropbear/initramfs/dropbear.conf

Set Dropbear Options:

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s -c cryptroot-unlock"

Update grub etc

sudo update-initramfs -u
sudo update-grub

Now reboot

sudo reboot

Local config

You can add this to ~/.ssh/config locally:

Host myhost-crypt
    HostName 192.168.0.100
    User root
    Port 2222

(Change hostname and IP accordingly)

Now just ssh myhost-crypt and it should ask you for your decrypt password and close the connection immediately.
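The DROPBEAR_OPTIONS line above is the security-relevant part of the setup: -s disables password logins, -j and -k disable local and remote port forwarding, -I sets an idle timeout, -c forces cryptroot-unlock as the only command a connecting key can run, and -p moves the initramfs sshd off port 22 so its host key does not collide in known_hosts with the installed OpenSSH server's key. The following POSIX shell linter is an added illustration, not taken from either answer: it checks a dropbear-initramfs config for those settings and prints one finding per line. The finding texts, the function names, and the config file argument are mine; the file name /etc/dropbear/initramfs/dropbear.conf is the one the 24.10 answer uses.

```shell
#!/bin/sh
# Added example (not part of either answer): lint the DROPBEAR_OPTIONS line of
# a dropbear-initramfs config. Exit status 0 means nothing to report, 1 means
# at least one finding was printed.
set -eu

findings=0
report() { findings=$((findings + 1)); printf '%s\n' "$1"; }

lint_dropbear_options() {  # "<options string as written in DROPBEAR_OPTIONS>"
    findings=0 port=22 have_s=0 have_c=0 have_j=0 have_k=0 have_I=0
    # word-split the option string the way the initramfs hook passes it to dropbear
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -s) have_s=1 ;;
            -j) have_j=1 ;;
            -k) have_k=1 ;;
            -c) have_c=1; [ $# -gt 1 ] && shift ;;
            -I) have_I=1; [ $# -gt 1 ] && shift ;;
            -p) port=${2:-22}; port=${port##*:}; [ $# -gt 1 ] && shift ;;  # -p [addr:]port
            -b|-r|-W|-K|-T) [ $# -gt 1 ] && shift ;;  # other dropbear flags that take an argument
        esac
        shift
    done
    [ "$have_s" -eq 1 ] || report "-s missing: password authentication is not disabled; only key logins should be possible in the initramfs"
    [ "$have_c" -eq 1 ] || report "-c missing: no forced command, so a key that can unlock the disk also gets the full busybox shell"
    [ "$port" != 22 ]   || report "port 22: same port as the installed OpenSSH server but a different host key, so clients see a changed-host-key warning (use -p 2222 or a separate known_hosts entry)"
    [ "$have_j" -eq 1 ] || report "-j missing: local port forwarding is allowed through the initramfs sshd"
    [ "$have_k" -eq 1 ] || report "-k missing: remote port forwarding is allowed through the initramfs sshd"
    [ "$have_I" -eq 1 ] || report "-I missing: no idle timeout for initramfs sessions"
    [ "$findings" -eq 0 ]
}

# Read the DROPBEAR_OPTIONS="..." assignment from a config file (last one wins,
# as it would when the file is sourced) and lint it.
lint_dropbear_conf() {  # path
    opts=$(sed -n 's/^[[:space:]]*DROPBEAR_OPTIONS=//p' "$1" | tail -n 1)
    opts=${opts#\"}; opts=${opts%\"}
    lint_dropbear_options "$opts"
}

# Usage: sh this.sh /etc/dropbear/initramfs/dropbear.conf
if [ $# -gt 0 ]; then
    lint_dropbear_conf "$1"
fi
```

Run it against the config before update-initramfs -u; a clean run prints nothing and exits 0. The port finding is the one that bites in practice: with the initramfs sshd and the real sshd on the same port and hostname, the first connection after every reboot trips the host-key check on the client, which trains you to ignore exactly the warning that matters.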