Monday, 14 May 2012

SSH unlock with fully encrypted ubuntu 12.04 server

When operating a server with full system encryption it is often undesirable to enter the password with a local keyboard. However, setting up unlocking via SSH with Ubuntu 12.04 is quite a stony path, as there are several bugs that need to be worked around before it actually works. I put together a complete guide on how to set it up. The tutorial is based on the setup created in the previous one.
So I assume your Ubuntu 12.04 server is installed on a fully encrypted partition that is managed with LVM. The unlocking of the root partition is done in the "initial ramdisk" that is stored on the unencrypted /boot partition. In order to enter this password over SSH, you need to add an SSH server to your initial ramdisk. To keep the initial ramdisk small we use "dropbear" - an SSH server implementation for embedded systems.

# apt-get install openssh-server dropbear

The dropbear system installation will automatically use the RSA and DSA keys provided by OpenSSH.
It is also automatically integrated into the initial ramdisk. However, it generates a separate pair of keys for the initial ramdisk, which can be undesirable because it will give you nasty "Host identification changed" errors when you connect to the ramdisk system. So I decided to work around that by using the system key pair for the ramdisk as well. Keep in mind that the initial ramdisk lives on the unencrypted /boot partition, so the private host keys copied here are stored on disk unencrypted:

# cp /etc/dropbear/dropbear_* /etc/initramfs-tools/etc/dropbear/

As the initial ramdisk will only contain a root-user, the root-user has to be activated and assigned a password.

# passwd root

Optional: If you like to authenticate using a public key you need to make sure the ramdisk accepts it:

# cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/authorized_keys

Because of a bug in Ubuntu/Debian, authentication will always fail when trying to log in to your initial ramdisk system. A workaround provided by Alex Roper fixes this problem.

# vi /etc/initramfs-tools/hooks/fix-login.sh

Copy the content of the script into the editor:

#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac

cp $(dpkg -L libc6 | grep libnss_ | tr '\n' ' ') "${DESTDIR}/lib/"

Save the file and make sure it's executable:

# chmod +x /etc/initramfs-tools/hooks/fix-login.sh

After updating the initramfs you can reboot, and login via SSH should work.

# update-initramfs -u
# reboot

However, entering the password for the encrypted volume will not work because of a bug in plymouth that prevents other ways to enter the password. So another workaround is required.
Add another script "crypt_unlock.sh" to /etc/initramfs-tools/hooks:

# vi /etc/initramfs-tools/hooks/crypt_unlock.sh

And add the following content:

#!/bin/sh

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
    ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF

    chmod 755 "${DESTDIR}/bin/unlock"

    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF

    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"

fi

Make sure it's executable:

# chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

And update the initramfs:

# update-initramfs -u
# reboot

Now when you boot into your initial ramdisk you can connect to your server via ssh and unlock the encrypted volume by typing

# unlock
Unlocking the disk /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (sda2_crypt)
Enter passphrase: 
  Reading all physical volumes.  This may take a while...
  Found volume group "mydisk" using metadata type lvm2
  2 logical volume(s) in volume group "mydisk" now active
cryptsetup: sda2_crypt set up successfully
# 
Congratulations! You should now be able to unlock your encrypted server without a local keyboard present.
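
An added check, not part of the original post: before rebooting a remote machine it is worth confirming that the initramfs really contains what the two hooks are supposed to install, since a hook that is not executable is skipped silently. The function name, the sbin/dropbear location, the host key file name pattern and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check an initramfs file listing
# for the pieces the hooks above are supposed to install.
# On the server, before rebooting:
#   lsinitramfs "/boot/initrd.img-$(uname -r)" | check_initramfs_listing

# Reads one path per line on stdin, prints every missing component and
# returns non-zero if anything is missing.
check_initramfs_listing() {
    listing=$(cat)
    missing=0
    # "label|regex" pairs. bin/unlock, lib/unlock/plymouth and lib/libnss_*
    # come from the hooks on this page; sbin/dropbear and the *_host_key
    # file name pattern are assumptions about the dropbear package's own hook.
    for item in \
        'dropbear binary|(^|/)sbin/dropbear$' \
        'dropbear host key|(^|/)etc/dropbear/dropbear_[^/]*_host_key$' \
        'libnss libraries (fix-login.sh)|(^|/)lib/libnss_[^/]*$' \
        'unlock command (crypt_unlock.sh)|(^|/)bin/unlock$' \
        'plymouth wrapper (crypt_unlock.sh)|(^|/)lib/unlock/plymouth$'
    do
        label=${item%%|*}   # text before the first "|"
        regex=${item#*|}    # everything after it (may contain "|")
        if ! printf '%s\n' "$listing" | grep -Eq "$regex"; then
            echo "MISSING: $label"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample listing: crypt_unlock.sh was not executable, so its
# two files are absent.
SAMPLE_LISTING='.
bin/busybox
sbin/dropbear
etc/dropbear/dropbear_rsa_host_key
etc/dropbear/dropbear_dss_host_key
lib/libnss_files.so.2
scripts/local-top/cryptroot'

printf '%s\n' "$SAMPLE_LISTING" | check_initramfs_listing || true
```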

Setup Ubuntu 12.04 server with full disk encryption

Although there are several tutorials out there describing how to encrypt your system using dmcrypt, there are essentially two reasons why I made this one:
  1. As preparation for the following tutorial on how to set up unlocking via SSH
  2. To document the setup for myself.
We start from scratch with installing Ubuntu 12.04 LTS server. You can download it here.
I won't go into detail on the setup itself, but only the process of partitioning the disk.

There are many ways to encrypt your hard disk. The Arch wiki covers it pretty well if you're interested. I'll describe one specific way here. The goal: encrypting "root" and "swap". However, when you set up two encrypted partitions you set up two (different) passwords. I am pretty lazy, so I want to unlock all encrypted volumes at once. This is where LVM comes in. So I just create one encrypted partition and let LVM handle the rest of the partitioning. So let's go:


Obviously you are going to set up the partitions manually, so select "Manual" on this screen.


I start with a completely empty disk. If it's not a new drive you should probably "secure erase" it first.
So first you set up a boot partition.


This partition will contain the kernel and the initramfs required to unlock your system. I created a 200MB partition formatted as ext4. You can adjust the size according to your needs.
Then set up a partition using up the rest of the space.


Then select "Configure encrypted volumes" and then "Create encrypted volumes". Select the disks to use for encryption accordingly:


After setting the password you'll end up with an encrypted volume (e.g. sda2_crypt).


Now select "Configure the Logical Volume Manager".


Select "Create Volume group" and give it a name. This name will be used to present your device in udev (/dev/mapper/yourlvmdisk).


Make sure you select the encrypted volume for the volume group.


Then select "Create logical volume" to create a partition inside the volume group. Set up partitions as desired. You can check your layout at the end by selecting "Display configuration Details".


I decided to set up just a root and a swap partition in this test setup. If you want additional partitions (e.g. home) you need to create them here. When you're satisfied with your volume setup hit finish.


The volumes now appear as partitions in the partition manager and can be formatted like regular partitions.


I set up the first partition as root partition with ext4 as filesystem.


When you're done setting up the partitions hit "Finish partitioning and write changes to disk" and then carry on with the installation as usual. When the setup is finished and the system has rebooted you will be prompted for the password for the volume.

Congratulations! Your system is now fully encrypted.