Sometimes you want to have a strong Disk encryption but be still able to unlock it remotely.
Sure, this is a compromise between security and usability, but here is what I come up with.
Before you follow my instructions, I allude you to carefully consider what that means for your thread model and system security.
- You start with an normal lvm encrypted operating system.
- Install dropbear and busybox
- Edit the file /etc/initramfs-tools/initramfs.conf and add/modify Device and Network settings accordingly:
The last line requires some explanation. It consists of:
To bypass the ssh host checks (which would fail, because effectively the preboot environment is an autonomous os, independent of the other), you should select a different IP than that of the fully booted system.
- Place your ssh-public key into the initramf's root users home directory For privacy reasons (if you don't want someone to associate this device with you through the use of your public key) you may want to use a separate key-pare, as this public key.
- After you've added your public key, you need to regenerate the initramfs image using:
- After that reboot using
- Now while the System is waiting for you to enter the password, go to a different client and connect using your private key (User: root) and your predefined IP address.
- To unlock your device and continue booting (which will uninitialize the initramfs leaving you within a shell without any mounted file systems or applications) you have to somehow insert the Plain-text password into /lib/cryptsetup/passfifo (without a line break at the end). The easiest (but also unsafest) way is a simple echo: