How to open an encrypted Ubuntu 18.04 Server with SSH Dropbear

Some of you are security-aware and would like to install a full disk encryption on a new system. But you’ll face a problem: Once the machine reboots and you’re not around to type in the password, the machine will simply not boot up. For come over that issue you can use a small SSH listener called Dropbear which loads up during the very beginning of the boot process. Only if you authenticate with your correct RSA key, you can log on to the machine, provide the password for uncrypting the filesystem and will be kicked out again while the machine will finish its bootup.

– Freshly installed and encrypted Ubuntu 18.04 server (headless installation – no GUI).
– You should know how to use the linux terminal and the text editor nano.
– I advice you to tell your DHCP router to provide always the same IP to the machine. Otherwise the IP will change/increment every time you boot it up.

1. Let’s ensure we have all updates installed:

sudo apt update
sudo apt dist-upgrade

Install the required additional dropbear package:

sudo apt-get --assume-yes install dropbear-initramfs

You’ll notice that during package installation some keys will be automatically generated:
– DSA 1024 key for root
– RSA 2048 key for root
– ECDSA521 key for root

2. Edit the config file:

sudo nano /etc/dropbear-initramfs/config

Uncomment the DROPBEAR_OPTIONS line and add a second port where SSH should listen on:


3. Since only public key authentication is allowed we need to create and fill up our authorized_keys file:

sudo nano /etc/dropbear-initramfs/authorized_keys

Fill it with the only allowed command and append your ssh-rsa key:

command="/bin/cryptroot-unlock" ssh-rsa YOUR_KEY

4. Apply the changes and reboot:

sudo update-initramfs -u
sudo reboot

5. Now you can login to your machine for instance with:
ssh root@MACHINE_IP -p YOUR_PORT -i ~/.ssh/YOUR_KEY_FILE

– (Hetzner specific)

Veranstaltung: Digitale Selbstverteidigung – Offene Kryptoparty in Wiesbaden

Take back the control!

Jede/r ist herzlich zur nächsten offenen Veranstaltung zum Thema Digitale Selbstverteidigung eingeladen!

Das Veranstaltungsformat der Kryptoparty ist absichtlich offen gehalten, damit für die Fragen und Anliegen der Gäste ausreichend Platz bleibt. Für Cafe und Kekse wird gesorgt. Flankiert wird das Ganze durch kleine niedrigschwellige Rahmenvorträge zu den Themen:

  • Wie kann ich im Internet meine Privatsphäre schützen?
  • Wie bewege ich mich im Internet ohne Spuren zu hinterlassen?
  • Wie kann ich sicher kommunizieren?
  • Wie lösche ich Dateien möglichst sicher?
  • Wie kann ich Verschlüsselung für mich nutzen?

Der Termin für die nächste offene Kryptoparty in Wiesbaden und Umgebung Taunus steht noch nicht fest, daher bitte ich um vorherige Anmeldung per E-Mail an hello(at), damit ich den Termin/Ort besser abstimmen kann. Die Teilnahme ist selbstverständlich kostenfrei.

Tutorial: How to build, configure and install a secure personal computer

This guide is based on the BIOS UEFI replacement called Coreboot which runs on an ASUS F2A85-M mainboard with an AMD A10-5800K CPU with integrated graphics.

1. Introduction and aim

This initial idea came up with the uprising problems and vulnerabilites of Intel ME and AMD Secure Technology (PSP). After having researched several alternatives without running those (in)secure technologies I was looking for very specific hardware to meet the requirements on security as mentioned in the pinetree of open and secure classical computing.

The aim is to provide a comprehensive guide which allows the daily user to gain a higher level of security. The daily user shall be empowered to get back the control about every piece of hardware within the computer system. In general hardware is always run by the so-called firmware. Firmware is software which is in the closest control of the underlying hardware to make it work as intended. So firmware is needed by the all BIOS/UEFI computer systems we know. Based on these hardware firmwares the central BIOS/UEFI unit is able to tell other computer parts how to cooperate. The newer the hardware, the worse the avialabilty of open firmware. In fact in most cases the availability of open code is zero, because vendors assume that keeping the source code secret (closed source code) increases the security of the product. Nowadays we’ve learned by many lessons that this conviction is wrong. It’s a fact that every source contains errors which might be exploitable if they are found. The more people access a source code, the better this code is reviewed and the fewer errors are included.

Conclusion: Due to this circumstance sometimes developers have to use vendor’s original binary code (firmware) to get the hardware to work at all. That means that wide limitations are accepted by almost all vendors. Security can only be guaranteed by open source code. This leads to a conflict of objectives: On one hand we want a secure system and on the other hand we don’t want to lose comfort by leaving out the functionaly which the vendor has placed within his (closed) firmware.

Maybe you take this into account before you support a certain vendor by buying his hardware the next time.

Since it’s practically almost impossible to use every piece of hardware out there by open code, we need to find the best compromise between functionality and security:

  • free and open source code

  • running coreboot or even libreboot

  • running Windows and GNU/Linux

  • as little as possible of (closed) firmware

  • enough performance to get work done


2. Software we will need

  • For booting the system we will use Coreboot instead of the vendor’s BIOS/UEFI. Libreboot is even a “better” option but – as mentioned in other posts – unfortunately very few and old boards are supported.
  • As an operating system you can choose one from the recommendations. I prefer using Manjaro GNU/Linux with the free driver stack option which you can choose while booting the installation disk from a pendrive. In my view this is the best mix between bleeding edge development, security and user comfort.
  • If you prefer to build the Coreboot ROM on your own, you need a Linux on which you can compile the Coreboot sources. An already set up and running Arch Linux or Debian/Ubuntu are good choices.
  • If you prefer to extract the VGA BIOS on your own, you will also need to run a live Linux from a pendrive for extraction.


3. Hardware you will need (mostly second hand)

  • The mainboard ASUS F2A85-M is currently the best choice for a desktop platform, because it is widely supported by Coreboot. (cost: ~ 40 $)
  • As we found out before AMD’s Piledriver CPU architecture (codenames Trinity and Richland) is the latest one which does NOT include those (in)secure technologies. The AMD A10-5800K is the most compatible and powerful CPU/APU you can run on with Coreboot on this mainboard. (cost: ~ 50 $)
  • Pick any adequate CPU cooler you want which is supprting the FM2 socket. I am using a good old Arctic Freezer A30 with a silent 120mm fan. (cost: ~ 30 $)
  • DDR3-1866 RAM is the fastest RAM speed our CPU is supporting. The amout depends just on your personal demands. With a minimum of 8 GB we should be good to go. (cost: ~ 50 $)
  • A S-ATA harddrive for the operating system. Think about using a SSD if you want a fast system. Remember to encrypt your partitions and/or files – especially if you are using a SSD. (cost: ~50 $)
  • In the CPU above the graphics are onboard and included within the CPU. So there is no need to buy a dedicated one.
  • As a power supply any standard ATX AC adapter will work. (cost: ~ 30 $)
  • Choose a computer case according to your personal preferences. I like the Bitfenix Prodigy M. Remember: Not all micro ATX cases are suitable for taking bigger/higher CPU coolers. This one takes and Freezer A30 perfectly. (cost: ~ 50 $)
  • In order to flash the BIOS chip via SPI we need the CH341A USB Programmer. (cost: ~ 15 $)
  • I recommend *strongly* to buy a separate Winbond W25Q64FVAIG or W25Q64BVAIG spare chip in order to flash the Coreboot build onto it. There are people who flash the onboard chip during a running system but this process can fail and in my opinion it’s better to have a fallback – just in case flashing or extraction have failed. (cost: ~ 10 $)


4. Assembling your computer

I assume you know how to assemble a computer so now it’s a good time to do so. Make sure your DDR3 RAM is placed into the BLUE SLOTS. Otherwise your computer won’t boot up.


5. Extracting the VGA BIOS binary blob

Unfortunately the internal GPU won’t work unless we integrate its binary into the Coreboot ROM.

You can downoad now the which contains the vgabios.bin I have extracted or do it on your own according to the coreboot guide:

  • Boot up a linux live Distro like Ubuntu from your prepared pendrive
  • Check the ID by issueing “lspci -tvnn”. As you can see my ID of the GPU is 1002:9901. Write the ID down. We will need it later to build the Coreboot ROM.
    lspci -tvnn
    -[0000:00]-+-00.0 Advanced Micro Devices, Inc. [AMD] Family 15h (Models 10h-1fh) Processor Root Complex [1022:1410]
               +-00.2 Advanced Micro Devices, Inc. [AMD] Family 15h (Models 10h-1fh) I/O Memory Management Unit [1022:1419]
               +-01.0 Advanced Micro Devices, Inc. [AMD/ATI] Trinity [Radeon HD 7660D] [1002:9901]
               +-01.1 Advanced Micro Devices, Inc. [AMD/ATI] Trinity HDMI Audio Controller [1002:9902]
  • For enabling to read the ROM we need to set a enablement bit 1 to the correspondig address 0000:00:01.0 which we found above:
    echo 1 > /sys/devices/pci0000:00/0000:00:01.0/rom
  • Now we can extract the VGA BIOS into a binary. Copy the vgabios.bin file onto a pendrive.
    cp /sys/devices/pci0000:00/0000:00:01.0/rom vgabios.bin



6. Building the Coreboot ROM

  • If you want to skip this step or encounter unsolvable errors prohibiting you to generate the ROM you can download and extract my generated one:
  • Now we need to prepare our Linux system which should be running on another or even a virtual machine.
    • On your Debian/Ubuntu you will need to install these packages: git, build-essential, gnat, flex, bison, libncurses5-dev, wget, zlib1g-dev. You can install them by simply typing into the terminal:
      sudo apt-get install git build-essential gnat flex bison libncurses5-dev wget zlib1g-dev
    • On Arch Linux/Manjaro you will need to install these packages: base-devel (default repo) and coreboot-utils-git (AUR).
  • Choose a directory in which the coreboot-directory should be placed. Clone the current Coreboot repo:
    git clone
  • Change into the repo folder
    cd coreboot
  • Set up a new local branch
    git checkout -b mybranch
  • Tell GIT to jump back to commit f516dd8b40a5221780865b40ed51d16cbbc91e56
    git reset --hard f516dd8b40a5221780865b40ed51d16cbbc91e56
  • Check out the sub-repos (3rdparty directory)
    git submodule update --init --checkout
  • Copy my uploaded or your extracted vgabios.bin to the coreboot root directory (our present directory).
  • Run the configuration wizard
    make nconfig
  • Set up the following parameters:
    • Submenu Mainboard: Choose ASUS as vendor and F2A85-M as model.
    • Submenu Mainboard: Choose the DDR3 memory voltage. Refer to your vendor’s website if you are unsure.
    • Submenu Chipset: Add xhci and imc firmware. The paths are already set correctly.
    • Submenu Devices: Add your VGA BIOS image (your extracted one, or mine) and make sure the PCI ID is matching yours by typing in the right values.
  • Press F6 to save the current configuration under .config and exit with F9.
  • Build the Compiler. CPUS=4 means it will use 4 cores to compile. Adjust this value to meet your number of cores. Be patient, this process takes some time. In my case I had to wait around 10-20 minutes.
    make crossgcc-i386 CPUS=4
  • Finally we are able to build the ROM. You will find the generated coreboot.rom in a subfolder called build.


7. Flashing the Coreboot ROM

  • Place your spare chip on the USB programmer and plug it into a USB port on your Linux machine.
  • Install flashrom under Debian/Ubuntu by
    sudo apt-get install flashrom
  • Flash your spare chip now with your generated coreboot.rom:
    sudo flashrom -w build/coreboot.rom --programmer ch341a_spi

    or my coreboot-5800k-vga-xhci-imc.rom (which should be copied into the coreboot root directory):

    sudo flashrom -w coreboot-5800k-vga-xhci-imc.rom --programmer ch341a_spi
  • If you get the following notifications your old chip is ready 🙂
    Found Winbond flash chip "W25Q64.V" (8192 kB, SPI).
    Erase/write done.
    Verifying flash... VERIFIED.
  • Replace your old BIOS chip by the new flashed one during your system is switched off. Be careful not to bend a pin. So-called DIP8 pliers might help you to release the chip from the board.
  • Just in case you mess something up you can download a fresh vendor’s copy of the original BIOS/UEFI v6002 image.


8. Congratulations. Your system is ready to go.



Cybersecurity: CPU and system alternatives without Intel ME iAMT and AMD PSP / Secure Technology