How to create and open an encrypted Ubuntu Linux 18.04 server with Dropbear through SSH

Tags: Full Disk Encryption, Ubuntu Linux, Dropbear, SSH
Last update: Dec 2019

Some of you are security-aware and would like to install full disk encryption on a new system. But you’ll face a problem: once the machine reboots and you’re not around to type in the password, it will simply not boot up. To overcome that issue you can use a small SSH listener called Dropbear, which is loaded at the very beginning of the boot process. Only if you authenticate with your correct RSA key can you log on to the machine and provide the password for decrypting the filesystem; you are then kicked out again while the machine finishes booting.

Prerequisites:
– Freshly installed and encrypted Ubuntu 18.04 server (headless installation – no GUI).
– You should know how to use the linux terminal and the text editor nano.
– I advise you to configure your DHCP router to always assign the same IP to the machine. Otherwise the IP will change/increment every time you boot it up.

Steps:
1. Let’s ensure we have all updates installed:

sudo apt update
sudo apt dist-upgrade

Install the required additional dropbear package:

sudo apt-get --assume-yes install dropbear-initramfs

You’ll notice that during package installation some keys will be automatically generated:
– DSA 1024 key for root
– RSA 2048 key for root
– ECDSA521 key for root

2. Edit the config file:

sudo nano /etc/dropbear-initramfs/config

Uncomment the DROPBEAR_OPTIONS line and add a second port on which SSH should listen:

DROPBEAR_OPTIONS="-p YOUR_PORT"

3. Since only public key authentication is allowed, we need to create and fill our authorized_keys file:

sudo nano /etc/dropbear-initramfs/authorized_keys

Fill it with the only allowed command and append your ssh-rsa key:

command="/bin/cryptroot-unlock" ssh-rsa YOUR_KEY

4. Apply the changes and reboot:

sudo update-initramfs -u
sudo reboot

5. Now you can log in to your machine, for instance with:

ssh root@MACHINE_IP -p YOUR_PORT -i ~/.ssh/YOUR_KEY_FILE
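
A mistake in the files from steps 2 and 3 either locks you out of a headless machine or leaves a key that is not pinned to the unlock command, so it is worth checking both before the reboot in step 4. The script below is an added example, not part of the original guide or of the dropbear-initramfs package; the function names, port 2222 and the placeholder key are constructed, and the config check assumes a plain numeric port.

```shell
#!/bin/sh
# Added example (not from the original guide): check copies of the two files
# from steps 2 and 3 before running update-initramfs and rebooting.

# Return 0 only if every key line carries the forced command from step 3.
check_authorized_keys() {
    file=$1; n=0; keys=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        keys=$((keys + 1))
        opts=${line%% *}                           # options field, if any
        case ",$opts," in
            *',command="/bin/cryptroot-unlock",'*) ;;
            *) echo "$file:$n: key not restricted to cryptroot-unlock"; bad=1 ;;
        esac
    done < "$file"
    [ "$keys" -gt 0 ] || { echo "$file: no keys found"; bad=1; }
    return "$bad"
}

# Return 0 only if DROPBEAR_OPTIONS is uncommented, uses straight double
# quotes and sets a port with -p (assumption: numeric port, no address part).
check_config() {
    grep -Eq '^DROPBEAR_OPTIONS="([^"]* )?-p ?[0-9]+( [^"]*)?"[[:space:]]*$' "$1" && return 0
    echo "$1: no usable DROPBEAR_OPTIONS=\"-p PORT\" line"
    return 1
}

# Constructed sample files (placeholder key material, made-up port).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'command="/bin/cryptroot-unlock" ssh-rsa AAAAB3PLACEHOLDER admin@example' > "$tmp/keys_ok"
printf '%s\n' '# admin' 'ssh-rsa AAAAB3PLACEHOLDER admin@example' > "$tmp/keys_bad"
printf '%s\n' 'DROPBEAR_OPTIONS="-p 2222"' > "$tmp/config_ok"
# Typographic quotes pasted from a web page, plus the still-commented default.
printf '%s\n' '#DROPBEAR_OPTIONS=' 'DROPBEAR_OPTIONS=“-p 2222“' > "$tmp/config_bad"

for f in keys_ok keys_bad; do
    check_authorized_keys "$tmp/$f" && echo "$f: ok" || echo "$f: FAILED"
done
for f in config_ok config_bad; do
    check_config "$tmp/$f" && echo "$f: ok" || echo "$f: FAILED"
done
```

On a real system, call the two functions on /etc/dropbear-initramfs/authorized_keys and /etc/dropbear-initramfs/config instead of the sample files.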

Credits:
– https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
– https://www.pbworks.net/ubuntu-guide-dropbear-ssh-server-to-unlock-luks-encrypted-pc/
– https://seeseekey.net/archive/122144/ (Hetzner specific)
