Sylvain Durand

Remotely unlock an encrypted system

I self-host a server under Arch Linux on which are stored various personal data: documents, photos, music, videos… Its data are fully encrypted, including the main system, to avoid any risk – in case of burglary for example.

However, encrypting the whole system raises a difficulty: a password is needed at every reboot. This means that a keyboard and a screen must be connected to the server, which is not very practical if it is only meant to be accessed over SSH.

Above all, this server must remain constantly available: in case of power failure or malfunction, it must be able to be restarted without me necessarily being on site.

The solution is simple: when the password prompt appears, launch a minimal SSH session that lets you enter the password remotely.

This article is directly inspired by the dm-crypt/Specialties page from the Arch Linux wiki, which shows different ways to do this. It assumes that you already have a fully functioning encrypted system.

Packages

We will use mkinitcpio-netconf, which allows network access during the early boot phase, mkinitcpio-tinyssh and tinyssh-convert to initiate SSH access, and mkinitcpio-utils to get a session:

sudo pacman -Syu mkinitcpio-netconf \
                 mkinitcpio-tinyssh \
                 tinyssh-convert \
                 mkinitcpio-utils

Network

To get network access, it is necessary to pass connection information with the ip option to the kernel at boot time. My server connects directly with DHCP on the eth0 interface, so I use:

ip=:::::eth0:dhcp

If your network uses a static IP instead of DHCP, we can use:

ip=192.168.1.1:::::eth0:none

If you need to connect via wifi, the AUR package mkinitcpio_wifi can be used: its documentation is detailed here.

Key

To connect at startup, it is necessary to send your public key. TinySSH only accepts Ed25519 or ECDSA keys; I use the first type with ssh-keygen -t ed25519 -a 100.

This public key must be placed in the /etc/tinyssh/root_key file.

To use the same key that you already use to SSH into the server, just copy it:

cp ~/.ssh/authorized_keys /etc/tinyssh/root_key

Launching in the boot sequence

Finally, we modify the /etc/mkinitcpio.conf file to replace encrypt with netconf tinyssh encryptssh in the line that starts with HOOKS.

Then we regenerate the initramfs to incorporate the changes with sudo mkinitcpio -P.
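As an added example (not from the original post), a small shell script that performs the HOOKS edit from the section above on a given line and checks that a root_key file holds only key types TinySSH accepts (Ed25519 or ECDSA, as described in the Key section). It runs on constructed sample data rather than on the live /etc files:

```shell
#!/bin/sh
# Added example, not the author's own script. Checks the two edits made
# above before rebuilding the initramfs, so a mistake does not lock you out.

# patch_hooks LINE: print LINE with the "encrypt" hook replaced by
# "netconf tinyssh encryptssh". The order matters: the network must come
# up (netconf) and the SSH server start (tinyssh) before encryptssh prompts.
# A line that already contains "encryptssh" is left untouched.
patch_hooks() {
    printf '%s\n' "$1" \
        | sed -E 's/(^|[[:space:]])encrypt([[:space:])]|$)/\1netconf tinyssh encryptssh\2/'
}

# check_root_key FILE: succeed only if FILE is non-empty and every key in it
# is Ed25519 or ECDSA. An RSA key would be ignored by TinySSH, so the boot
# prompt would be unreachable over SSH.
check_root_key() {
    [ -s "$1" ] || return 1
    if grep -v '^[[:space:]]*$' "$1" \
        | grep -qvE '^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) '; then
        return 1   # at least one key of an unsupported type
    fi
    return 0
}

# Constructed sample data (placeholder key, not a real one) for a stand-alone run.
SAMPLE_HOOKS='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)'
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal000000000000000000 me@laptop'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_KEY" > "$tmp"
    patch_hooks "$SAMPLE_HOOKS"
    if check_root_key "$tmp"; then
        echo "root_key: ok"
    else
        echo "root_key: contains a key type TinySSH does not accept"
    fi
    rm -f "$tmp"
}

demo
```

To use it on a real system, pass the HOOKS line from /etc/mkinitcpio.conf to patch_hooks and /etc/tinyssh/root_key to check_root_key.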

Locally

All that remains is to create a simple configuration, locally, to unlock your server. We modify ~/.ssh/config with:

Host unlock
  Hostname domain.tld
  User root
  IdentityFile ~/.ssh/key

Then, when the machine is waiting for the password at startup, you just have to run ssh unlock to be able to type the password!