Remotely unlock a full disk encrypted Fedora/CentOS server · uwot.eu

Remotely unlock a full disk encrypted Fedora/CentOS server

by fabio
Fedora CentOS Full Disk Encryption LUKS2 dropbear

The idea here is to power on a remote Full Disk Encrypted (FDE from now on) server and unlock it without standing at its console.
I will leave the "remotely power on" part to the reader and focus on the unlock.
The easiest way to do it is dracut-crypt-ssh, a dracut module that puts a dropbear SSH daemon into the initramfs so the LUKS passphrase can be supplied over SSH before the root filesystem is mounted.

$ yum install dropbear dracut dracut-network openssh libblkid-devel gcc
$ git clone https://github.com/dracut-crypt-ssh/dracut-crypt-ssh.git
$ cd dracut-crypt-ssh
$ ./configure
$ make
$ sudo make install

After compiling and installing dracut-crypt-ssh, add the dracut networking parameters to the kernel command line so the initramfs brings up the NIC before it asks for the passphrase:

$ vi /etc/default/grub
---
GRUB_CMDLINE_LINUX="... rd.neednet=1 ip=dhcp"

$ grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI installs the file grub actually reads may be /boot/efi/EFI/<distro>/grub.cfg instead; write the output to the path your firmware boot entry points at.

Give the server NIC a fixed address so you know where dropbear will be listening: either a DHCP reservation on the router, or replace ip=dhcp with a static dracut spec of the form ip=<client-IP>::<gateway>:<netmask>:<hostname>:<interface>:none.
Then tell dracut to include dropbear in the initramfs:

$ vi /etc/dracut.conf.d/crypt-ssh.conf
---
# a port other than 22 keeps the initramfs host key apart from the real sshd in known_hosts
dropbear_port="222"
# GENERATE creates fresh host keys every time dracut runs (including kernel updates),
# so clients will see a changed host key after each rebuild; point these at key
# files instead if you want stable keys
dropbear_rsa_key="GENERATE"
dropbear_ecdsa_key="GENERATE"
# public keys allowed to log in as root inside the initramfs
dropbear_acl="/etc/dropbear/keys/authorized_keys"

$ dracut -f

Copy your client PC's public key to /etc/dropbear/keys/authorized_keys and rebuild the initramfs with dracut -f. Only public material belongs there: /boot, and therefore the initramfs with its host keys and ACL, is not encrypted and is readable by anyone who gets hold of the disk.
Reboot the computer and connect to the dropbear SSH daemon; inside the initramfs, console_auth forwards what you type to the LUKS passphrase prompt on the console:

$ ssh -p 222 root@server_hostname
# console_auth
...type in your passphrase...

Alternatively, keep the passphrase in a GPG-encrypted file and pipe its decrypted content to the unlock program running in the initramfs, which reads the passphrase from stdin (so it never appears on a command line or in shell history):

$ gpg -d password.gpg | ssh -p 222 root@server_hostname unlock
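The two-step flow above (wait for the initramfs sshd to come up after power-on, then pipe the passphrase to unlock) is easy to get wrong by hand when the box is still in its firmware. Below is an added client-side helper that does both; it is example code written for this page, not part of dracut-crypt-ssh. It assumes the page's setup (dropbear on port 222, key-based root login, unlock reading the passphrase from stdin, the passphrase in password.gpg). HOST, PORT, SSH, PROBE and SECRET_CMD are hypothetical knobs of this script only, so it can be pointed at another host or exercised without a network.

```shell
#!/bin/sh
# unlock-remote.sh: wait for the initramfs dropbear, then unlock the LUKS root.
# Added example, not code from the page or from the dracut-crypt-ssh project.

HOST=${HOST:-server_hostname}
PORT=${PORT:-222}
SSH=${SSH:-ssh}
PROBE=${PROBE:-"nc -z -w 3"}                     # TCP probe, called as: <cmd> host port
SECRET_CMD=${SECRET_CMD:-"gpg -d password.gpg"}  # prints the passphrase on stdout

# SSH options for the initramfs dropbear. BatchMode stops ssh from falling back
# to an interactive password prompt, so a missing or wrong key fails fast.
# $1 port
initramfs_ssh_opts() {
    printf '%s' "-p $1 -o BatchMode=yes -o ConnectTimeout=5"
}

# Poll until something accepts TCP connections on host:port. Right after a
# remote power-on the machine is still in firmware/bootloader for a while.
# $1 host, $2 port, $3 max attempts, $4 seconds between attempts
# Returns 0 once the port answers, 1 after $3 failed attempts.
wait_for_ssh() {
    attempts=0
    while ! $PROBE "$1" "$2" >/dev/null 2>&1; do
        attempts=$((attempts + 1))
        [ "$attempts" -ge "$3" ] && return 1
        sleep "$4"
    done
    return 0
}

# Decrypt the passphrase and feed it straight into "unlock" over the SSH pipe.
# It is never an argument, so it shows up neither in ps nor in shell history.
unlock_remote() {
    # shellcheck disable=SC2046,SC2086
    $SECRET_CMD | $SSH $(initramfs_ssh_opts "$PORT") "root@$HOST" unlock
}

main() {
    if ! wait_for_ssh "$HOST" "$PORT" 60 5; then
        echo "initramfs sshd on $HOST:$PORT did not come up" >&2
        return 1
    fi
    unlock_remote
}

# Run only when executed as a script; sourcing the file just defines the functions.
if [ "${0##*/}" = "unlock-remote.sh" ]; then
    main
fi
```

Typical use is `HOST=myserver ./unlock-remote.sh` right after sending the power-on. Because dropbear's host key in the initramfs is regenerated on every dracut run when the GENERATE setting is used, expect ssh to complain about a changed key after kernel updates; the fix is to point dropbear_rsa_key / dropbear_ecdsa_key at persistent key files rather than to weaken host key checking in this script.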
