Remotely unlock a full disk encrypted Fedora 33 server
Last year I blogged on how to remotely unlock a full disk encrypted Fedora/CentOS server.
The software I used, dracut-crypt-ssh,
is not supported anymore and stopped working for me on Fedora 32 and 33.
A quick DDG search pointed me in the right direction and led me to a similar
piece of software that accomplishes the same task: dracut-sshd.
$ sudo dnf install dracut dracut-network openssh libblkid-devel gcc
$ git clone https://github.com/gsauthof/dracut-sshd.git
$ cd dracut-sshd
$ sudo cp -ri 46sshd /usr/lib/dracut/modules.d
After compiling and installing dracut-sshd, configure GRUB so that it instructs
dracut to add networking support to the initramfs:
$ sudo vi /etc/default/grub
---
GRUB_CMDLINE_LINUX="... rd.neednet=1 ip=dhcp"
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Configure your router so that it assigns a static IP address to the server NIC
on which the initramfs SSH server will listen.
Copy the public keys of the clients from which you want to connect to the encrypted
server into /root/.ssh/authorized_keys; the content of this file will be included in
the initramfs image.
Finally, rebuild the initramfs and check the command output to make sure the sshd
module is included:
$ sudo dracut -f -v
Reboot the server, connect to it via SSH and remotely unlock it:
$ ssh root@<server_hostname>
$ systemd-tty-ask-password-agent
...type_in_your_password...
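As an added example (not part of the original post or of dracut-sshd), the following POSIX sh script adds the two kernel parameters from the GRUB step above to a /etc/default/grub-style file idempotently and verifies the result, so the edit can be checked before grub2-mkconfig and the initramfs rebuild. It runs against a constructed sample file; point it at the real /etc/default/grub only once you trust it.

```shell
#!/bin/sh
# Added example: idempotently add "rd.neednet=1 ip=dhcp" to GRUB_CMDLINE_LINUX
# in an /etc/default/grub-style file ($1) and verify the parameters are present.
set -eu

# Print the value of GRUB_CMDLINE_LINUX in file $1 with the quotes removed
# (empty output if the line is missing).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Return 0 only if every parameter dracut needs for networking is present
# as a whole word (so "ip=dhcp6" does not count as "ip=dhcp").
grub_has_net_params() {
    cmd=" $(grub_cmdline "$1") "
    for p in rd.neednet=1 ip=dhcp; do
        case "$cmd" in *" $p "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Append the missing parameters to GRUB_CMDLINE_LINUX in file $1, creating the
# line if absent. Running it twice makes no further change.
grub_add_net_params() {
    f=$1
    cur=$(grub_cmdline "$f")
    new=$cur
    for p in rd.neednet=1 ip=dhcp; do
        case " $new " in *" $p "*) ;; *) new="${new:+$new }$p" ;; esac
    done
    [ "$new" = "$cur" ] && return 0      # already configured, nothing to do
    tmp=$(mktemp)
    found=0
    # Rewrite line by line; only the GRUB_CMDLINE_LINUX line is replaced.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            GRUB_CMDLINE_LINUX=*) printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new"; found=1 ;;
            *) printf '%s\n' "$line" ;;
        esac
    done <"$f" >"$tmp"
    [ "$found" -eq 1 ] || printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >>"$tmp"
    mv "$tmp" "$f"
    grub_has_net_params "$f"
}

# Constructed sample resembling /etc/default/grub on a Fedora install.
sample=$(mktemp)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root rhgb quiet"\n' >"$sample"
grub_add_net_params "$sample" && grep '^GRUB_CMDLINE_LINUX=' "$sample"
```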