Remotely unlock a full disk encrypted Fedora 40 server
What I have been doing in 2020 and before doesn't seem to work anymore, hence it is time to publish a new episode of the saga: how to remotely unlock a full disk encrypted Linux machine.
dracut-sshd still works perfectly even though the surroundings changed a bit.
The first step is to install dracut-sshd so that dracut can add it to the initramfs:
$ sudo dnf install dracut dracut-network openssh
$ git clone https://github.com/gsauthof/dracut-sshd.git
$ cd dracut-sshd
$ sudo cp -ri 46sshd /usr/lib/dracut/modules.d
Tell dracut to include networking in the initramfs, then configure grub so the kernel command line brings the network up during early boot:
$ sudo vi /etc/dracut.conf.d/90-network.conf
---
add_dracutmodules+=" network "
---
$ sudo vi /etc/default/grub
---
GRUB_CMDLINE_LINUX="... rd.neednet=1 ip=eth0:dhcp"
---
$ sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
Configure your router so that it assigns a static IP address to the server NIC on which the initramfs SSH server will listen.
Copy the public keys of the clients from which you want to connect to the encrypted server into /root/.ssh/authorized_keys; the content of this file will be included in the initramfs image.
Finally rebuild the initramfs and check the command output to make sure the sshd module is included:
$ sudo dracut -f -v
Reboot the server, connect to it via SSH and remotely unlock it:
$ ssh root@<server_hostname>
$ systemd-tty-ask-password-agent
...type_in_your_password...
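Before rebooting a remote box it is worth verifying that every piece of the setup above is actually in place, since a missing module or an empty authorized_keys file means a trip to the console. The following pre-reboot checks are an added example, not part of the original post or of dracut-sshd; the file paths default to the ones used above but can be overridden so the checks run against copies, and the lsinitrd check assumes the listing contains the sshd binary path and the authorized_keys path as installed by the module.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the dracut-sshd setup (added example).
# Each function returns 0 when the check passes, 1 otherwise.

# Is the "network" module requested in the dracut configuration?
dracut_conf_has_network() {
    conf="${1:-/etc/dracut.conf.d/90-network.conf}"
    [ -f "$conf" ] || return 1
    # matches e.g.  add_dracutmodules+=" network "  or  add_dracutmodules="network"
    grep -Eq '^[[:space:]]*add_dracutmodules\+?=.*[[:space:]"]network[[:space:]"]' "$conf"
}

# Does GRUB_CMDLINE_LINUX carry both rd.neednet=1 and an ip= setting?
grub_cmdline_has_net() {
    grub="${1:-/etc/default/grub}"
    [ -f "$grub" ] || return 1
    line=$(grep -E '^GRUB_CMDLINE_LINUX=' "$grub" | tail -n 1)
    case "$line" in
        *rd.neednet=1*ip=*|*ip=*rd.neednet=1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Does authorized_keys contain at least one key of a common type?
authorized_keys_has_key() {
    ak="${1:-/root/.ssh/authorized_keys}"
    [ -f "$ak" ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-)' "$ak"
}

# Does the built initramfs contain sshd and the key file? Uses lsinitrd
# (ships with dracut); with no argument it inspects the current image.
initramfs_has_sshd() {
    listing=$(lsinitrd "$@") || return 1
    printf '%s\n' "$listing" | grep -q 'usr/sbin/sshd' &&
        printf '%s\n' "$listing" | grep -q 'authorized_keys'
}

# Run every check and report; only meaningful on the real server.
preflight() {
    rc=0
    for c in dracut_conf_has_network grub_cmdline_has_net \
             authorized_keys_has_key initramfs_has_sshd; do
        if "$c"; then echo "ok    $c"; else echo "FAIL  $c"; rc=1; fi
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as root with `--run` after `dracut -f -v` and before rebooting; any FAIL line points at the step to redo.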