Remotely unlock a full disk encrypted Fedora/CentOS server
The idea here is to be able to power on and unlock a remote Full Disk Encrypted
(FDE from now on) server.
I will leave the “remotely power on” part to the reader to figure out and focus
on the unlocking.
The easiest way to accomplish it is by using a program called dracut-crypt-ssh.
$ yum install dropbear dracut dracut-network openssh libblkid-devel gcc
$ git clone https://github.com/dracut-crypt-ssh/dracut-crypt-ssh.git
$ cd dracut-crypt-ssh
$ ./configure
$ make
$ sudo make install
After compiling and installing dracut-crypt-ssh, configure grub so that dracut
adds networking to the initramfs:
$ vi /etc/default/grub
---
GRUB_CMDLINE_LINUX="... rd.neednet=1 ip=dhcp"
$ grub2-mkconfig -o /boot/grub2/grub.cfg
Configure your router (or DHCP server) so that it always hands out the same IP
address to the server NIC on which dropbear will listen.
Generate a pair of static RSA and ECDSA host keys for dropbear. They must be
static so that your client can pin them in its known_hosts and verify the
initramfs SSH host before sending the passphrase; a host key that changes on
every initramfs rebuild trains you to accept unknown keys, which is exactly
what a rogue DHCP or ARP host on the server's network would need to capture
the passphrase. Note that these keys are baked into the initramfs on the
unencrypted /boot partition, so they are not secrets from anyone with physical
access to the disk.
$ cd /etc/dropbear/keys
$ openssl genrsa -out rsa.pem 2048
$ openssl rsa -in rsa.pem -outform PEM -pubout -out rsa.pem.pub
$ openssl ecparam -name prime256v1 -genkey -noout -out ecdsa.pem
$ openssl ec -in ecdsa.pem -pubout -out ecdsa.pem.pub
Copy the public keys of the clients from which you want to connect to the encrypted
server to /etc/dropbear/keys/authorized_keys, and configure dropbear so that it
knows which keys are to be added to the initramfs image:
$ vi /etc/dracut.conf.d/crypt-ssh.conf
---
dropbear_port="222"
# Use the static keys generated above. The alternative value "SYSTEM" makes
# dracut reuse the host's OpenSSH keys from /etc/ssh instead; pick one, since a
# later assignment to the same variable silently overrides an earlier one.
dropbear_rsa_key="/etc/dropbear/keys/rsa.pem"
dropbear_ecdsa_key="/etc/dropbear/keys/ecdsa.pem"
dropbear_acl="/etc/dropbear/keys/authorized_keys"
$ dracut -f
Reboot the computer and connect to the dropbear SSH daemon:
$ ssh -p 222 root@server_hostname
$ console_auth
...type_in_your_password...
Alternatively, it is possible to store the encrypted volume's passphrase in a GPG encrypted file on the client and pipe its decrypted content to the unlock program that is running in the initramfs environment, so the passphrase is never typed interactively or stored in clear text:
$ gpg -d password.gpg | ssh -p 222 root@server_hostname unlock
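The following client-side script is an added example, not part of dracut-crypt-ssh or of the original page. It wraps the unlock step above and adds the two checks a practitioner wants: it waits for dropbear to come up after the remote power-on, and it only talks to the initramfs SSH host if that host presents the pinned key, so an impersonator on the early-boot network cannot harvest the passphrase. It assumes the setup described above (dropbear on port 222, the client's key in authorized_keys, the passphrase in a gpg-encrypted file) and that the pinned public key is in OpenSSH format; on the server that file is produced from the PEM key with `ssh-keygen -i -m PKCS8 -f /etc/dropbear/keys/rsa.pem.pub` (with dropbear_rsa_key="SYSTEM" it is simply /etc/ssh/ssh_host_rsa_key.pub). The hostname, paths and port are illustrative.

```bash
#!/usr/bin/env bash
# unlock-remote.sh: unlock a dracut-crypt-ssh server from the client side.
# Added example; not code from dracut-crypt-ssh. All names/paths are assumptions.

# Build a known_hosts line that pins the initramfs host key for "[host]:port",
# reading an OpenSSH-format public key file ("ssh-rsa AAAA... comment").
# The "[host]:port" form keeps this entry separate from the real sshd on port 22,
# which has a different host key unless dropbear_rsa_key="SYSTEM" was used.
known_hosts_line() {
    host=$1; port=$2; pubkey_file=$3
    keytype=$(awk 'NR==1 {print $1}' "$pubkey_file")
    blob=$(awk 'NR==1 {print $2}' "$pubkey_file")
    # refuse files that do not look like "<type> <base64>"; a bad pin is worse than none
    [ -n "$keytype" ] && [ -n "$blob" ] || return 1
    printf '[%s]:%s %s %s\n' "$host" "$port" "$keytype" "$blob"
}

# Poll until something accepts TCP connections on host:port or the timeout
# (seconds) elapses. Uses bash's /dev/tcp so the client needs no extra tools.
wait_for_port() {
    host=$1; port=$2; timeout=$3
    while [ "$timeout" -gt 0 ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# Decrypt the passphrase locally with gpg and feed it on stdin to the "unlock"
# helper that dracut-crypt-ssh provides in the initramfs. Host key checking is
# strict and limited to the pinned file, so a host presenting any other key
# gets nothing. IdentitiesOnly avoids offering unrelated agent keys to dropbear.
remote_unlock() {
    host=$1; port=$2; known_hosts=$3; identity=$4; password_gpg=$5
    wait_for_port "$host" "$port" 120 || {
        echo "dropbear on $host:$port not reachable" >&2
        return 1
    }
    gpg -q -d "$password_gpg" |
        ssh -p "$port" \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$known_hosts" \
            -o IdentitiesOnly=yes -i "$identity" \
            "root@$host" unlock
}

# Usage (assumed names):
#   ./unlock-remote.sh pin    server.example 222 rsa.pub ~/.ssh/known_hosts_initramfs
#   ./unlock-remote.sh unlock server.example 222 ~/.ssh/known_hosts_initramfs \
#                             ~/.ssh/id_ed25519 ~/secrets/password.gpg
case "${1:-}" in
    pin)    shift; known_hosts_line "$1" "$2" "$3" >> "$4" ;;
    unlock) shift; remote_unlock "$@" ;;
esac
```

Run `pin` once, with the public key copied from the server over a channel you already trust (for example the normal sshd on port 22 after a manual unlock), and `unlock` after every power-on. Keeping the pinned key in a dedicated known_hosts file rather than the default one means a later change of the initramfs host key, for instance after regenerating rsa.pem, fails loudly instead of being quietly accepted.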