Unlock encrypted root filesystem via SSH

As I wrote in my last posts, I want to use my ROCK Pi 4 as a home server. I installed a libre bootloader and then Debian with an encrypted root filesystem. Here I wrote down how I managed to unlock my encrypted partition via SSH.

Dropbear is a small SSH server (and client). The idea is to integrate it into my initial RAM file system solely so that I can connect to my ROCK Pi 4 via SSH at boot time and type in my dm-crypt passphrase. After that the SSH connection is closed and the boot process proceeds as usual.

Install and configure dropbear-initramfs

First, I install the Debian package dropbear-initramfs (and all its dependencies). Then I configure Dropbear by editing one line in its main configuration file.

stefan@uvauwe:~$ sudo apt install dropbear-initramfs
stefan@uvauwe:~$ sudo editor /etc/dropbear/initramfs/dropbear.conf
# Command line options to pass to dropbear(8)
#
DROPBEAR_OPTIONS="-jk -p 2222 -c cryptroot-unlock"

Options -j and -k disable local / remote port forwarding. I won’t need any port forwarding.

With option -p 2222 Dropbear listens on port 2222. I use a different port for the Dropbear server in the initramfs than for the main SSH server on my ROCK Pi 4 because the two use different host keys. When I connect to a host via SSH for the first time, I have to confirm its authenticity by checking the key fingerprint I am shown. Once I have verified this fingerprint the connection is established and the host’s public key is added to my ~/.ssh/known_hosts file. If I later connect to the same host and it presents a different key, the connection is refused because host key verification fails. As far as I know, using different ports for the two SSH servers is the easiest way to avoid this.

Option -c forces the given command (in my case cryptroot-unlock) to be run as soon as the connection is established.

By the way, options -F (don’t fork into background) and -s (disable password logins) are enabled by default when dropbear is integrated in initramfs (see script /usr/share/initramfs-tools/scripts/init-premount/dropbear).

Enable public key authentication

With option -s enabled by default password logins are disabled, so I’ll use public key authentication. For that to work I only need to copy my SSH client’s public key (on my laptop) to dropbear’s /etc/dropbear/initramfs/authorized_keys file (on my home server):

stefan@librem14:~$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNhMKegphuiSrT3fHXc/VkgWR5UkdNq3vh/ReX+Klcs stefan@librem14
stefan@uvauwe:~$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNhMKegphuiSrT3fHXc/VkgWR5UkdNq3vh/ReX+Klcs stefan@librem14" | sudo tee -a /etc/dropbear/initramfs/authorized_keys > /dev/null

Network configuration

The network configuration for initramfs can be set up by using the ip= kernel boot parameter (see the Linux documentation for details). I create a file /etc/initramfs-tools/conf.d/ip and paste the boot parameter:

stefan@uvauwe:~$ echo "ip=192.168.0.2::192.168.0.1:255.255.255.240:uvauwe::none" | sudo tee -a /etc/initramfs-tools/conf.d/ip

I use a static network configuration. My ROCK Pi 4 should have the IP address 192.168.0.2, the IP address of its gateway is 192.168.0.1, the netmask is 255.255.255.240, the hostname is uvauwe and I want to disable autoconfiguration. By the way, for a DHCP client configuration the boot parameter could look as simple as this: ip=dhcp
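A typo in this one line only shows up after the reboot, when the initramfs never comes up on the network and the disk cannot be unlocked remotely. The following POSIX shell check is an added example (not part of the original post) that parses a static ip= string and verifies the address fields are consistent before update-initramfs is run; the field layout is assumed from the kernel's ip= documentation.

```shell
#!/bin/sh
# Pre-reboot check for the static ip= parameter (added example, not from the
# original post). Assumed field layout, from the kernel's ip= documentation:
#   ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>

# Succeeds only for a well-formed dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> 32-bit integer, so subnet membership can be tested.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# Returns 0 if the ip= string is usable for an initramfs unlock, 1 otherwise.
check_ip_param() {
    spec=${1#ip=}
    case "$spec" in
        dhcp|bootp|on|any) return 0 ;;       # pure autoconfiguration, nothing to verify
    esac
    client=$(printf '%s\n' "$spec" | cut -d: -f1)
    gw=$(printf '%s\n' "$spec" | cut -d: -f3)
    mask=$(printf '%s\n' "$spec" | cut -d: -f4)
    autoconf=$(printf '%s\n' "$spec" | cut -d: -f7)
    case "$autoconf" in
        none|off) ;;                         # static: the address fields must hold
        *) return 0 ;;                       # kernel autoconfigures the rest
    esac
    is_ipv4 "$client" || { echo "bad client address '$client'" >&2; return 1; }
    is_ipv4 "$mask"   || { echo "bad netmask '$mask'" >&2; return 1; }
    if [ -n "$gw" ]; then
        is_ipv4 "$gw" || { echo "bad gateway '$gw'" >&2; return 1; }
        m=$(ip_to_int "$mask")
        [ $(( $(ip_to_int "$client") & m )) -eq $(( $(ip_to_int "$gw") & m )) ] \
            || { echo "gateway $gw is not inside $client/$mask" >&2; return 1; }
    fi
    return 0
}

# Constructed sample; on the server use: sed -n 's/^ip=//p' /etc/initramfs-tools/conf.d/ip
check_ip_param "ip=192.168.0.2::192.168.0.1:255.255.255.240:uvauwe::none" && echo "ip= looks consistent"
```

After update-initramfs, `lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'dropbear|authorized_keys|conf.d/ip'` confirms that the Dropbear binary, the key file and this configuration actually made it into the image.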

Generate an initramfs image

Finally, I have to update the initramfs image to make the changes effective. Let’s reboot and see if everything works as expected!

stefan@uvauwe:~$ sudo update-initramfs -u -k all
stefan@uvauwe:~$ sudo reboot

Unlock the encrypted root filesystem via SSH

Now I can connect to my ROCK Pi 4 via SSH and unlock the encrypted root filesystem. This only works as superuser and I have to use the port I specified in Dropbear’s configuration file (see above).

stefan@librem14:~$ ssh root@192.168.0.2 -p 2222
Please unlock disk md0_crypt: 
cryptsetup: md0_crypt set up successfully
Connection to 192.168.0.2 closed.
