sylvaindurand.org

Remotely unlock an encrypted system

I self-host a server under Arch Linux on which various personal data are stored: documents, photos, music, videos... Its data are fully encrypted, including the main system, to avoid any risk, in case of burglary for example.

Arch Linux with full encryption

However, encrypting the whole system raises a difficulty: a password is needed at every reboot. This means that a keyboard and a screen must be connected to the server, which is not very practical if it is only meant to be accessed over SSH.

Above all, this server must remain constantly available: in case of power failure or malfunction, it must be able to be restarted without me necessarily being on site.

The solution is simple: when the password prompt appears, launch a minimal SSH server that allows the password to be entered remotely.

This article is directly inspired by the dm-crypt/Specialties page from the Arch Linux wiki, which shows different ways to do this. It assumes that you already have a fully functioning encrypted system.

Arch Wiki: dm-crypt/Specialties

Packages

We will use `mkinitcpio-netconf`, which allows network access during the early boot phase, `mkinitcpio-tinyssh` and `tinyssh-convert` to initiate SSH access, and `mkinitcpio-utils` to get a session:

sudo pacman -Syu mkinitcpio-netconf \
                 mkinitcpio-tinyssh \
                 tinyssh-convert \
                 mkinitcpio-utils

Network

To get network access, it is necessary to pass connection information to the kernel at boot time with the `ip` option. My server connects directly with DHCP on the eth0 interface, so I use:

ip=:::::eth0:dhcp

If your network uses a static IP instead of DHCP, use:

ip=192.168.1.1:::::eth0:none

If you need to connect via wifi, use the AUR package `mkinitcpio_wifi`; the documentation is detailed here:

Arch Wiki: Remote unlock via wifi.

Key

To connect at startup, your public key must be made available to the initramfs. TinySSH only accepts Ed25519 or ECDSA keys; I use the first type, generated with `ssh-keygen -t ed25519 -a 100`.

This public key must be placed in the `/etc/tinyssh/root_key` file.

To use the same key that you already use to SSH into the server, just copy it (the destination is owned by root):

sudo cp ~/.ssh/authorized_keys /etc/tinyssh/root_key

Launching in the boot sequence

Then, we modify the `/etc/mkinitcpio.conf` file to replace `encrypt` with `netconf tinyssh encryptssh` in the line that starts with `HOOKS`.

Finally, we incorporate the changes with `sudo mkinitcpio -P`.
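Before rebuilding the initramfs and rebooting, it is worth checking the three pieces of configuration set up in the Network, Key and Launching steps above, since a mistake in any of them leaves the prompt unreachable until a keyboard is plugged in. The following pre-flight script is an added example, not the article's own; the paths and hook names are the ones the article uses, and the sample files it creates are constructed stand-ins for the real ones.

```bash
# Pre-flight checks for the remote-unlock setup (added example, not from
# the article). Sample inputs below are constructed, not real keys/configs.

# A kernel ip= option has 7 colon-separated fields:
# client:server:gateway:netmask:hostname:device:autoconf.
# Usable here: exactly 7 fields, a device, and dhcp, or none with a client IP.
check_ip_opt() {
    opt=${1#ip=}
    [ "$(printf '%s\n' "$opt" | awk -F: '{ print NF }')" -eq 7 ] || return 1
    IFS=: read -r client _s _g _m _h device autoconf <<EOF
$opt
EOF
    [ -n "$device" ] || return 1
    case $autoconf in
        dhcp) return 0 ;;
        none) [ -n "$client" ] ;;
        *)    return 1 ;;
    esac
}

# The HOOKS line must no longer contain the plain encrypt hook, and must
# list netconf, tinyssh and encryptssh in that order.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1")
    order=
    for h in $hooks; do
        case $h in
            encrypt) return 1 ;;
            netconf|tinyssh|encryptssh) order="$order$h " ;;
        esac
    done
    [ "$order" = "netconf tinyssh encryptssh " ]
}

# TinySSH only loads Ed25519 and ECDSA keys: every non-comment line of
# root_key must start with one of those key types.
check_root_key() {
    [ -s "$1" ] || return 1
    while read -r type _rest; do
        case $type in
            ''|'#'*|ssh-ed25519|ecdsa-sha2-nistp*) ;;
            *) return 1 ;;
        esac
    done < "$1"
}

# Constructed samples; on the real host pass /etc/mkinitcpio.conf,
# /etc/tinyssh/root_key and the ip= option from your bootloader instead.
tmp=$(mktemp -d)
printf 'HOOKS=(base udev autodetect modconf block netconf tinyssh encryptssh filesystems fsck)\n' > "$tmp/ok.conf"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYNOTREAL me@laptop\n' > "$tmp/ok_key"
check_hooks "$tmp/ok.conf" && check_root_key "$tmp/ok_key" && check_ip_opt 'ip=:::::eth0:dhcp' && echo "sample setup OK"
```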

Locally

All that remains is to create a simple configuration, locally, to unlock your server. We add the following to `~/.ssh/config`:

Host unlock
  Hostname domain.tld
  User root
  IdentityFile ~/.ssh/key

Then, when the machine is waiting for the password at startup, you just have to run `ssh unlock` and type the password!