Unlocking Ubuntu Server 16 encrypted LUKS using Dropbear SSH

This is based on the following 3 references. From all 3 there were parts missing or not clear to me, so I put all my notes on how I got this working here.
The references are: Ref 1, Ref 2 and Ref 3

Install dropbear and busybox
sudo apt-get install dropbear busybox

The initramfs config file can be found here:
/etc/initramfs-tools/initramfs.conf
Ensure the following settings are present and uncommented: BUSYBOX=y and DROPBEAR=y

The host keys used by the initramfs are dropbear_dss_host_key and dropbear_rsa_host_key; check that they exist:
ls /etc/initramfs-tools/etc/dropbear/

If they do not exist, you can create them (root is needed to write into /etc):
sudo dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
sudo dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

Create the directory that will hold the keys for public key authentication.
sudo mkdir /etc/initramfs-tools/root
sudo mkdir /etc/initramfs-tools/root/.ssh

Generate the dropbear key pair
sudo dropbearkey -t rsa -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear

Convert the private key from dropbear format to OpenSSH format
sudo /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/initramfs-tools/root/.ssh/id_rsa.dropbear /etc/initramfs-tools/root/.ssh/id_rsa

Extract the public key from id_rsa.dropbear (the redirect below runs as your own user, not root, which is why the file is created and made writable first)
sudo touch /etc/initramfs-tools/root/.ssh/id_rsa.pub
sudo chmod ogu+rw /etc/initramfs-tools/root/.ssh/id_rsa.pub
sudo dropbearkey -y -f /etc/initramfs-tools/root/.ssh/id_rsa.dropbear | grep "^ssh-rsa " > /etc/initramfs-tools/root/.ssh/id_rsa.pub

To add the public key to the authorized_keys file:
sudo touch /etc/initramfs-tools/root/.ssh/authorized_keys
sudo chmod ogu+rw /etc/initramfs-tools/root/.ssh/authorized_keys
sudo cat /etc/initramfs-tools/root/.ssh/id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys

Enable dropbear to start
sudo vi /etc/default/dropbear
change NO_START=1 to NO_START=0

Create the unlock hook script:
sudo vim /etc/initramfs-tools/hooks/crypt_unlock.sh
Paste into it the contents of the gusennan sh script.

Make it executable
sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Update your initramfs on the server
sudo update-initramfs -u

Disable the dropbear service on boot so OpenSSH is used after the partition is decrypted
sudo update-rc.d dropbear disable

If the server has a static IP then additional configuration is needed. For example, if the server's network configuration looks like this:
auto ens160
iface ens160 inet static
address 10.105.16.153
netmask 255.255.255.0
gateway 10.105.16.1
dns-nameservers 10.100.16.16 10.105.16.16

sudo vi /etc/initramfs-tools/initramfs.conf
Find the line DEVICE= and, underneath it, add a line in this format (client IP, empty server field, gateway, netmask, empty hostname, interface, autoconf off):
IP=10.105.16.153::10.105.16.1:255.255.255.0::ens160:off
Then edit the following file:
sudo vim /usr/share/initramfs-tools/scripts/init-bottom/dropbear
and add the following line at the bottom of the file
ifconfig ens160 0.0.0.0 down
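As an added example (not from the original post), the following script derives the IP= line from an interfaces stanza in the format quoted above and checks initramfs.conf for the BUSYBOX=y, DROPBEAR=y and IP= settings this procedure depends on; the sample interfaces data is constructed, with a second interface added to show that only the requested stanza is read.

```shell
#!/bin/sh
# Added example (not from the original post): derive the initramfs IP= line from
# an /etc/network/interfaces stanza and check initramfs.conf. Sample data is constructed.

# Constructed sample: the post's static stanza plus lo and a second static
# interface, to show that only the requested stanza is read.
SAMPLE_INTERFACES='auto lo
iface lo inet loopback
auto ens160
iface ens160 inet static
address 10.105.16.153
netmask 255.255.255.0
gateway 10.105.16.1
dns-nameservers 10.100.16.16 10.105.16.16
iface ens192 inet static
address 192.0.2.10
netmask 255.255.255.0
gateway 192.0.2.1'

# build_ip_line IFACE < interfaces: prints IP=<client>::<gw>:<netmask>::<iface>:off,
# the kernel ip= field order (client:server:gw:netmask:hostname:device:autoconf).
# Exits 1 instead of printing a broken line when the stanza lacks a value.
build_ip_line() {
    awk -v want="$1" '
        $1 == "iface" { in_stanza = ($2 == want && $4 == "static"); next }
        in_stanza && $1 == "address" { addr = $2 }
        in_stanza && $1 == "netmask" { mask = $2 }
        in_stanza && $1 == "gateway" { gw = $2 }
        END {
            if (addr == "" || mask == "" || gw == "") exit 1
            printf "IP=%s::%s:%s::%s:off\n", addr, gw, mask, want
        }'
}

# check_initramfs_conf < initramfs.conf: exit 0 when BUSYBOX=y, DROPBEAR=y and an
# IP= line are all present and uncommented; otherwise lists what is missing, exit 1.
check_initramfs_conf() {
    awk '
        /^BUSYBOX=y/  { busybox = 1 }
        /^DROPBEAR=y/ { dropbear = 1 }
        /^IP=/        { ip = 1 }
        END {
            if (!busybox)  { print "missing BUSYBOX=y";  rc = 1 }
            if (!dropbear) { print "missing DROPBEAR=y"; rc = 1 }
            if (!ip)       { print "missing IP= line";   rc = 1 }
            exit rc
        }'
}

printf '%s\n' "$SAMPLE_INTERFACES" | build_ip_line ens160
```

On a real server, feed the functions the actual files: `build_ip_line ens160 < /etc/network/interfaces` and `check_initramfs_conf < /etc/initramfs-tools/initramfs.conf`.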

Disable the dropbear service on boot so OpenSSH starts correctly
sudo update-rc.d -f dropbear remove

Copy the private key to your home directory, change the owner from root to your own user, and download it to the local PC
sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/id_rsa
sudo chown alexis:alexis ~/id_rsa

Use an SFTP client to get it off the server

On the client side (to use PuTTY)

Convert the OpenSSH private key to a PuTTY key
Start puttygen.exe, then Conversions > Import Key
Click "Save private key"

Run putty.exe
Under Connection > Data > Auto-Login username = “root”
Under Connection > SSH > Auth > Browse and add the converted private key

Reboot the server and wait for ping to respond.
SSH onto the server and, at the prompt, run:
# unlock

UPDATE: 01/08/2017
After upgrading Ubuntu the following steps need to be done again
sudo vim /usr/share/initramfs-tools/scripts/init-bottom/dropbear
and add the following line at the bottom of the file
ifconfig ens160 0.0.0.0 down

sudo update-rc.d -f dropbear remove
sudo update-initramfs -u


About Alexis Katsavras

Working as a freelance Cisco Unified Communications Consultant in the UK. www.NetPacket.co.uk