Remote disk unlock

You can enable remote disk unlock to enter your disk unlock password over the network. This is most useful for servers, which might not have a keyboard or display attached, but it works for any PureOS system.

Enable remote disk unlock

  1. Open a terminal emulator.

    • On systems with a desktop environment, launch a terminal emulator.

    • On systems with no desktop environment, a terminal emulator starts by default once you log in.

  2. Install packages: sudo apt install -y dropbear-initramfs

    • Commands using sudo may prompt for your password. If so, type your password and press Enter. For security, nothing is shown on the screen when typing.

  3. Apply configuration for Dropbear: sudo sed -E -e 's|^#?DROPBEAR_OPTIONS=.*|DROPBEAR_OPTIONS="-I 180 -j -k -p 4522 -s -c cryptroot-unlock"|' -i /etc/dropbear/initramfs/dropbear.conf

    • This applies the following configuration options:

    • -I 180: Disconnect clients if there is no activity for 180 seconds (3 minutes).

    • -j -k: Disable local and remote port forwarding.

    • -p 4522: Listen on port 4522.

    • -s: Do not allow password logins (we will log in with an SSH public key).

    • -c cryptroot-unlock: Only allow unlocking the disk (do not allow running other commands).

  4. Configure boot networking:

    • For DHCP automatic addresses: echo "IP=::::$(hostname)-init::dhcp" | sudo tee /etc/initramfs-tools/conf.d/ip.conf

    • For static addresses, consult the documentation for the ip= command line parameter.

Next, authorize a client to connect during boot.

Authorize a client to connect

  1. On the server, enable remote SSH access if you have not already done so.

  2. On the client, open a terminal.

  3. On the client, create an SSH key pair if you have not already done so.

    • If you are not sure, run: ls ~/.ssh/*.pub

    • If any files are found, you have an SSH key pair.

    • If no files are found, create an SSH key pair:

      1. Run in the terminal: ssh-keygen -t ed25519

      2. When asked where to save the key, press Enter to accept the default.

      3. When asked for a passphrase, press Enter twice if you do not need to protect this key with a passphrase. If you do want to protect the key, enter the passphrase at each prompt.

  4. Copy your local SSH public key to the server. On the client: rsync ~/.ssh/id_ed25519.pub <username>@<hostname>.local:~/next_key.pub

    • Your local SSH key might have a different name than id_ed25519.pub if you created a different type of SSH key.

  5. Authorize this key and update the initramfs. On the server: cat ~/next_key.pub | sudo tee -a /etc/dropbear/initramfs/authorized_keys; sudo update-initramfs -u -k all

Unlock remotely

  1. Power on the server.

  2. When the server is ready to unlock the disk, find the server’s IP address.

    • For DHCP automatic addressing, check your DHCP server for the address assigned to <hostname>-init. In home/small office networks, the DHCP server is usually your router.

    • For static addressing, use the static address you assigned.

  3. On the authorized client, connect to the server: ssh -p 4522 root@<address>

  4. If this is your first time connecting from this system, SSH will ask to confirm the server’s identity. On a trusted network, you can type yes and press Enter. SSH will save this identity and use it to authenticate the server in the future.

    The authenticity of host '[172.21.1.191]:4522 ([172.21.1.191]:4522)' can't be established.
ED25519 key fingerprint is SHA256:jNvyq0MREPrdHO+H/tgtI5N24Bgl4l1fORCSXTnoB6Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

  5. The server will prompt for the disk unlock password; type it and press Enter.