Unlocking LUKS Encrypted Disk via SSH on Ubuntu Server

This article provides a step-by-step procedure for unlocking and accessing a LUKS encrypted disk using SSH on an Ubuntu server.

Install Dropbear

To reach the server over SSH before the encrypted disk is unlocked, you'll need to install Dropbear into the initramfs. Run the following commands:

sudo apt update
sudo apt upgrade
sudo apt install dropbear-initramfs

Configure Dropbear

Edit the /etc/dropbear/initramfs/dropbear.conf file and add the following configuration:

# Config DROPBEAR_OPTIONS:
DROPBEAR_OPTIONS="-s -j -k -p 2222 -I 60"

This configuration allows only private key-based SSH logins (-s disables password logins), disables local and remote port forwarding (-j and -k), sets the port to 2222 (-p), and sets the idle timeout to 60 seconds (-I).

Set Static IP Address

Edit the /etc/initramfs-tools/initramfs.conf file and add the following configuration:

IP=192.168.1.10::192.168.1.1:255.255.255.0:hostname

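This sets a static IP address for your server in the initramfs: address 192.168.1.10, gateway 192.168.1.1 and netmask 255.255.255.0, with the second field (the server address) left empty.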

Generate Initramfs Image

Update the initramfs image to include the new configuration:

sudo update-initramfs -u

Add Public Keys to Authorized Keys File

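Copy the public key from your local machine to the /etc/dropbear/initramfs/authorized_keys file. You can do this by running, as root, cat /path/to/public/key > /etc/dropbear/initramfs/authorized_keys. Note that > overwrites any keys already in the file, and that the key only reaches the initramfs image the next time update-initramfs runs.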

Unlock LUKS Encrypted Disk via SSH

To unlock the LUKS encrypted disk, you'll need to use the cryptroot-unlock command from within an SSH session. Run the following command:

cryptroot-unlock

cryptroot-unlock takes no device argument, and the initramfs shell has no sudo; the command prompts for the passphrase of the encrypted device the boot process is waiting on.

You'll be prompted to enter the unlock password when connected via SSH. Once you've unlocked the disk, you can access its contents using standard Linux commands.

Update Initramfs and Restart OS

Update the initramfs image again:

sudo update-initramfs -u

Restart your Ubuntu server to apply the new configuration.
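
Before restarting, the settings from the steps above can be checked with a short script. This is an added example, not part of the original article; the function names are hypothetical, the default paths are the two files the article edits, and it assumes the Dropbear flags are written separately as shown above.

```sh
#!/bin/sh
# Added example (not from the article): audit the pre-boot SSH settings before rebooting.
# Assumes the flags in DROPBEAR_OPTIONS are written separately, as in the article.

# Print the value of the last uncommented DROPBEAR_OPTIONS= line in file $1.
dropbear_options() {
    sed -n 's/^[[:space:]]*DROPBEAR_OPTIONS=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Succeed if flag $2 (for example -s) is a separate word in option string $1.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Print how many non-comment lines of file $1 carry an SSH public key.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$1" |
        grep -Ec '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-[a-z0-9-]+)[[:space:]]+AAAA' || true
}

# Audit config $1 and key file $2 (defaults: the paths the article edits).
# Prints one FAIL line per problem; returns 0 only if every check passes.
audit_preboot_ssh() {
    conf=${1:-/etc/dropbear/initramfs/dropbear.conf}
    keys=${2:-/etc/dropbear/initramfs/authorized_keys}
    rc=0
    opts=$(dropbear_options "$conf")
    # -s: no password logins, -j / -k: no local / remote port forwarding.
    for flag in -s -j -k; do
        has_flag "$opts" "$flag" || { echo "FAIL: $flag not set in $conf"; rc=1; }
    done
    # Without a key, key-only login (-s) leaves no way to reach the unlock prompt.
    [ "$(count_keys "$keys")" -gt 0 ] || { echo "FAIL: no public key in $keys"; rc=1; }
    # A key file writable by group or others lets another account add its own key.
    if [ -n "$(find "$keys" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "FAIL: $keys is group- or world-writable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: pre-boot SSH settings look sane"
    return "$rc"
}
```

Call audit_preboot_ssh with no arguments as root to check the live files, or pass the paths of copies as the two arguments.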

When you restart, you should be able to access your LUKS encrypted disk and unlock it via SSH using the cryptroot-unlock command.

Verify SSH Connection and Unlock LUKS Encrypted Disk

To verify that the SSH connection is working, you can run the client with ssh -v (verbose output) or ssh -T (no terminal allocation).

If you want to unlock your LUKS encrypted disk again during this SSH session, you can run:

cryptroot-unlock

Enter the unlock password when prompted. You'll be able to access the contents of your LUKS encrypted disk using standard Linux commands.

That's it! You should now be able to access your Ubuntu server via SSH and unlock the LUKS encrypted disk.
