How to access a remote server with an encrypted root partition (LUKS + busybox + dropbear)

I recently had a challenge where I needed to fully encrypt a server’s disk and then ship it to a datacenter where I would only have SSH access to it (no KVM console or iLO).

As you know, when a Linux system’s disk is fully encrypted with LUKS, the root filesystem is not mounted and no services start until the passphrase to unlock it is supplied. That means no SSH until you enter the passphrase through a KVM console, iLO or some other form of direct access.

Luckily there is a way around this: a lightweight SSH server such as dropbear can run inside the initramfs, so you can log in before the root filesystem is unlocked and supply the passphrase remotely.

Here’s how I did it:

  1. First, fully encrypt your server’s disk using LUKS. My OS was Ubuntu 22 and I did this during OS installation.
  2. Then, install the following packages on the server:

         apt install dropbear busybox dropbear-initramfs

  3. Edit the dropbear configuration file located at /etc/default/dropbear. This is how I configured it:

         # disabled because OpenSSH is installed
         # change to NO_START=0 to enable Dropbear
         NO_START=0
         # the TCP port that Dropbear listens on
         DROPBEAR_PORT=22

         # any additional arguments for Dropbear
         DROPBEAR_EXTRA_ARGS="-s"

         # specify an optional banner file containing a message to be
         # sent to clients before they connect, such as "/etc/issue.net"
         DROPBEAR_BANNER=""

         # RSA hostkey file (default: /etc/dropbear/dropbear_rsa_host_key)
         DROPBEAR_RSAKEY="/etc/dropbear/initramfs/dropbear_rsa_host_key"
         # DSS hostkey file (default: /etc/dropbear/dropbear_dss_host_key)
         #DROPBEAR_DSSKEY="/etc/dropbear/initramfs/dropbear_dss_host_key"

         # ECDSA hostkey file (default: /etc/dropbear/dropbear_ecdsa_host_key)
         DROPBEAR_ECDSAKEY="/etc/dropbear/initramfs/dropbear_ecdsa_host_key"

         # ED25519 hostkey file (default: /etc/dropbear/dropbear_ed25519_host_key)
         DROPBEAR_ED25519KEY="/etc/dropbear/initramfs/dropbear_ed25519_host_key"

         # Receive window size - this is a tradeoff between memory and
         # network performance
         DROPBEAR_RECEIVE_WINDOW=65536

NO_START=0 enables dropbear startup. The -s option disables password logins (for root and every other account), so only the public keys you install are accepted.

  4. Edit /etc/initramfs-tools/initramfs.conf and set BUSYBOX=y
  5. Place your public keys in /root/.ssh/authorized_keys as well as /etc/dropbear/initramfs/authorized_keys
  6. Update the initramfs:

         sudo update-initramfs -u

  7. And finally, disable sshd.service:

         systemctl stop sshd.service
         systemctl disable sshd.service

If you don’t want to disable sshd, then you have to change the dropbear port in its configuration file to something else.

  8. Reboot the server and wait for it to come back up.
  9. Now ssh into the server using the private key which corresponds to the public key placed on the server:

         ssh -i ~/.ssh/my_private.id_rsa root@<your-encrypted-server-ip>

  10. When you log in you should see a message like this:

          To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.


          BusyBox v1.30.1 (Ubuntu 1:1.30.1-7ubuntu3) built-in shell (ash)
          Enter 'help' for a list of built-in commands.

  11. Run `cryptroot-unlock` to unlock the filesystem and enter your LUKS passphrase.
  12. And we’re done! You now have access to the filesystem.
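As an added example (not code from the original post), the following POSIX shell script checks a finished setup before you reboot and find out the hard way: it verifies that the initramfs authorized_keys file holds at least one public key, verifies from an `lsinitramfs` listing that the rebuilt image really contains busybox, dropbear, the copied authorized_keys and cryptroot-unlock, and prints an ssh client config stanza that pins the initramfs host key under its own HostKeyAlias. That last piece matters if you keep sshd on another port as the post mentions: the initramfs dropbear and the post-unlock OpenSSH present different host keys for the same address, and a separate alias keeps both pinned without mismatch warnings. Paths follow the Ubuntu 22.04 dropbear-initramfs package used in the post; the key line, the listing and the host name are constructed placeholders so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-reboot checks for a
# dropbear-initramfs remote-unlock setup on Ubuntu 22.04. The sample data at
# the bottom is constructed; on a real server point the functions at
# /etc/dropbear/initramfs/authorized_keys and at the output of
# `lsinitramfs /boot/initrd.img-$(uname -r)`.

# 1. The initramfs authorized_keys must hold at least one OpenSSH public key.
#    Only public keys belong here: the initramfs image is readable by anyone
#    who can read /boot, so nothing secret should ever be copied into it.
check_authorized_keys() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0
    n=$(grep -cE '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' "$f" || true)
    [ "$n" -gt 0 ] || { echo "no public key lines in $f" >&2; return 1; }
}

# 2. The rebuilt initramfs must contain the pieces the unlock flow needs:
#    the busybox shell, the dropbear binary, the copied authorized_keys and
#    the cryptroot-unlock helper. Missing any of them means a reboot would
#    leave the server at the passphrase prompt with no way in.
check_initramfs_listing() {
    listing="$1"
    rc=0
    for pat in 'bin/busybox$' 'sbin/dropbear$' 'etc/dropbear/authorized_keys$' 'bin/cryptroot-unlock$'; do
        grep -qE "$pat" "$listing" || { echo "initramfs lacks: $pat" >&2; rc=1; }
    done
    return "$rc"
}

# 3. Client-side stanza for the unlock session. HostKeyAlias gives the
#    initramfs host key its own known_hosts entry, separate from the
#    OpenSSH key seen after unlock. Host, port and key path are placeholders.
ssh_client_config() {
    host="$1"; unlock_port="$2"; key="$3"
    printf 'Host %s-unlock\n    HostName %s\n    Port %s\n    User root\n    IdentityFile %s\n    HostKeyAlias %s-initramfs\n' \
        "$host" "$host" "$unlock_port" "$key" "$host"
}

# --- constructed sample data (not captured from a real server) ---
SAMPLE_DIR=$(mktemp -d)
GOOD_KEYS="$SAMPLE_DIR/authorized_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl admin@example\n' > "$GOOD_KEYS"
EMPTY_KEYS="$SAMPLE_DIR/authorized_keys.empty"
: > "$EMPTY_KEYS"

GOOD_LISTING="$SAMPLE_DIR/lsinitramfs.good"
cat > "$GOOD_LISTING" <<'EOF'
usr/bin/busybox
usr/sbin/dropbear
etc/dropbear/authorized_keys
usr/bin/cryptroot-unlock
scripts/local-top/cryptroot
EOF
# same listing with the hook's authorized_keys copy missing
BAD_LISTING="$SAMPLE_DIR/lsinitramfs.bad"
grep -v authorized_keys "$GOOD_LISTING" > "$BAD_LISTING"

if check_authorized_keys "$GOOD_KEYS" && check_initramfs_listing "$GOOD_LISTING"; then
    echo "sample setup passes all checks"
fi
ssh_client_config example.test 2222 ~/.ssh/unlock_key
```

On a real server, run `lsinitramfs /boot/initrd.img-$(uname -r) > /tmp/listing` after `update-initramfs -u`, then call `check_initramfs_listing /tmp/listing` and `check_authorized_keys /etc/dropbear/initramfs/authorized_keys`; a failure here costs seconds, while discovering it at the passphrase prompt of a remote machine costs a trip to the datacenter.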