Set of shell scripts to allow unlocking of full disk encrypted Ubuntu and Debian installs through console, USB-key or SSH.
Switch branches/tags
Nothing to show
Clone or download
chadoe Merge pull request #13 from p4xel/master
Update to reflect changes to dropbear-initramfs
Latest commit c3bdbc3 Jul 7, 2017
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md Fix ubuntu 16.04 update-initramfs error. Apr 23, 2016
crypto-usb-key.sh Declare variables as local. Feb 13, 2015
install.sh Update to reflect changes to dropbear-initramfs Jul 1, 2017

README.md

luks-triple-unlock

Set of shell scripts to allow unlocking of full disk encrypted Ubuntu and Debian installs through console, USB-key or SSH.

Use at your own risk, I'm not responsable for any damage this script might do to your system, make backups, make sure you have a safe boot option, test it in a VM first... etc. etc.

Tested on:

  • Ubuntu server 14.10-16.04 (no desktop)
  • Debian 7.8-8.3 (no desktop)

Usage:

  • Install Ubuntu server or Debian with full disk encrypted LVM
  • sudo apt-get install -y git-core
  • git clone --depth 1 https://github.com/chadoe/luks-triple-unlock.git && cd luks-triple-unlock
  • sudo ./install.sh [keyfile], it will ask you for the passphrase for the luks drive, keyfile is a path to a file you want to use as a key for the luks volume, this file will be read from an USB flash drive ext(2/3/4)/fat32/ntfs partition on boot. If no keyfile provided on the commandline a file .keyfile will be generated in the current directory.
  • sudo reboot

Ways to unlock your machine:

  • from the console
  • from SSH. Copy /etc/initramfs-tools/root/.ssh/id_rsa, this is the private key you need to log into dropbear (no password, root@machinename). When you connect it will ask you for the passphrase to unlock the machine.
  • with an USB flash drive. Copy .keyfile (or the file you provided on the commandline to ./install.sh) to any ext(2/3/4)/fat32/ntfs partition on an USB flash drive. Stick it in the machine and boot, it should boot straight through.

Optional:

  • edit /etc/initramfs-tools/conf.d/dropbear, edit PKGOPTION_dropbear_OPTION="-s -p 22", -s disallows password logins, -p set the ssh port.
  • the ip-address wil be set by dhcp, if you don't have your router configured to hand out semi-fixed ip's by mac or you have multiple network interfaces or just want to set a fixed ip you should probably edit /etc/initramfs-tools/conf.d/dropbear and change the IP value:
  # See http://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt.
  #IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
  #IP=10.10.1.199::10.10.1.1:255.255.255.0::eth0:off
  #IP=192.168.1.99::192.168.1.1:255.255.255.0::wlan0:off
  #IP=192.168.1.99::192.168.1.1:255.255.255.0::wlan0:dhcp
  #IP=:::::wlan0:dhcp
  #IP=dhcp
  • sudo update-initramfs -u -k $(uname -r) to apply the changes.