chadoe / luks-triple-unlock
Set of shell scripts to allow unlocking of full disk encrypted Ubuntu and Debian installs through console, USB-key or SSH.
I have multiple encrypted volumes that I would like to decrypt using dropbear. However, the connection dies after the first entry in /etc/crypttab is decrypted.
I can't use a keyfile as my setup requires that both drives be decrypted before the root and home file systems are mounted.
How would I run a dropbear session for each crypttab entry?
Cannot connect to dropbear using SSH key pair
Looks like there is an issue with SSH authorized_keys while generating the initramfs image:
update-initramfs: Generating /boot/initrd.img-4.4.0-62-generic
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via ssh won't work!
Update:
The location of authorized_keys has changed and is now in /etc/dropbear-initramfs/. After moving it there and changing permissions to 600 it works like a charm.
I just copy the .keyfile to my USB storage and reboot the system; it shows that loading the key from USB storage was successful,
but it also loops printing something like "IP-Config xxxxx mtu 1500 DHCP ...".
Can I just disable password input from the console and only use the function that loads the key from USB?
Recently I have combined this script with a script to use a key written in the sector between the MBR and the first partition, and I have adapted these scripts to generate an automated install script to fit my personal needs. Because someone might find this helpful, I would like to publish this script.
Unfortunately I was not able to find a License file for this script or another way to contact you, so I wanted to ask you for your allowance to publish my script, in which you and your script will be explicitly mentioned.
Thanks in advance!
I would like to use your luks-triple-unlock script with Ubuntu 14.04 LTS Desktop. I already did a Clonezilla backup, but since you didn't test it with the Desktop version, I want to ask if there is any reason to think that it might not be compatible?
Your script works great. But FYI, if you're working with a network without DHCP, you have to specify a static IP during the initramfs, otherwise you're going to get locked out.
You need to add a line "IP=" with your settings to /etc/initramfs-tools/initramfs.conf.
See https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/ for reference.
I'm trying to unlock a freshly installed Debian server via SSH with the luks-triple-unlock scripts installed.
But where should I copy /etc/initramfs-tools/root/.ssh/id_rsa?
Thanks.
Greetings!
Thank you for this great collection which made setting up alternate ways to unlock my server a breeze. The only problem I've run into is that I have two partitions to unlock but lack the expertise to configure this setup to unlock both using USB keyfiles. Could you point me in the right direction? I see that http://wejn.org/how-to-make-passwordless-cryptsetup.html references "multiple devices" but I'm not quite sure I understand it.
Thanks!
The install.sh appends the needed modules to the /etc/initramfs-tools/modules file, even when the modules are already present. I found out because I ran dash instead of bash and ended up with an "-e vfat" line in the modules file (dash doesn't understand the -e option). A subsequent install.sh just appended the needed modules once again, resulting in duplicate entries. Also, the /etc/crypttab file ends up with multiple keyscript= entries. Otherwise, excellent scripts.
Got it working for Debian 9 Stretch. However, I had to make the following changes.
Needed some extra delay for slow computers to find the USB key file.
Needed the nls_ascii module for newer kernels in order to read the USB key file.
No need to install the dropbear package, only the dropbear-initramfs package.
Fixed the path of the id_rsa.pub file.
Unlock: ssh -i id_rsa -o HostKeyAlgorithms=ssh-rsa [email protected]
After typing the passphrase the computer unlocks, but the remote computer no longer responds.
Change the "MAX_SECONDS=2" line into "MAX_SECONDS=5" in the crypto-usb-key.sh file.
Add the following line to the install.sh file.
grep -q '^nls_ascii$' /etc/initramfs-tools/modules || echo 'nls_ascii' >> /etc/initramfs-tools/modules
Change the following lines in the install.sh file.
  apt-get install -y dropbear initramfs-tools busybox
to
  apt-get install -y dropbear-initramfs initramfs-tools busybox
and
  cat /etc/dropbear-initramfs/id_rsa/id_rsa.pub >>/etc/dropbear-initramfs/authorized_keys
to
  cat /etc/dropbear-initramfs/id_rsa.pub >>/etc/dropbear-initramfs/authorized_keys
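An added shell example (not code from the luks-triple-unlock repository or from any poster) for the duplicate-entry problem reported above: the same whole-line grep guard used for the nls_ascii line, generalised to any module, plus an awk pass that leaves exactly one keyscript= option on each crypttab entry no matter how often it is re-run. The keyscript path /path/to/crypto-usb-key.sh is a placeholder, and the demo runs on constructed temp copies, never on /etc.

```shell
#!/bin/sh
# Idempotent edits for the two files install.sh rewrites on each run.
# Plain echo (no -e) keeps the helpers correct under dash as well as bash.

# Append MODULE to MODULES_FILE unless an identical line is already there.
add_module_once() {
    modules_file=$1
    module=$2
    [ -f "$modules_file" ] || : > "$modules_file"
    grep -qxF -- "$module" "$modules_file" || echo "$module" >> "$modules_file"
}

# Give every crypttab entry exactly one keyscript=KEYSCRIPT option: existing
# keyscript= options (duplicates included) are dropped, then one is appended.
# Fields are re-emitted space separated; comments and blank lines pass through.
set_crypttab_keyscript() {
    crypttab=$1
    keyscript=$2
    tmp=$(mktemp) || return 1
    awk -v ks="$keyscript" '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            key = (NF >= 3) ? $3 : "none"      # "none" means prompt for a passphrase
            n = split($4, opts, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == "" || opts[i] ~ /^keyscript=/) continue
                out = (out == "") ? opts[i] : (out "," opts[i])
            }
            out = (out == "") ? ("keyscript=" ks) : (out ",keyscript=" ks)
            print $1, $2, key, out
        }' "$crypttab" > "$tmp" && cat "$tmp" > "$crypttab"   # cat keeps mode/owner
    status=$?
    rm -f "$tmp"
    return $status
}

# Demo on constructed temp copies, so a stand-alone run never touches /etc.
demo_dir=$(mktemp -d)
printf 'vfat\n' > "$demo_dir/modules"
add_module_once "$demo_dir/modules" vfat        # already listed: unchanged
add_module_once "$demo_dir/modules" nls_ascii   # appended once
add_module_once "$demo_dir/modules" nls_ascii   # second run: still once
printf 'sda5_crypt UUID=0000 none luks,keyscript=/old,keyscript=/old\n' > "$demo_dir/crypttab"
set_crypttab_keyscript "$demo_dir/crypttab" /path/to/crypto-usb-key.sh   # placeholder path
cat "$demo_dir/modules" "$demo_dir/crypttab"
rm -rf "$demo_dir"
```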
I didn't see a license identified here, is this MIT licensed like some of your other projects?
Thanks!
Did you test with SSH? It seems that dropbear is not started and configured. The script should append something like (see below) to the /etc/initramfs-tools/initramfs.conf file.
DROPBEAR=y
# See http://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt.
#IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
IP=10.10.1.199::10.10.1.1:255.255.255.0::eth0:off
DROPBEAR=y
# See http://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt.
#IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
#IP=192.168.1.99::192.168.1.1:255.255.255.0::wlan0:off
#IP=192.168.1.99::192.168.1.1:255.255.255.0::wlan0:dhcp
IP=:::::wlan0:dhcp
I managed to get dropbear and wireless working in initramfs and am able to unlock the OS through my wireless router (not very secure though, I guess).
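As an added example, not part of the repository or of any post in this thread, a check for the IP= value before the initramfs is rebuilt, since a malformed static setting is exactly the lock-out described earlier in the thread. It accepts the static (...:eth0:off) and DHCP (:::::wlan0:dhcp) forms quoted above; the field order and the autoconf keywords are those documented in the nfsroot.txt reference the config comment cites.

```shell
#!/bin/sh
# Check an initramfs IP= value before rebuilding the initrd: a malformed or
# incomplete static setting leaves dropbear unreachable at the unlock prompt.
# Field order: client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf

# 0 if $1 is a dotted quad with octets 0-255, 1 otherwise.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# 0 if SPEC is acceptable, 1 otherwise (reason on stderr).
check_ip_spec() {
    spec=$1
    case $spec in
        dhcp|bootp|rarp|both|on|any) return 0 ;;   # single-word autoconf forms
    esac
    [ "$(echo "$spec" | awk -F: '{ print NF }')" = 7 ] ||
        { echo "IP=$spec: need 7 colon-separated fields" >&2; return 1; }
    IFS=: read -r client server gw mask host dev autoconf <<EOF
$spec
EOF
    case $autoconf in
        off|none|on|any|dhcp|bootp|rarp|both) ;;
        *) echo "IP=$spec: unknown autoconf '$autoconf'" >&2; return 1 ;;
    esac
    for addr in "$client" "$server" "$gw" "$mask"; do
        [ -z "$addr" ] || is_ipv4 "$addr" ||
            { echo "IP=$spec: '$addr' is not an IPv4 address" >&2; return 1; }
    done
    case $autoconf in
        off|none)   # static: without an address and netmask there is no network
            [ -n "$client" ] && [ -n "$mask" ] ||
                { echo "IP=$spec: static setting needs client-ip and netmask" >&2; return 1; }
            ;;
    esac
    return 0
}

# Demo on the two settings quoted in the thread plus a truncated (6-field) one.
for s in "10.10.1.199::10.10.1.1:255.255.255.0::eth0:off" ":::::wlan0:dhcp" \
         "10.10.1.199::10.10.1.1:255.255.255.0::eth0"; do
    if check_ip_spec "$s"; then echo "ok:  IP=$s"; else echo "bad: IP=$s"; fi
done
```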