luks-triple-unlock's People

Contributors

chadoe, p4xel

luks-triple-unlock's Issues

Decrypting Multiple Files Through Dropbear

I have multiple encrypted volumes that I would like to decrypt using dropbear. However, the connection dies after the first entry in /etc/crypttab is decrypted.

I can't use a keyfile, as my setup requires that both drives be decrypted before the root and home file systems are mounted.

How would I run a dropbear session for each crypttab entry?

Dropbear SSH key

Cannot connect to dropbear using an SSH key pair.
Looks like there is an issue with the SSH authorized_keys file while generating the initramfs image:

update-initramfs: Generating /boot/initrd.img-4.4.0-62-generic
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via ssh won't work!

Update:
The location of authorized_keys has changed and is now in /etc/dropbear-initramfs/. After moving it there and changing permissions to 600, it works like a charm.

If I don't plug in eth0 it cannot start

I just copied the .keyfile to my USB storage and rebooted the system. It shows that loading the key from USB storage was successful,
but it also prints something like "IP-Config xxxxx mtu 1500 DHCP ..." in a loop.

Can I just disable entering the password from the console and only use the function that loads the key from USB?

Publish own script which is based on this script?

Recently I have combined this script with a script to use a key written in the sector between the MBR and the first partition, and I have adapted these scripts to generate an automated install script to fit my personal needs. Because maybe someone will find this helpful, I would like to publish this script.
Unfortunately I was not able to find a license file for this script or another way to contact you, so I wanted to ask you for your permission to publish my script, in which you and your script will be explicitly mentioned.

Thanks in advance!

Ubuntu Desktop Support

I would like to use your luks-triple-unlock script with Ubuntu 14.04 LTS Desktop. I already did a Clonezilla backup, but since you didn't test it with the Desktop version, I want to ask if there is any reason to think that it might not be compatible.

Luks unlock from SSH

I'm trying to unlock a freshly installed Debian server over SSH with the luks-triple-unlock scripts installed.
But where do I copy /etc/initramfs-tools/root/.ssh/id_rsa?
Thanks.

USB keyfiles for multiple partitions?

Greetings!

Thank you for this great collection which made setting up alternate ways to unlock my server a breeze. The only problem I've run into is that I have two partitions to unlock but lack the expertise to configure this setup to unlock both using USB keyfiles. Could you point me in the right direction? I see that http://wejn.org/how-to-make-passwordless-cryptsetup.html references "multiple devices" but I'm not quite sure I understand it.

Thanks!

Multiple installs mangle the /etc/crypttab and /etc/initramfs-tools/modules files.

The install.sh appends the needed modules to the /etc/initramfs-tools/modules file, even when the modules are already present. I found out because I ran dash instead of bash and ended up with an "-e vfat" line in the modules file (dash doesn't understand the -e option). A subsequent install.sh just appended the needed modules once again, resulting in duplicate entries. Also, the /etc/crypttab file ends up with multiple keyscript= entries. Otherwise, excellent scripts.
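
An idempotent way to make the two edits this issue describes, shown as an added example that is not part of the original issue or of the project's install.sh. The function names are hypothetical, and the keyscript path passed to ensure_keyscript is whatever location your install actually uses.

```shell
#!/bin/sh
# Added example, not taken from install.sh. File paths are arguments so the
# functions can be tried on scratch copies before touching /etc.

# ensure_module FILE MODULE
# Append MODULE only when no existing line is exactly MODULE. printf is used
# instead of "echo -e", which dash prints literally (the "-e vfat" line).
ensure_module() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# ensure_keyscript FILE SCRIPT
# Add keyscript=SCRIPT to the options (4th) field of each crypttab entry that
# does not already carry a keyscript= option. Comments and blanks are kept.
ensure_keyscript() {
    tmp=$(mktemp) || return 1
    awk -v ks="$2" '
        NF < 2 || $1 ~ /^#/ { print; next }        # blank, comment or malformed
        ("," $4) ~ /,keyscript=/ { print; next }   # already configured
        {
            if (NF < 3) $3 = "none"                # no key file column given
            $4 = (NF < 4 || $4 == "") ? ("keyscript=" ks) : ($4 ",keyscript=" ks)
            print
        }' "$1" > "$tmp" && cat "$tmp" > "$1"      # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run against /etc/initramfs-tools/modules and /etc/crypttab, repeated calls leave both files unchanged after the first; regenerate the image with update-initramfs -u afterwards.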

Debian 9.0 Stretch.

Got it working for Debian 9 Stretch. However, had to make the following changes.
Needed some extra delay for slow computers to find the USB key file.
Needed nls_ascii module for newer kernels in order to read the USB key file.
No need to install dropbear package but only dropbear-initramfs package.
Fixed the path of the id_rsa.pub file.
Unlock: ssh -i id_rsa -o HostKeyAlgorithms=ssh-rsa [email protected]
After typing the passphrase the computer unlocks but the remote computer no longer responds.

  • Change the "MAX_SECONDS=2" line into "MAX_SECONDS=5" in the crypto-usb-key.sh file.

  • Add the following line to the install.sh file.
    grep -q '^nls_ascii$' /etc/initramfs-tools/modules || echo 'nls_ascii' >> /etc/initramfs-tools/modules

  • Change the following lines in the install.sh file.
    # before
    apt-get install -y dropbear initramfs-tools busybox
    # after
    apt-get install -y dropbear-initramfs initramfs-tools busybox

    # before
    cat /etc/dropbear-initramfs/id_rsa/id_rsa.pub >>/etc/dropbear-initramfs/authorized_keys
    # after
    cat /etc/dropbear-initramfs/id_rsa.pub >>/etc/dropbear-initramfs/authorized_keys

License file missing

I didn't see a license identified here, is this MIT licensed like some of your other projects?

Thanks!

Dropbear configuration is missing.

Did you test with SSH? It seems that dropbear is not started and configured. The script should append something like (see below) to the /etc/initramfs-tools/initramfs.conf file.

DROPBEAR=y
# See http://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt.
#IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
IP=10.10.1.199::10.10.1.1:255.255.255.0::eth0:off

DROPBEAR=y
# See http://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt.
#IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
#IP=192.168.1.99::192.168.1.1:255.255.255.0::wlan0:off
#IP=192.168.1.99::192.168.1.1:255.255.255.0::wlan0:dhcp
IP=:::::wlan0:dhcp

I managed to get dropbear and wireless working in initramfs and was able to unlock the OS through my wireless router (not very secure though, I guess).
