Dropbear to remote unlock encrypted root

Hello

I would like to be able to unlock my desktop with the keyboard and remotely with dropbear.
Both /root and /home are encrypted with luks.
So far I installed dropbear, mkinitcpio-dropbear, mkinitcpio-busybox, mkinitcpio-netconf, mkinitcpio-nfs-utils, mkinitcpio-openswap and mkinitcpio-utils. According to the tutorials I found, I tried to configure dropbear to start right at startup and made it listen on port 222. As far as I can tell dropbear only starts after I typed the first password (which obviously is too late). And now I’m stuck.

Can someone help me out? (I can provide the necessary information, but I’m unsure what is necessary.)
Are there up-to-date instructions somewhere that actually work?

Kind regards
klinge

And you will be stuck at that point - although it could be interesting what tutorials you used.

Why will you be stuck?
Because your dropbear will need the system to run it - which will only start and run after it is booted - which will never happen without you somehow unlocking the encrypted root at least.

IMO

… it would be a different matter if the system is already up and running
but just the desktop is “locked” somehow


At least a separate unencrypted boot partition with unencrypted kernel/initrd will be needed. Maybe it is easier to just leave the whole root unencrypted.


This one works.
dm-crypt/Specialties - ArchWiki

You just need to decide if you want a systemd based initramfs or a Busybox based initramfs. Of course you can’t use a system that also encrypts the initramfs images. It either needs to be on an unencrypted boot partition or the image needs to be on your ESP.

If you need Wifi it is way more complex, so first do it only over Ethernet.

If you enabled and started any dropbear service you did it wrong. Stop and start over. Also be prepared to manually open and chroot into your install from a live system; it might be necessary if you messed something up.


Hi xybbu

Thanks, that was one of the pages I used (but I started off with another one). /boot is unencrypted and I believe the initramfs images are on /boot. Anyway, I’m not sure if I got it correctly:

  1. Install:
    mkinitcpio-netconf
    mkinitcpio-dropbear
    mkinitcpio-utils

  2. Key:
    copy the public ssh key to /etc/dropbear/root_key

  3. Initramfs hooks:
    Add netconf dropbear encryptssh hooks before filesystems to /etc/mkinitcpio.conf

  4. Boot loader:
    Here I’m not sure: the boot loader config is /etc/default/grub, correct?
    If I assign the IP with the router, then I can just add ip=dhcp, correct?
    And the correct line is GRUB_CMDLINE_LINUX_DEFAULT=, correct?

What about the port dropbear is listening to, which one is it and can I change it somewhere?
Is that it?

This is good but not the only requirement. On a default Manjaro install, the Root partition will be opened by grub. It is important that the unlock happens later. The notable difference is that you will have multiple tries to put the correct password in. With grub you need to hard reset your system if you try the wrong password.

Make sure to replace encrypt with encryptssh. If you don’t have the encrypt hook, it can’t work.

If you use grub, the correct config file would be /etc/default/grub

Yes.

The user name is root and the port is 22. It can’t be changed with a config file.

However, if it works, you can create your own mkinitcpio-dropbear package with a customized dropbear command. (Or edit the dropbear_hook file and change it, keep in mind that it will be reverted if the package gets updated.)

If you use a busybox initramfs and an old LUKS1 container. The problem with mkinitcpio-utils is that the package is extremely old. For example, see:
Lacking support for LUKS2 devices with dm-integrity · Issue #19 · grazzolini/mkinitcpio-utils · GitHub
Nowadays a systemd based initramfs is more modern. However, if you don’t use it at the moment, you also need to change your LUKS setup.
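As an added example that is not part of this thread or of the mkinitcpio packages, here is a small POSIX shell check for the HOOKS line discussed in the steps and the reply above. It assumes the ArchWiki layout (netconf, dropbear, encryptssh in that order, all before filesystems) and that the plain encrypt hook has been removed; the HOOKS strings and the config file are constructed samples, not a real /etc/mkinitcpio.conf.

```shell
#!/bin/sh
# Added example: verify the mkinitcpio HOOKS layout needed for a dropbear unlock.
# netconf must bring the network up before dropbear starts, dropbear must be
# running before encryptssh asks for the LUKS passphrase, and all three must sit
# before filesystems. A leftover plain 'encrypt' hook means the remote unlock
# never gets a chance, which matches the symptom in the first post.

# check_hooks "<space separated hook list>": prints a verdict, returns 0 if OK.
check_hooks() {
    i=0
    netconf=-1; dropbear=-1; encryptssh=-1; filesystems=-1; encrypt=-1
    for h in $1; do
        i=$((i + 1))
        case "$h" in
            netconf)     netconf=$i ;;
            dropbear)    dropbear=$i ;;
            encryptssh)  encryptssh=$i ;;
            encrypt)     encrypt=$i ;;
            filesystems) filesystems=$i ;;
        esac
    done
    if [ "$encrypt" -ge 0 ]; then
        echo "plain 'encrypt' hook still present: replace it with encryptssh"; return 1
    fi
    for name in netconf dropbear encryptssh filesystems; do
        eval "pos=\$$name"
        if [ "$pos" -lt 0 ]; then echo "missing hook: $name"; return 1; fi
    done
    if [ "$netconf" -lt "$dropbear" ] && [ "$dropbear" -lt "$encryptssh" ] \
       && [ "$encryptssh" -lt "$filesystems" ]; then
        echo "HOOKS order OK"; return 0
    fi
    echo "hooks out of order: need netconf dropbear encryptssh before filesystems"; return 1
}

# hooks_from_conf <file>: extract the hook list from a HOOKS=(...) line.
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1"
}

# Constructed samples: a default-style line that still uses 'encrypt', and the fixed one.
BAD_HOOKS="base udev autodetect modconf block keyboard keymap encrypt filesystems fsck"
GOOD_HOOKS="base udev autodetect modconf block keyboard keymap netconf dropbear encryptssh filesystems fsck"

# Constructed sample config written to a temp file so the parser runs offline.
SAMPLE_CONF=$(mktemp)
printf 'MODULES=()\nHOOKS=(%s)\n' "$GOOD_HOOKS" > "$SAMPLE_CONF"
check_hooks "$(hooks_from_conf "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF"
```

Point hooks_from_conf at /etc/mkinitcpio.conf to check the real file before regenerating the initramfs.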

Thanks for your help. I did not find the time to fiddle with the machine, but two things are still unclear to me:

I have a new manual installation of manjaro. The only customisation is a separate partition for /home. I have 3 tries to get the password correct. And as far as I can tell I type the password after grub (there is a manjaro logo visible and the grub menu I already passed). So I guess that is fine.

I think I have LUKS 1 (I thought manjaro is up to date?) If I understood your link correctly that is good, is it?

whatever that might mean …

that is strange - for a default encrypted installation