Headless server and disk encryption
Posted on 2019-11-26
As an enthusiast of encryption, it always felt a little strange that my servers kept all of their data in the clear. But the problem with encrypting a headless server is that, inevitably, you have to reboot it. So how do you connect to your server and unlock the drive before it boots? It's quite the catch-22.
Enter dropbear, a very small SSH server. This server is so tiny, it can be embedded in your initramfs and run at boot. You can connect to your server, unlock your boot drive, and allow the boot process to proceed. Fantastic!
Here's a short summary of how to do things in Debian 10 (Buster). These commands need to be run as root:
- Install the dropbear-initramfs package (should install busybox-static)
- Copy your SSH public key into /etc/dropbear-initramfs/authorized_keys
- Run update-initramfs -u & reboot
- Connect to the dropbear server by running ssh root@yourserver.com
- Run cryptroot-unlock to unlock your boot drive
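As an added example (not from the original post), a POSIX shell script that hardens step 2 and checks the result of step 3: it writes the key into /etc/dropbear-initramfs/authorized_keys with dropbear's authorized_keys options so the key can do nothing but run cryptroot-unlock, then lists the rebuilt initramfs with lsinitramfs to confirm dropbear, the key file and the unlock script actually made it in. The /bin/cryptroot-unlock path inside the initramfs and the Debian 10 file locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Debian 10 paths
# (/etc/dropbear-initramfs/authorized_keys, lsinitramfs from
# initramfs-tools) and that the unlock script lands at /bin/cryptroot-unlock
# inside the initramfs.
set -eu

# Wrap a public key line in dropbear's authorized_keys restrictions, so a
# leaked key can only reach the passphrase prompt, not a shell or a tunnel.
# $1: public key line, e.g. "ssh-ed25519 AAAA... user@host"
restrict_key() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$1"
}

# Check an lsinitramfs listing (one path per line, saved in file $1) for the
# three pieces an unlock-over-SSH boot needs. Matches on the file name only,
# since the exact directories depend on the hook scripts. Returns 0 if all
# are present, 1 otherwise.
check_listing() {
    missing=0
    for needed in dropbear authorized_keys cryptroot-unlock; do
        if ! grep -q "/$needed\$" "$1"; then
            echo "missing from initramfs: $needed" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Install the restricted key, rebuild the initramfs and verify its contents.
# Run as root on the server; $1 is the path to the .pub file to authorise.
verify_host() {
    restrict_key "$(cat "$1")" > /etc/dropbear-initramfs/authorized_keys
    chmod 600 /etc/dropbear-initramfs/authorized_keys
    update-initramfs -u
    listing=$(mktemp)
    lsinitramfs "/boot/initrd.img-$(uname -r)" > "$listing"
    check_listing "$listing"
    rm -f "$listing"
}
```

With the command= restriction in place, ssh root@yourserver.com drops straight into the passphrase prompt, so the last step runs on its own.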
This is just the beginning of my setup. Eventually, I would like another machine to automatically unlock my servers for me - but that will take several more steps that are not in place yet. For now, this is a fairly straightforward technique for encrypting headless, remote servers without worrying about reboots!