Fedora encrypted disk unlocking via SSH
Introduction
Since my keyboard and mouse are paired to my computer via Bluetooth and I always encrypt my hard drives with LUKS2, I ran into a chicken-and-egg problem. At this early boot stage the Bluetooth stack is not yet running, so I can’t enter my passphrase. The simplest solution is a wired keyboard, but then I would have multiple keyboards on the table and less space. Fortunately there is gsauthof/dracut-sshd, a Dracut module that provides SSH access to the initramfs early user space. As soon as you have authenticated with your SSH key, you can unlock the system. After the passphrase has been entered successfully, the SSH session is closed and the boot process continues on the decrypted disk.
The documentation of this Dracut module is well structured and easy to understand, so I recommend everyone to have a look at the project repository. Since I have gone through the setup process on Fedora a number of times, I still thought a short write-up would be useful.
This guide was created on a Fedora 37 system.
Installation
In the first step we enable the Copr repository that belongs to the Dracut module and install the package. A dependency called dracut-network may be installed as well; this module is necessary to establish a network connection in the early boot phase.
dnf copr enable gsauthof/dracut-sshd
dnf install dracut-sshd
In the next step we add two parameters to the kernel options in /etc/default/grub:
- rd.neednet=1 to make the network stack available
- ip=dhcp so that the first network interface can get an IP address from DHCP (WARNING: footgun)
If the system has multiple active network ports, the IP configuration is handled on a first come, first served basis. In the worst case, it is then not possible to reach the machine via the actually desired network and to unlock it accordingly. This can be prevented by specifying the desired network interface and possibly even the entire IP configuration in the parameter.
For example a static IP configuration:
ip=192.168.180.120::192.168.180.1:255.255.255.0::enp1s0:off
Or a dynamic one with specified interface:
ip=enp1s0:dhcp
More information about IP networking in early user space:
The modification in /etc/default/grub should look something like this:
GRUB_CMDLINE_LINUX="resume=/dev/mapper/server-swap rd.luks.uuid=luks-**** rd.lvm.lv=server/root rd.md.uuid=**** rd.lvm.lv=server/swap rhgb quiet rd.neednet=1 ip=dhcp"
In the next step, we need to activate the new boot configuration. To do this, we execute the following commands:
grub2-mkconfig -o /etc/grub2.cfg
grub2-mkconfig -o /etc/grub2-efi.cfg
For successful authentication to the SSH server, we need to make sure that an authorized key is configured for the root user:
mkdir -p /root/.ssh
chmod 700 /root/.ssh
cat id_rsa.pub >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
On recent Fedora installations root accounts are locked with ! instead of * in /etc/shadow by default.
According to the documentation of the module it is sufficient to specify an asterisk instead of an exclamation mark.
This is unfortunately wrong and another footgun!
Instead, a password must be set for the root user. Don’t worry: in the default OpenSSH server configuration, password login for the superuser is forbidden, so the system does not become less secure.
passwd
Changing password for user root.
New password: *******
Finally we can now update the initramfs configuration with Dracut:
dracut -f -v
The following modules should now appear in the output of the command:
dracut: *** Including module: network ***
dracut: *** Including module: sshd ***
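Before rebooting it is worth checking the two footguns above (a bare ip=dhcp that is not pinned to an interface, and a root account still locked with ! or *) together with the kernel parameters and the rebuilt initramfs. The script below is an added example, not part of the original post or of the dracut-sshd project; the function names are my own, and each check takes a file path so it can be run against constructed sample files as well as the real /etc/default/grub and /etc/shadow (the initramfs check uses lsinitrd from dracut).

```shell
# Pre-reboot checks for the dracut-sshd setup above (added example, not part of
# the project). Functions take file paths, so they also run on sample files.

# Print the value of GRUB_CMDLINE_LINUX from a grub defaults file.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# 0 if rd.neednet=1 and an ip= parameter are both on the kernel command line.
check_kernel_params() {
    cmdline=" $(grub_cmdline "$1") "
    case "$cmdline" in *" rd.neednet=1 "*) ;; *) echo "missing rd.neednet=1" >&2; return 1 ;; esac
    case "$cmdline" in *" ip="*) ;; *) echo "missing ip= parameter" >&2; return 1 ;; esac
}

# 0 if ip= names an interface (ip=enp1s0:dhcp or the static form); 1 for a bare
# ip=dhcp, which binds to whichever NIC gets a lease first (the footgun above).
check_ip_pinned() {
    ipval=$(grub_cmdline "$1" | tr ' ' '\n' | sed -n 's/^ip=//p' | head -n 1)
    case "$ipval" in ""|dhcp|on|any|dhcp6|auto6) return 1 ;; *) return 0 ;; esac
}

# 0 if root has a real password hash in a shadow-format file; 1 if the field
# is "!" or "*" (both leave the initramfs root login unusable) or empty.
check_root_unlocked() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in ""|"*"|'!'*) return 1 ;; *) return 0 ;; esac
}

# 0 if the initramfs lists the sshd dracut module (pass an image path, or
# nothing for the running kernel's image).
check_initrd_has_sshd() {
    lsinitrd "$@" | grep -qw sshd
}

# Run the offline checks and report; exit status is non-zero if any failed.
run_all_checks() {
    rc=0
    check_kernel_params "$1" || rc=1
    check_ip_pinned "$1" || echo "warning: ip= not pinned to an interface" >&2
    check_root_unlocked "$2" || { echo "root is locked in $2" >&2; rc=1; }
    return $rc
}

# Usage on a live system: sh check-dracut-sshd.sh --live
if [ "${1:-}" = "--live" ]; then
    run_all_checks /etc/default/grub /etc/shadow && check_initrd_has_sshd
fi
```

An unpinned ip=dhcp only produces a warning, since it works on single-NIC machines; a locked root account or a missing kernel parameter fails the run.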
After restarting the system, the decryption prompt appears as usual. Additionally, we can now connect to the machine via SSH to enter the password.
~ $ ssh root@fedora.zaage.it
Welcome to the early boot SSH environment. You may type
systemd-tty-ask-password-agent
(or press "arrow up") to unlock your disks.
This shell will terminate automatically a few seconds after the
unlocking process has succeeded and when the boot proceeds.
initramfs-ssh:/root# systemd-tty-ask-password-agent
🔐 Please enter passphrase for disk Samsung SSD 980 500GB (luks-****): **************
initramfs-ssh:/root# Connection to fedora.zaage.it closed by remote host.
Connection to fedora.zaage.it closed.
Hint
I recommend everyone to fully encrypt dedicated servers. With dracut-sshd, unlocking is now much easier and does not need a BMC or remote KVM. On my Hetzner server I was able to configure this module without a KVM using chroot and a rescue image.
If you prefer a completely passwordless but network-bound solution, you may like to read on here: