
I'm a long-time Linux user, but I'm not well-versed with the newer developments, esp. wrt Ubuntu and system(d) administration.

I have a very old PC that I want to use for a file server, Mercurial repo, FTP and WWW server, and a few other small company-internal webapps I made with Django. Previously this all ran on an ancient Fedora, on an unencrypted disk, and all was launched from /etc/rc.local.

I've put in a new HDD, and got Ubuntu 18.04 LTS on it. I'm now onto restoring the services, but I want to improve as well.

First, I want the valuable data (Django database, files in the file server, ...) to be on an encrypted partition. However my experience with disk encryption is that something asks you for the passphrase during bootup. I want to avoid that, since the server won't have a monitor or a keyboard attached. Second, I want to administer the services in a bit more official ("Ubuntian") way.

Current idea

  • have the services' data on an encrypted partition, that is not listed in /etc/fstab.
  • upon restart, the server will only have sshd, but the services won't be started and the partition not mounted.
  • I'd ssh to the machine, and run a script, that mounts the partition (asking me for the passphrase), and launches the services.

The machine is on a UPS, and I expect to run the above procedure rarely (a few times a year).

Question

Is the current idea any good? Better ways to do it?

If it's good, how to implement it? I can certainly go the "total DIY way" and write a huge script with the luks commands, iptables commands to open the ports, and invoke the services' daemons directly, but I want to learn something new here and do it the proper Ubuntu way™ :)

Any pointers or code/script examples are kindly appreciated!

anrieff

2 Answers


Remote unlocking of encrypted partition

There is an easy and more or less standard way to unlock encrypted partitions on start-up, without modification of the root partition. It requires dropbear, busybox and dropbear-initramfs.

$ sudo apt install dropbear busybox dropbear-initramfs

Add busybox to initramfs

To enable busybox in the initial RAM disk, set BUSYBOX=y in /etc/initramfs-tools/initramfs.conf. The dropbear SSH host keys are stored in the /etc/dropbear-initramfs or /etc/dropbear/initramfs folder (since Ubuntu 22.04).

Add public keys to authorized_keys of dropbear

There is no user management in the initial RAM disk, so only the root user with a public key in /etc/dropbear-initramfs/authorized_keys can log in via ssh. You can add any public key or simply copy the one of your user:

$ sudo cp ~/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys

Warning: Some older dropbear versions do not support ed25519 keys.

Update initramfs with dropbear keys

After that, initial RAM disk needs to be updated:

$ sudo update-initramfs -u

That's it, now reboot the system and wait for the cryptsetup dialog.

Unlocking the system remotely

After the reboot, the system will wait for the unlocking of the encrypted device. Login via ssh with the root user and the corresponding private key.

# From a remote system
$ ssh -i ~/.ssh/my_private.id_rsa root@my.system.waiting.for.a.password.com
Enter passphrase for key '~/.ssh/my_private.id_rsa':

BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6.1) built-in shell (ash) Enter 'help' for a list of built-in commands.

cryptroot-unlock

Please unlock disk ubuntu-root: cryptsetup: ubuntu-root set up successfully

Connection to my.system.waiting.for.a.password.com closed by remote host.

Connection to my.system.waiting.for.a.password.com closed.

And the system will start with unlocked root device.

Update for Ubuntu 22.04

Brought up by Sjors Provoost - This approach stops working in Ubuntu 22.04. The reason behind it is the change in the package dependencies of dropbear-initramfs. In 20.04 this package was a recommend, in 22.04 it is a suggest. As a result, the packages will not be installed without explicit selection. In addition to that, the position of the dropbear keys changed from /etc/dropbear-initramfs to /etc/dropbear/initramfs --> Update included in answer.

Simon Sudler

Update for Ubuntu 24.10

Some files have moved around on newer versions of Ubuntu, and you don't need all the dependencies listed in the excellent answer from Simon.

Dropbear-initramfs install

sudo apt update
sudo apt install dropbear-initramfs

Setup public key

sudo pico /etc/dropbear/initramfs/authorized_keys

Insert your public key.

Config dropbear-initramfs

sudo pico /etc/dropbear/initramfs/dropbear.conf

Set Dropbear Options:

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s -c cryptroot-unlock"

Update grub etc

sudo update-initramfs -u
sudo update-grub

Now reboot

sudo reboot

Local config

You can add this to ~/.ssh/config locally:

Host myhost-crypt
    HostName 192.168.0.100
    User root
    Port 2222

(Change hostname and IP accordingly)

Now just ssh myhost-crypt and it should ask you for your decrypt password and close the connection immediately.
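Before rebooting a headless box into the initramfs it is worth confirming that the pieces both answers set up (BUSYBOX=y, an authorized_keys entry, the DROPBEAR_OPTIONS line) are actually in place, since a mistake leaves the machine stuck at the cryptsetup prompt with no console. The following pre-reboot check is an added example, not code from either answer; the file paths are the Ubuntu 22.04+ locations the answers name, and the function names are my own.

```shell
#!/bin/sh
# Pre-reboot sanity check for the dropbear-initramfs setup in the answers
# (added example, not code from either answer). Each check takes the file to
# inspect as an argument, so it runs on the live files or on test copies.
INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
AUTH_KEYS=/etc/dropbear/initramfs/authorized_keys
DROPBEAR_CONF=/etc/dropbear/initramfs/dropbear.conf

# BUSYBOX=y is required: without it the initrd has no shell for the session.
check_busybox() {
    grep -Eqs '^[[:space:]]*BUSYBOX=y[[:space:]]*$' "$1"
}

# Need at least one usable key line. ed25519 is accepted but flagged because
# the first answer warns that older dropbear builds do not support it.
check_authorized_keys() {
    grep -Eqs '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$1" \
        || { echo "no usable public key in $1" >&2; return 1; }
    grep -qs '^ssh-ed25519 ' "$1" \
        && echo "note: ed25519 key present; older dropbear may reject it"
    return 0
}
# Last uncommented DROPBEAR_OPTIONS="..." value; empty if unset or file missing.
dropbear_options() {
    sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$1" 2>/dev/null | tail -n 1
}
# Port dropbear listens on (the -p value), defaulting to 22.
dropbear_port() {
    port=$(dropbear_options "$1" | sed -n 's/.*-p \([0-9]\{1,5\}\).*/\1/p')
    echo "${port:-22}"
}
# True when -c cryptroot-unlock is set (second answer); otherwise the admin
# types cryptroot-unlock after logging in (first answer).
dropbear_forced_unlock() {
    case " $(dropbear_options "$1") " in *" -c cryptroot-unlock "*) return 0 ;; esac
    return 1
}

run_checks() {
    check_busybox "$INITRAMFS_CONF" || { echo "BUSYBOX=y missing" >&2; return 1; }
    check_authorized_keys "$AUTH_KEYS" || return 1
    echo "dropbear will listen on port $(dropbear_port "$DROPBEAR_CONF")"
    dropbear_forced_unlock "$DROPBEAR_CONF" && echo "login runs cryptroot-unlock" \
        || echo "run cryptroot-unlock manually after login"
    echo "then: sudo update-initramfs -u && sudo update-grub, and reboot"
}
# Only run the live checks when invoked as: sh precheck.sh check
if [ "${1:-}" = "check" ]; then run_checks; fi
```

Run it as root with the `check` argument after editing the files and before `update-initramfs -u`; a non-zero exit means the reboot would strand the machine at the passphrase prompt.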