Setup Dropbear to unlock Debian on the Libre Computer "Renegade" over your Local Network

ISSUED: 2023-11-18
EDITED: 2024-08-12

📢 this gemlog is part of series use the link below to go the main menu!

=> Make a StealthBox with Devuan and Libre Computer Renegade

Intro

In a previous gemlog I illustrated how to installed Debian over an encrypted file-system, perhaps you want to connect to this board remotely and therefore you need to unlock it from your terminal otherwise you need at least a keyboard plugged into, and this is not very handy.

=> Install Debian on Libre Computer "Renegade" with encrypted filesystem

Webography

As usual the most relevant sources that helped me out:

=> Ask Ubuntu: Set up eth0 network interface using DHCP in initramfs [1] | nixCraft: How to unlock LUKS using Dropbear SSH keys remotely in Linux [2] | Daniel Wayne Armstrong: Remotely unlock a LUKS-encrypted Linux server using Dropbear [3] | The Debian Administrator's Handbook: 8.2. Configuring the Network [4] | Paolo Brocco Works: Ubuntu guide: Dropbear SSH server to unlock LUKS encrypted PC [5]

Preparation: revert to legacy network interface names

The "Predictable Network Interfaces Names" introduced by systemd (🤦) perhaps is very useful when you have to handle a server rack with dozen of NICs; but with a board with just one ethernet port it is just dumb, better reverting the kernel to the legacy scheme adding the following options to grub:

• net.ifnames=0 (restores the default kernel behavior — cit.[4])
• biosdevname=0 (kernel parameters to achieve that — cit.[4])

As ROOT user:

micro /etc/default/grub

## GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"

update-grub

Now modify the file: /etc/network/interfaces

auto lo
iface lo inet loopback

# eth0
auto
allow-hotplug end0
iface end0 inet dhcp

Reboot the board!

Drop the bear! 🐻

Dropbear it is a small SSH server that supports only RSA algorythm.

=> Official Dropbear SSH Homepage

As a local SSH server for an under-powered SBC is a preferable alternative to OPENSSH, even though you don't need to unlock anything.

Since it is very small it can be embedded inside the INITRAFMS image and therefore invoked before to boot the board.

=> Learn more about INITRAMFS from the Ubuntu wiki

Installing the necessary packages

You need, besided cryptsetup and cryptsetup-intiramfs the following packages:

apt install -y dropbear dropbear-initramfs

💡 After the installation it will generates some keys and update the INITRAMFS complaining; you can ignore it!

Loading the public key into Dropbear

Unfortunately unlocking from the boot stage requires the use of the RSA key even though your network is your local one and you are the only one who is going to unlock it…

A. First you need to create a pair of key on another computer:

💡 Your are on the computer you want to use to SSH into the ROC-RK3328-CC

• nix systems:

ssh-keygen -t rsa -f .ssh/unlock_luks

❔ I reused the same key name from [3]

Windows systems:

ssh-keygen -t rsa -f .\.ssh\unlock_luks

💡 I intentionally left the passphrase blank

B. Then you to copy the public key into the board:

• nix systems:

scp .ssh/unlock_luks.pub root@[your-assigned-ip]:~/

Windows systems:

scp.exe .\.ssh\unlock_luks root@[your-assigned-ip]:~/

C. SSH into the server:

ssh root@[your-assigned-ip]

D. Check for the key and copy to: /etc/dropbear/initramfs/authorized_keys

ls (was the key there?) 

cat unlock_luks.pub >> /etc/dropbear/initramfs/authorized_keys

Modify: /etc/dropbear/initramfs/dropbear.conf

micro /etc/dropbear/initramfs/dropbear.conf

DROPBEAR_OPTIONS="-p 222 -c cryptroot-unlock"

Explanation:

• -P 222 — it will put Dropbear on listening on that port

⚠️ It is important to specify a different port from the one you're going to use; since I didn't change anything I am going to use the standard 22 port.

• -c cryptroot-unlock — it will launch that command so you only need to type the passphrase

Initramfs various configurations

Modify the file: /etc/initramfs-tools/initramfs.conf

and change the this line:

BUSYBOX=auto ==> BUSYBOX=y

Create a new file:

micro /etc/initramfs-tools/conf.d/IP

With the following content:

DEVICE=eth0
IP=::::::dhcp

⚠️ Loading a WiFi driver for a USB dongle is way beyond my knowledge; if you know how to do that, please let me know! 🙏

Update the INITRAMFS image and reboot

update-initramfs -u

reboot

🤞 The crossed fingers moment!

Now it is time to cross the fingers and preparing for pebcak…

• nix:
• ssh -i .ssh/unlock_luks -o "HostKeyAlgorithms ssh-rsa" -p 222 root@[your-assigned-ip] -v

Windows

• ssh -i ..ssh\unlock_luks -o "HostKeyAlgorithms ssh-rsa" -p 222 root@[your-assigned-ip] -v

If you see the prompt you it means you have been spared by pebcak this time…

Wrapping this up

Unlock you board locally doesn't really make sense for any purpose but one… Which is going to be unveiled at the end of this series (if you missed my diary… 🙄)

To unlock a system remotely it may have more sense using a static IP, but this gemlog is regarding the Libre Computer "Renegade" SBC thus anything beyond that board is outside my goal. 🤷

Please should you find any typos or other mistakes do not hesitate to contact me by email! 🙏

────────────

For comments or suggestions write me at:

=> freezr AT disroot DOT org

=> ↩ go back