LXD security luks dropbear

From UVOO Tech Wiki

Setting up Dropbear for Initramfs is the gold standard for "headless" secure servers. It allows you to SSH into your server before the main operating system even starts, just to type the LUKS passphrase.

This gives you the security of a manual passphrase with the convenience of not needing a physical keyboard and monitor attached to the server.


1. Install the Dropbear Initramfs Tool

Ubuntu has a specific package that integrates the lightweight Dropbear SSH server into the boot process.

sudo apt update
sudo apt install dropbear-initramfs -y

2. Configure Your SSH Key

For security, you should use an SSH Key rather than a password to log in during this pre-boot phase.

  1. Copy your public key (usually found at ~/.ssh/id_ed25519.pub on your local machine).
  2. Add it to the authorized keys used at boot:

sudo nano /etc/dropbear/initramfs/authorized_keys

     Paste your public key there and save.

3. Set the Network Config (Optional but Recommended)

If your server does not get an IP address automatically via DHCP during boot, you can hardcode one in the GRUB config; usually the default works fine if your router is handing out DHCP leases.

To change the port (so the pre-boot unlock SSH service does not clash with your main SSH server on the same address later), edit the config:

sudo nano /etc/dropbear/initramfs/config

Change the options line to:

DROPBEAR_OPTIONS="-p 2222"

(This puts the "Unlock SSH" on port 2222.)


4. Update and Reboot

Tell the system to rebuild the boot image with Dropbear inside it.

sudo update-initramfs -u
sudo reboot

5. How to Unlock Remotely

Once the server starts booting, it will "hang" at the encryption prompt. From your local laptop, run:

ssh -p 2222 root@your-server-ip

Note: the login user is always root in the initramfs, even if root is not your main user on the installed system.

Once you are logged in, you will see a minimal prompt. Run the unlock command:

cryptroot-unlock

Type your passphrase. Once accepted, the SSH session will close automatically, the drive will mount, and Ubuntu will finish booting into the main OS (and start your LXD containers).


Summary of your "Private Cloud" Security

You now have a setup that mirrors high-end cloud security:

  1. LXD Isolation: Your apps are siloed in containers or VMs.
  2. Full Disk Encryption: Data is encrypted at rest (LUKS).
  3. Encrypted Storage Pool: Your LXD data lives on a ZFS-over-LUKS layer.
  4. Remote Secure Unlock: You can manage reboots from anywhere without leaving keys "in the lock" (the keyfile).

small bash script that checks the status of your LXD encrypted pool and alerts you if it fails to mount after an unlock
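As an added example (not from the wiki page), a POSIX shell script along the lines described above: it checks that the LUKS mapping is active, that the ZFS pool is imported and healthy, and that it is mounted, and writes an alert to syslog otherwise. The mapper name lxd_crypt and pool name lxdpool are assumptions; override them with the MAPPER and POOL environment variables.

```shell
#!/bin/sh
# Added example, not from the wiki page. Verifies that the LXD storage pool came
# up after a remote cryptroot-unlock: LUKS mapping active, ZFS pool imported and
# healthy, dataset mounted. Assumed names (adjust): mapper lxd_crypt, pool lxdpool.
MAPPER="${MAPPER:-lxd_crypt}"
POOL="${POOL:-lxdpool}"

# Pure decision logic, kept separate so it can be tested without zfs/cryptsetup.
#   $1 crypt ("active"/"inactive"), $2 zpool health (empty = not imported),
#   $3 "yes"/"no" from `zfs get mounted`.
# Prints one verdict line; returns 0 = OK, 1 = warning, 2 = critical.
evaluate_status() {
    crypt="$1"; health="$2"; mounted="$3"
    if [ "$crypt" != "active" ]; then
        echo "CRITICAL: LUKS mapping $MAPPER is not active (disk still locked)"
        return 2
    fi
    case "$health" in
        ONLINE) ;;
        "")     echo "CRITICAL: ZFS pool $POOL is not imported"; return 2 ;;
        *)      echo "WARNING: ZFS pool $POOL health is $health"; return 1 ;;
    esac
    if [ "$mounted" != "yes" ]; then
        echo "CRITICAL: ZFS pool $POOL is imported but not mounted"
        return 2
    fi
    echo "OK: $MAPPER unlocked, $POOL $health and mounted"
    return 0
}

# Collects live state from the system (needs root) and feeds it to evaluate_status.
collect_and_check() {
    if cryptsetup status "$MAPPER" 2>/dev/null | grep -q 'is active'; then crypt=active; else crypt=inactive; fi
    health="$(zpool list -H -o health "$POOL" 2>/dev/null || true)"
    mounted="$(zfs get -H -o value mounted "$POOL" 2>/dev/null || true)"
    msg="$(evaluate_status "$crypt" "$health" "$mounted")"; rc=$?
    echo "$msg"
    # Alert path: syslog, which journald or your remote log shipping will pick up.
    [ "$rc" -eq 0 ] || logger -t lxd-pool-check -p daemon.crit "$msg"
    return "$rc"
}

# Run the live check only when invoked as: sh lxd-pool-check.sh check
if [ "${1:-}" = "check" ]; then
    collect_and_check
fi
```

Run it as root a minute or two after the unlock (for example from a systemd timer or a cron @reboot entry with a sleep); a non-zero exit code makes it easy to chain into whatever alerting you already use.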

Goal              Config Setting
Specify a Key     IdentityFile ~/.ssh/key_name
Use a Nickname    Host nickname
Set User          User username
Force Port        Port 2222 (if you changed it for security)