Configuring network with dropbear-initramfs

The dropbear-initramfs package in Debian is intended to help unlocking encrypted partitions remotely from initramfs. In other words, it can be used to unlock an encrypted block device that may well include the root partition.

Officially only a single IPv4 address may be set up in a convenient way. This weblog post shows how to get around that limitation, without too much hassle.

The only package needed is dropbear-initramfs. Install it:

# apt-get install dropbear-initramfs

The network device is located in specified on the DEVICE environment variable in /etc/initramfs-tools/initramfs.conf. We specify a device that will not exist:

DEVICE=nosuchnetdev

The network configuration would be specified in the IP variable but we omit this as we don’t intend to use the default scripts for setting up the network configuration.  Instead, we add a few extra bits to /etc/dropbear-initramfs/config. The dropbear configuration file is actually sourced by the shell so executing commands is entirely possible.

# This line is important --- it fools the initramfs
# scripts to believe the device is already set up.
touch /run/net-nosuchnetdev.conf

# modprobe the driver for your network adapter.
# Change this to correspond to your system.
modprobe e1000e

__getdev2() {
        echo ${2%:}
}

__getdev() {
        __getdev2 $(ip link list | grep -B 1 $1 | head -1)
}

# MAC addresses of the devices; replace with your own
eth0=$(__getdev 00:11:22:33:44:55)

# Set up network here as you like. The configuration will be
# overridden with what you have set up in /etc/network/interfaces
# once the boot continues.
ip addr add 192.168.1.1/24 dev $eth0
ip addr add 2001:db8::1/32 dev $eth0
ip link set up dev $eth0

Now, update initramfs and you should be ready to log in remotely to initramfs on your next boot.

Edit 2018-09-25:

Remember to put your own public key to /etc/dropbear-initramfs/authorized_keys so you’ll be actually able to log in. Also see the documentation in /usr/share/doc/dropbear-initramfs/README.initramfs .

Edit 2018-09-20:

The initramfs image can be updated with the following command:

# update-initramfs -u

Edit 2018-09-25:

After rebooting you can log in remotely as root via ssh. Run

# cryptroot-unlock

After providing the passphrase your system should boot up as expected.

 

Leave a comment