Automate LUKS Decryption with SSH Keyfile

TL;DR

This guide shows you how to automatically fetch a LUKS keyfile over SSH and decrypt a partition on boot. This is useful for remote servers or systems where the keyfile isn’t stored locally.

Prerequisites

A Linux system using LUKS encryption.
SSH access to a server/system containing the keyfile.
The SSH user has read permissions on the keyfile.
Basic familiarity with editing configuration files (using nano, vim etc.).

Steps

Identify your LUKS partition

Use lsblk -f to find the UUID of the encrypted partition you want to unlock. Note this down – you’ll need it later.

lsblk -f

Create a script to fetch the keyfile

This script will SSH into the remote server, retrieve the keyfile, and save it locally. Create a new file (e.g., /root/get_keyfile.sh) with the following content. Replace user@remote_server and /path/to/keyfile with your actual details.

#!/bin/bash
ssh user@remote_server "cat /path/to/keyfile" > /root/luks_keyfile.key
chmod 600 /root/luks_keyfile.key

Make the script executable:

chmod +x /root/get_keyfile.sh

Configure systemd to run the script on boot

Create a new systemd service file (e.g., /etc/systemd/system/get-luks-keyfile.service) with the following content:

[Unit]
Description=Fetch LUKS keyfile over SSH
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/root/get_keyfile.sh
RemainAfterExit=yes
User=root

[Install]
WantedBy=multi-user.target

Enable and start the service:

systemctl enable get-luks-keyfile.service
systemctl start get-luks-keyfile.service

Modify /etc/crypttab

Edit /etc/crypttab and add a line for your encrypted partition. Replace partition_uuid with the UUID you found in step 1, and keyfile_name with the name of the keyfile (e.g., luks_keyfile.key).

partition_uuid /root/keyfile_name none luks

Update initramfs

This step is crucial to ensure the keyfile is available during boot. Run the following command:

update-initramfs -u -k all

Reboot and test

Reboot your system. The partition should automatically decrypt during boot.

Troubleshooting

Check the systemd service status: systemctl status get-luks-keyfile.service
Verify that the keyfile exists in /root/ with correct permissions (600).
Examine system logs for SSH errors or other issues using journalctl -xe.

TL;DR

Prerequisites

Steps

Something Fresh

Zip Codes & PII: Are They Personal Data?

ZeroNet: 51% Attack Risks & Mitigation

Zero Knowledge Voting with Trusted Server

What People Reading

Feedback and data-driven updates to Googles disclosure policy

Zero-Day Vulnerabilities: User Defence Guide

YubiKey Security: Initial Setup with Yubi Cloud

Security Insider Interview Series: John McArthur, Senior Product Manager, IP Intelligence; and Rupert Young, Senior Director Software Engineering, Data Compilation and Identity, Neustar

Certificate Security in the Wild West

Categories

Partners

Just add here your partners image or promo text

Automate LUKS Decryption with SSH Keyfile

TL;DR

Prerequisites

Steps

Related posts

Something Fresh

What People Reading

Categories

Partners

Just add here your partners image or promo text