Automate LUKS Decryption with SSH Keyfile

TL;DR

This guide shows you how to automatically fetch a LUKS keyfile over SSH and decrypt a partition on boot. This is useful for remote servers or systems where the keyfile isn’t stored locally.

Prerequisites

• A Linux system using LUKS encryption.
• SSH access to a server/system containing the keyfile.
• The SSH user has read permissions on the keyfile.
• Basic familiarity with editing configuration files (using nano, vim etc.).

Steps

1. Identify your LUKS partition

Use lsblk -f to find the UUID of the encrypted partition you want to unlock. Note this down – you’ll need it later.

lsblk -f

2. Create a script to fetch the keyfile

This script will SSH into the remote server, retrieve the keyfile, and save it locally. Create a new file (e.g., /root/get_keyfile.sh) with the following content. Replace user@remote_server and /path/to/keyfile with your actual details.

#!/bin/bash
ssh user@remote_server "cat /path/to/keyfile" > /root/luks_keyfile.key
chmod 600 /root/luks_keyfile.key

Make the script executable:

chmod +x /root/get_keyfile.sh

3. Configure systemd to run the script on boot

Create a new systemd service file (e.g., /etc/systemd/system/get-luks-keyfile.service) with the following content:

[Unit]
Description=Fetch LUKS keyfile over SSH
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/root/get_keyfile.sh
RemainAfterExit=yes
User=root

[Install]
WantedBy=multi-user.target

Enable and start the service:

systemctl enable get-luks-keyfile.service
systemctl start get-luks-keyfile.service

4. Modify /etc/crypttab

Edit /etc/crypttab and add a line for your encrypted partition. Replace partition_uuid with the UUID you found in step 1, and keyfile_name with the name of the keyfile (e.g., luks_keyfile.key).

partition_uuid /root/keyfile_name none luks

5. Update initramfs

This step is crucial to ensure the keyfile is available during boot. Run the following command:

update-initramfs -u -k all

6. Reboot and test

Reboot your system. The partition should automatically decrypt during boot.

7. Troubleshooting

• Check the systemd service status: systemctl status get-luks-keyfile.service
• Verify that the keyfile exists in /root/ with correct permissions (600).
• Examine system logs for SSH errors or other issues using journalctl -xe.