Decrypt Drive with SFTP Credentials on Ubuntu

TL;DR

This guide shows you how to automatically decrypt an encrypted drive or folder on an Ubuntu Linux server using your existing SFTP login credentials. We’ll use SSH keys and a script triggered at boot.

Prerequisites

  • An Ubuntu Linux server with LUKS (Linux Unified Key Setup) full disk encryption or an encrypted folder.
  • SFTP access configured for a user account on the server.
  • The private SSH key associated with your SFTP login, accessible on the server. Important: Do not store this key insecurely!

Step-by-Step Guide

  1. Verify Encryption Status
    • For full disk encryption, check whether the LUKS mapping is already active. cryptsetup status takes the name of the mapped device under /dev/mapper (e.g. encrypted_volume), not the raw partition:
      sudo cryptsetup status encrypted_volume
    • For an encrypted folder (e.g., using ecryptfs), you’ll need to know the mount point and verify it’s not already mounted.
  2. Create a Decryption Script

    This script will handle unlocking the drive/folder using your SSH key. Create a new file, for example /usr/local/bin/decrypt_drive.sh and make it executable.

    sudo nano /usr/local/bin/decrypt_drive.sh

    Add the following script content (replace placeholders with your actual values):

    #!/bin/bash
    # Unlock a LUKS volume and mount it. Run as root.
    set -euo pipefail
    
    # Configuration - CHANGE THESE VALUES!
    DEVICE="/dev/sda1"                         # The LUKS device to decrypt (e.g., /dev/sda1 for full disk)
    MAP_NAME="encrypted_volume"                # Name the unlocked volume gets under /dev/mapper
    MNT_POINT="/mnt/encrypted"                 # Mount point after decryption
    SSH_KEY_PATH="/home/youruser/.ssh/id_rsa"  # Path to your private SSH key
    SFTP_USER="youruser"                       # Your SFTP username
    
    # cryptsetup status takes the mapper name, not the device, and exits 0 only
    # when that mapping is already active.
    if cryptsetup status "$MAP_NAME" >/dev/null 2>&1; then
      echo "Device $DEVICE is already unlocked as /dev/mapper/$MAP_NAME."
      exit 0
    fi
    echo "Device $DEVICE is locked. Attempting decryption..."
    
    # Load the SSH key into an agent (eval needs the agent's output, not the
    # literal string). A passphrase-protected key makes ssh-add prompt, which
    # stalls an unattended boot. The agent is stopped again when the script exits.
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1 || true' EXIT
    ssh-add "$SSH_KEY_PATH"
    
    # Derive the passphrase from the SFTP username: SHA-256 hex digest only.
    # printf '%s' adds no trailing newline; -r prints "hash *stdin", cut keeps the hash.
    # Demonstration only, see the security note below.
    PASSPHRASE=$(printf '%s' "$SFTP_USER" | openssl dgst -sha256 -r | cut -d' ' -f1)
    
    # cryptsetup has no --passphrase option: feed the passphrase on stdin via
    # --key-file=- (read to EOF). The same bytes must already be enrolled in a keyslot.
    if printf '%s' "$PASSPHRASE" | cryptsetup open "$DEVICE" "$MAP_NAME" --key-file=-; then
      echo "Device $DEVICE decrypted successfully."
      mkdir -p "$MNT_POINT"
      mount "/dev/mapper/$MAP_NAME" "$MNT_POINT"
      echo "Mounted at $MNT_POINT"
    else
      echo "Decryption failed. Check your SSH key path, passphrase derivation and permissions." >&2
      exit 1
    fi
    
    exit 0

    Important Security Note: The example uses a simple SHA256 hash of the username as a passphrase. This is for demonstration only and is not secure enough for production environments. Consider more robust methods to derive a strong passphrase from your SFTP credentials, or use a dedicated key management system.

    sudo chmod +x /usr/local/bin/decrypt_drive.sh
  3. Test the Script

    Run the script manually to ensure it works correctly before automating it.

    sudo /usr/local/bin/decrypt_drive.sh

    Check if the drive is unlocked and mounted as expected using df -h or lsblk.

  4. Configure Automatic Decryption at Boot

    Edit the /etc/rc.local file to run the decryption script during boot. Note: This method is deprecated in newer Ubuntu versions; consider using systemd services (see Step 5 for an alternative).

    sudo nano /etc/rc.local

    Add the following line before the exit 0 line:

    /usr/local/bin/decrypt_drive.sh &

    Ensure that rc.local is executable:

    sudo chmod +x /etc/rc.local
  5. (Recommended) Use a Systemd Service

    This is the preferred method for newer Ubuntu versions.

    • Create a systemd service file, e.g., /etc/systemd/system/decrypt_drive.service:
      sudo nano /etc/systemd/system/decrypt_drive.service
    • Add the following content (replace placeholders):
      [Unit]
      Description=Decrypt Drive Service
      After=network-online.target
      Wants=network-online.target
      
      [Service]
      Type=oneshot
      ExecStart=/usr/local/bin/decrypt_drive.sh
      RemainAfterExit=yes
      # Or the user that has permissions to decrypt (systemd does not allow comments on a value line)
      User=root
      
      [Install]
      WantedBy=multi-user.target
    • Enable and start the service:
      sudo systemctl enable decrypt_drive.service
      sudo systemctl start decrypt_drive.service
    • Check the service status:
      sudo systemctl status decrypt_drive.service
  6. Security Considerations
    • SSH Key Protection: Protect your private SSH key with a strong passphrase and restrict its permissions (e.g., chmod 600 ~/.ssh/id_rsa).
    • Passphrase Derivation: The example SHA256 hash is insecure. Use a more robust method to derive a strong passphrase from your SFTP credentials, or consider using a dedicated key management system.
    • Audit Logging: Implement audit logging to track decryption attempts and failures.