
Ubuntu 24.04 LTS Dropbear Setup

I played around with LUKS encryption in one of my Ubuntu Proxmox VMs. Quickly ran into the first inconvenience: having to type in the decryption password every single time I reboot the VM. The Proxmox noVNC console isn’t really great with copy and paste on macOS. So, having to type it by hand all the time was painful.

I knew that Dropbear (a tiny SSH server) is the solution to that; I just never configured it. It was quite straightforward.

This is my documentation:

sudo apt install dropbear-initramfs

The configuration (the DROPBEAR_OPTIONS line in /etc/dropbear/initramfs/dropbear.conf on 24.04) I've sourced from other pages and gists I found:

DROPBEAR_OPTIONS="-I 180 -j -k -p 22 -s -c cryptroot-unlock"
  • -I 180: idle timeout, disconnect if nothing is received within 180 seconds
  • -j: disable local port forwarding
  • -k: disable remote port forwarding
  • -p 22: listen on port 22 (the default SSH port)
  • -s: disable password logins (we'll add our public key later)
  • -c cryptroot-unlock: run only the given command (cryptroot-unlock) after successful authentication

Some like to change the default SSH port. Personally, I'm only doing this at home with trusted clients on the subnet, so I don't really mind using the default SSH port.

Another thing to note: most tutorials also configure a static IP. I'm not doing that, as I can find the IP via my router interface quite easily.

Then, create the authorized_keys:

vim /etc/dropbear/initramfs/authorized_keys

Add your public key:

ssh-ed25519 ABCDEFHIJK0123456789 luis

Adjust the permission:

chmod 600 /etc/dropbear/initramfs/authorized_keys

Let Dropbear integrate itself into the boot process:

update-initramfs -u

Verify that this command doesn't output any warning. For example, it will warn you if it can't read the authorized_keys file.
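As an added example (not part of the original post), a small POSIX shell check I would run before update-initramfs: it verifies that the flags listed above are present and that authorized_keys is usable. It assumes the Ubuntu 24.04 layout where DROPBEAR_OPTIONS lives in /etc/dropbear/initramfs/dropbear.conf; pass another directory as the first argument to check a copy elsewhere.

```shell
#!/bin/sh
# Added example: sanity-check a dropbear-initramfs configuration.
# check_dropbear_conf DIR -> prints findings; returns 0 only if every check passes.
# DIR defaults to the Ubuntu 24.04 location used in the post (assumption).
check_dropbear_conf() {
    dir=${1:-/etc/dropbear/initramfs}
    conf="$dir/dropbear.conf"
    keys="$dir/authorized_keys"
    rc=0
    # Extract the value of DROPBEAR_OPTIONS without its surrounding quotes.
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$conf" 2>/dev/null || true)
    [ -n "$opts" ] || { echo "FAIL: no DROPBEAR_OPTIONS in $conf"; return 1; }
    # -s disables password logins, -j/-k disable port forwarding (see the option list above).
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "FAIL: $flag missing from DROPBEAR_OPTIONS"; rc=1 ;;
        esac
    done
    # The forced command makes the initramfs shell do nothing but unlock the disk.
    case " $opts " in
        *" -c cryptroot-unlock "*) ;;
        *) echo "FAIL: forced command '-c cryptroot-unlock' missing"; rc=1 ;;
    esac
    # authorized_keys must exist, be non-empty and be mode 600, or update-initramfs complains.
    if [ ! -s "$keys" ]; then
        echo "FAIL: $keys missing or empty"; rc=1
    else
        mode=$(stat -c %a "$keys" 2>/dev/null || stat -f %Lp "$keys")
        [ "$mode" = "600" ] || { echo "FAIL: $keys mode is $mode, expected 600"; rc=1; }
        # Catch a private key pasted where only public keys belong.
        if grep -q 'PRIVATE KEY' "$keys"; then
            echo "FAIL: $keys contains private key material"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir looks sane"
    return "$rc"
}
```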

If all is well, it’s time to reboot.

reboot

After a couple of seconds, I tried connecting to my VM via SSH:

ssh root@myvm-ip

Which of course led me to this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
00000000000000000000000000000000000000000000000000.
Please contact your system administrator.
Add correct host key in /Users/luis/.ssh/known_hosts to get rid of this message.
...

Why? Because the Dropbear running in the initramfs has its own host keys, separate from the OpenSSH host keys the system presents once it has booted. So the warning is quite alright. Before trusting the new key, compare the fingerprint in the warning with that of the Dropbear host key on the VM (it lives next to the authorized_keys file in /etc/dropbear/initramfs/). To fix it, I added the new host keys to my known_hosts. You can have multiple valid host keys per host in there.

ssh-keyscan myvm-ip | pbcopy

Then add them at the bottom of your ~/.ssh/known_hosts.

After that, retry ssh:

ssh root@myvm-ip

It should greet you with:

Please unlock disk dm_crypt-0:

Woop woop!