Ubuntu: How can I automatically log into a fully encrypted Ubuntu system without a password prompt?



Question:

I've recently installed Ubuntu with a full disk encryption which means I have to enter a password at boot to get the system up and running. This is excellent and exactly what I want for the future.

Right now though, as I am installing software, I would like to temporarily turn off the password request, having the system boot automatically. I know this defeats the point of encryption, but I am getting tired of having to connect an external monitor every time I reboot. I'd prefer to be able, for the time being, to reboot the encrypted system via ssh.

Once all the software I require is in place, I plan to bring the password request back.

Anybody know how I do this?


Solution:1

I don't think this is possible, by design. In order for SSH to come up the boot would have had to progress to a certain point (network up, etc.) and that all requires the disk to be unencrypted.

I do have a couple of alternatives though:

  1. Just encrypt homes. This would work well enough for a desktop system but if you're headless and only using SSH, this leaves you in the position where you wouldn't be able to SSH in with public key authentication (password still works AFAIK).

  2. Embed the system below a virtualisation hypervisor that supports a KVM forwarder. This first requires a base installation of an operating system. Ubuntu will do. Then you install Xen in that, and then create a virtual cubby hole for your server and install into that. That's obviously the abridged version of how you'd do that, more here.

    With Xen you can then xm list to get the ID of your virtual server, and then xm console <id> to get console access. In your case, this should present you with a prompt to unlock the server.

    If the base computer is otherwise graphical, you could simplify this process by using something like VMWare and VNCing in but this won't give you as good performance as Xen. I don't think lighter options like LXC will work here.

I don't think there's an easy migration in either of these cases; you'll have to reinstall. As Uli says, is all this commotion worth it?

A couple more physical options:

  1. A real KVM. This essentially lets you switch one keyboard, monitor and mouse between two computers. For VGA and PS/2 connectors this is cheap. If you want HDMI and USB it's probably more expensive.

  2. KVM over IP. A little box you plug into your video card and keyboard/mouse ports and your network. Then you just VNC into the box and you have like-physical access. Unfortunately these are quite costly. Cheapest I could find was ~£230 which is about nine times as much as a standard KVM.


Solution:2

You can arrange for a "keyscript" to supply the decryption passphrase at boot time. The keyscript is just a program that can do whatever it needs to do to get the passphrase, including fetching it over the network.

I wanted to be able to boot a headless system by supplying the passphrase over the network, with the caveat that I understand that the network must be secure at the time that I supply the passphrase. I achieve this security by disconnecting the LAN cable and plugging in a crossover, which I can do as I have easy physical access. This is still easier than plugging in a keyboard and monitor, as I don't have any nearby.

To do this, I wrote a keyscript that waits for a passphrase to be supplied over the network. The keyscript and some instructions are on Github.
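As an added illustration of the keyscript mechanism described in this answer (example code, not the answer author's GitHub script), here is a minimal `sh` keyscript that waits for one line over TCP and otherwise falls back to the normal console prompt. The port, the file name `netkeyscript`, the `nc` flags and the device name in the crypttab comment are assumptions; `nc` must be copied into the initramfs by a hook, and the usual caveat from the answer applies: the passphrase crosses the network in the clear, so only do this on a link you control.

```shell
#!/bin/sh
# Illustrative crypttab keyscript (added example, not the answer author's script):
# receive the LUKS passphrase over the network, fall back to the console prompt
# when nothing usable arrives.
#
# /etc/crypttab wiring (device name is an assumption):
#   sda5_crypt UUID=... none luks,keyscript=/usr/local/sbin/netkeyscript
# then run: update-initramfs -u   (plus a hook that copies nc into the initramfs)
#
# Debian/Ubuntu's cryptsetup initramfs hooks run the script with the crypttab key
# field in $1 and export CRYPTTAB_NAME, CRYPTTAB_SOURCE and CRYPTTAB_TRIED (the
# attempt counter). Whatever the script prints on stdout is used as the passphrase.

PORT="${NETKEY_PORT:-9999}"        # assumed port; any free TCP port will do
TIMEOUT="${NETKEY_TIMEOUT:-60}"    # seconds to wait for a network passphrase

# Normalise what came off the wire: keep exactly one line, strip CR/LF,
# and refuse empty input so cryptsetup does not burn an attempt on "".
sanitize_passphrase() {
    pp=$(printf '%s' "$1" | head -n 1 | tr -d '\r\n')
    [ -n "$pp" ] || return 1
    printf '%s' "$pp"
}

# Wait on TCP for a single line; the sender runs e.g. `nc <host> 9999` and types it.
# Flags follow traditional netcat (-l -p PORT); OpenBSD nc uses `-l PORT` instead.
fetch_from_network() {
    nc -l -p "$PORT" -w "$TIMEOUT" 2>/dev/null
}

main() {
    raw=$(fetch_from_network)
    if pp=$(sanitize_passphrase "$raw"); then
        printf '%s' "$pp"
    else
        # Nothing usable arrived: hand over to the regular initramfs prompt.
        /lib/cryptsetup/askpass "Unlock ${CRYPTTAB_NAME:-disk} (try ${CRYPTTAB_TRIED:-0}): "
    fi
}

# Only act when executed as the keyscript, not when sourced for testing.
if [ "${0##*/}" = "netkeyscript" ]; then
    main
fi
```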

