Intruduction

In this short tutorial, I will show you how to unlock your luks encrypted root file system on RHEL 8 / CentOS 8, remotely via SSH. To accomplish this task, we will use 3rd party dracut module - dracut-sshd.

Before we begin, we will need some details for our system - Ethernet device, IP address, NETMASK and Gateway.

In this example my configuration is as follow:

IP: 192.168.0.77
NETMASK: 255.255.0.0
GATEWAY: 192.168.0.1
Ethernet: eth0

Generate SSH key pair

We need to generate a public-private ssh keys and include them in initramfs.

ssh-keygen -t rsa 
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.77

Install dracut-sshd

This Dracut module (dracut-sshd) integrates the OpenSSH sshd into the initramfs. It allows for remote unlocking of a fully encrypted root filesystem and remote access to the Dracut emergency shell (i.e. early userspace). [1]

dnf copr enable gsauthof/dracut-sshd
dnf install dracut-sshd

Enable dracut Network

Here, we add early network capabilities to initramfs. Update network configuration to match your requirements.

cat <<EOF  >> /etc/dracut.conf.d/99-network.conf
kernel_cmdline="ip=192.168.0.77::192.168.0.1:255.255.0.0:VerySecureVM:eth0:off"
EOF

Syntax is:

ip<client-IP-number>:[<server-id>]:<gateway-IP-number>:<netmask>:<client-hostname>:<interface>:{dhcp|dhcp6|auto6|on|any|none|off}

Force Dracut initram regeneration

In order to include our SSH keys and dracut network configuration, we will force dracut to regenerate initramfs image.

dracut -f

Flush Dracut network configuration

Since IP address configuration is set via kernel, NetworkManager will not load your configuration from real root filesystem. This will be a problem if you have IP aliasess, bonds, bridge, vlans & etc. configured on your real root.

If your system has one IP address, you can skip these steps.

cat <<EOF >> /etc/systemd/system/flush-dracut-network\@.service
[Unit]
Description=Remove dracut's network configuration for %I
Before=network-pre.target
Wants=network-pre.target

[Service]
ExecStartPre=/usr/sbin/ip address show %i
ExecStart=/usr/sbin/ip -statistics address flush dev %i

[Install]
WantedBy=default.target
EOF

Enable systemd unit to flush dracut configuration on our ethernet interface.

systemctl enable flush-dracut-network@eth0

Reboot your machine and test : )

Once the initrd load and network is fired up, you should be able to login via SSH and unlock your encrypted root file system with single command - systemd-tty-ask-password-agent. Here is an example:

ssh root@192.168.0.77
initramfs-ssh:/root# systemd-tty-ask-password-agent
Please enter passphrase for disk QEMU_HARDDISK (luks-01a6fbf5-779e-47c0-b7bd-efca0252d5d9)! ********
initramfs-ssh:/root# Connection to 192.168.0.77 closed by remote host.
Connection to 192.168.0.77 closed.

References:
[1] https://github.com/gsauthof/dracut-sshd
[2] https://access.redhat.com/solutions/3017441
[3] https://unix.stackexchange.com/questions/506331/networkmanager-doesnt-change-ip-address-when-dracut-cmdline-provided-static-ip
[4] Photo: Markus Winkler