Automated LUKS Drive Unlocking via SSH Key File from Remote Ubuntu Server in Cloud Environments

When dealing with encrypted non-root partitions on cloud servers, we face a unique dilemma: we need automatic boot-time decryption while maintaining security. Storing LUKS keyfiles locally defeats the encryption's purpose, yet cloud providers often prevent root partition encryption.

The Mandos system provides a potential solution, but has limitations for our cloud scenario. While designed primarily for root filesystems, Mandos can technically work with any LUKS-encrypted drive by modifying the initramfs scripts. The intranet limitation can be overcome using VPN connections between servers.

Here's a practical implementation using SSH for key retrieval:

#!/bin/bash
# /etc/crypttab entry:
# data_crypt UUID=... /etc/luks/keyfile sshkeyscript

# Script at /etc/luks/keyfile
#!/bin/bash
ssh -i /root/.ssh/luks_unlock_id_rsa user@remote-server "cat /secure/luks/keyfile"

Critical security measures for this approach:

Use SSH certificates instead of passwords
Restrict the unlock key's permissions (600)
Implement IP whitelisting on the remote server
Use separate SSH key pairs for each server

For more robust implementation, create a systemd service:

[Unit]
Description=Remote LUKS key retrieval
Before=cryptsetup.target
After=network-online.target
Requires=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh -i /etc/ssh/luks.key -o StrictHostKeyChecking=yes user@remote-host "cat /secure/luks.key" > /run/luks.key
ExecStartPost=/bin/cryptsetup luksOpen --key-file /run/luks.key /dev/sdb1 data_crypt
ExecStopPost=/bin/shred -u /run/luks.key

[Install]
WantedBy=multi-user.target

For environments requiring VPN connectivity first:

#!/bin/bash
# First establish VPN connection
wg-quick up wg0
# Then retrieve key
ssh -i /etc/ssh/luks.key user@remote-internal-host "cat /secure/luks.key"

Implement monitoring to ensure availability:

#!/bin/bash
if ! ping -c 1 remote-host; then
    systemctl restart vpn-connection
    sleep 5
    if ! ssh -q -i /etc/ssh/luks.key user@remote-host exit; then
        echo "Critical: Cannot reach key server" | mail -s "LUKS unlock failure" admin@example.com
    fi
fi

When managing cloud servers with encrypted non-root partitions, we face a critical paradox: We need automatic boot capability for unattended reboots, but storing decryption keys locally would defeat the whole purpose of encryption. This becomes particularly challenging in public cloud environments where we cannot encrypt the root partition.

While Mandos is a popular solution, it has limitations for our use case:

1. Primarily designed for root filesystems
2. Default configuration assumes LAN connectivity
3. Doesn't natively support arbitrary block devices

Here's a robust approach using SSH for secure key retrieval:

#!/bin/bash
# /etc/crypttab entry:
# sda5_crypt UUID=... /boot/remote_keyfile sshkeyserver=192.168.1.100

REMOTE_SERVER="your.remote.server"
KEY_PATH="/path/to/remote/luks.key"
LOCAL_MOUNTPOINT="/mnt/decrypted"
CRYPT_DEVICE="sda5_crypt"

if ! ssh -i /etc/ssh/keys/id_rsa $REMOTE_SERVER "cat $KEY_PATH" | cryptsetup open --key-file=- /dev/sda5 $CRYPT_DEVICE; then
    echo "Failed to unlock device" >&2
    exit 1
fi

For production environments, wrapping the SSH connection in a VPN provides additional security:

# OpenVPN configuration example (client-side)
client
dev tun
proto udp
remote vpn.yourdomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote-cert-tls server
cipher AES-256-CBC

Creating a custom systemd service ensures proper boot sequencing:

# /etc/systemd/system/remote-luks.service
[Unit]
Description=Remote LUKS unlock
Before=remote-fs.target
After=network-online.target sshd.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/unlock-luks-remote
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target