1. Uninstallation

Enter the following commands at a command line.

# If install.sh enrolled the keyfile in a LUKS key slot, revoke that slot first;
# deleting the keyfile alone leaves a valid slot behind (adjust the device name).
sudo cryptsetup luksRemoveKey /dev/sdX# /root/<host>.keyfile
sudo rm /root/<host>.keyfile
sudo rm /etc/dropbear-initramfs/config.org
sudo rm /etc/dropbear-initramfs/id_rsa
sudo apt-get purge 'dropbear*'
sudo mv /etc/crypttab.org /etc/crypttab
sudo rm -rf /etc/initramfs-tools
sudo mv /etc/initramfs-tools.org /etc/initramfs-tools
# Rebuild the initramfs so the dropbear hook and the keyscript are really gone.
sudo update-initramfs -u
sudo apt-get autoremove
sudo apt-get autoclean

2. Installation

Enter the following commands at a command line.

# Installing dropbear-initramfs warns that there is no authorized_keys file yet
# (remote unlocking will not work); ignore it, install.sh below creates the key.
sudo apt-get install busybox
sudo apt-get install dropbear-initramfs
sudo apt-get install initramfs-tools
sudo apt-get install sharutils
# Back up original files.
sudo cp -a /etc/crypttab /etc/crypttab.org
sudo cp -a /etc/dropbear-initramfs/config /etc/dropbear-initramfs/config.org
# Back up original folder.
sudo cp -a /etc/initramfs-tools /etc/initramfs-tools.org
# Append dropbear settings: a static address on eth0 and key-only login on port 22
# (-s disables password authentication). These are the variable names read by the
# older combined dropbear package; newer dropbear-initramfs takes the daemon options
# from DROPBEAR_OPTIONS in this file and the address from the kernel ip= parameter
# (or IP= in /etc/initramfs-tools/initramfs.conf), so use those names if these are ignored.
cat << 'EOF' | sed 's/^  //' | sudo tee --append /etc/dropbear-initramfs/config > /dev/null
  DROPBEAR=y
  IP=10.10.1.2:::255.255.255.0::eth0:off
  PKGOPTION_dropbear_OPTION="-s -p 22"
EOF
# Download luks-triple-unlock files. /opt must be writable by your user for the
# commands below (otherwise prefix them with sudo). The archive is fetched over HTTPS
# but is not signed: read crypto-usb-key.sh and install.sh before running them as root.
cd /opt
rm -f master.zip
rm -rf luks-triple-unlock*
wget https://github.com/chadoe/luks-triple-unlock/archive/master.zip
# Extract luks-triple-unlock files.
unzip master.zip
rm -f master.zip
# Rename folder.
mv luks-triple-unlock-master luks-triple-unlock
cd luks-triple-unlock
# Back up original files.
sudo cp -a crypto-usb-key.sh crypto-usb-key.sh.org
sudo cp -a install.sh install.sh.org
# Give the keyscript 5 seconds instead of 2 to find the USB keyfile: change "MAX_SECONDS=2" into "MAX_SECONDS=5".
sed -i 's/MAX_SECONDS=2/MAX_SECONDS=5/' crypto-usb-key.sh
# Add the nls_ascii kernel module to the initramfs module list after the "fat" entry,
# so the vfat mount of the keyfile stick inside the initramfs has the character-set module it needs.
line="grep -q '^nls_ascii$' /etc/initramfs-tools/modules || echo 'nls_ascii' >> /etc/initramfs-tools/modules"
sed -i "/^grep -q '^fat$'/a $line" install.sh
# Remove the "apt-get install -y" lines; the packages were installed above.
sed -i '/apt-get install -y/d' install.sh
# Remove the "/id_rsa/" sub folder from the key path.
sed -i 's|/id_rsa/|/|' install.sh
# Create a 4 KiB random keyfile readable only by root. The umask avoids a brief window
# in which the file exists with default permissions before chmod runs.
sudo sh -c 'umask 077; dd if=/dev/urandom of=/root/<host>.keyfile bs=1024 count=4'
sudo chmod 0400 /root/<host>.keyfile
# Install luks-triple-unlock files and enroll the keyfile in a LUKS key slot.
sudo ./install.sh /root/<host>.keyfile
# Type the existing LUKS passphrase and press Enter when install.sh asks for it.
# Store the private key generated by install.sh on the Sophos Firewall. Copy whichever
# of the two paths exists (the location depends on the package version). The key is not
# passphrase-protected: whoever can read it on the firewall can unlock the disk, so keep
# it mode 0600 there.
sudo scp -p /etc/initramfs-tools/root/.ssh/id_rsa admin@10.10.1.170:id_rsa.<host>
sudo scp -p /etc/dropbear-initramfs/id_rsa admin@10.10.1.170:id_rsa.<host>
  • Enter the following commands at the command line to save the keyfile on a FAT32 formatted external USB device. FAT32 has no file permissions, so the copy on the stick is readable by anyone who holds it: the stick is now equivalent to the disk passphrase and must be kept physically secure.

    # Attach a FAT32 formatted external USB device.
    sudo mount /dev/sdX# /mnt
    # Plain cp: -a would only try (and fail) to preserve Unix ownership and mode on FAT32.
    sudo cp /root/<host>.keyfile /mnt
    sudo umount /mnt
    # Detach the FAT32 formatted external USB device.
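A post-install check (added example; not part of luks-triple-unlock or of the dropbear package). It reads the lsinitramfs listing of the current initramfs and verifies that the three unlock paths have what they need: the dropbear binary and authorized_keys for SSH, the fat/vfat and nls modules for the USB stick, and the crypto-usb-key.sh keyscript; it also checks that /etc/crypttab references the keyscript, that the keyfile is mode 0400 and, with cryptsetup's --test-passphrase, that the keyfile really opens a LUKS key slot. The script name verify-remote-unlock.sh, the argument order and the file-name patterns in REQUIRED_ENTRIES are assumptions about a Debian/Ubuntu initramfs; adjust the patterns if yours lays things out differently.

```sh
#!/bin/sh
# verify-remote-unlock.sh: post-install check for the dropbear + luks-triple-unlock setup.
# Added example; not part of luks-triple-unlock or the dropbear package. The paths and
# file names matched below are assumptions about a Debian/Ubuntu initramfs: adjust the
# patterns if lsinitramfs shows the pieces under different names.

# Entries the initramfs needs for each of the three unlock paths:
#   dropbear + authorized_keys       -> SSH unlock
#   fat/vfat + nls_ascii/nls_cp437   -> keyfile read from a FAT32 USB stick
#   crypto-usb-key.sh                -> the luks-triple-unlock keyscript itself
# Format: label:extended-regex, one per line.
REQUIRED_ENTRIES='
dropbear binary:bin/dropbear$
authorized_keys:authorized_keys$
fat module:kernel/fs/fat/fat\.ko
vfat module:kernel/fs/fat/vfat\.ko
nls_ascii module:kernel/fs/nls/nls_ascii\.ko
nls_cp437 module:kernel/fs/nls/nls_cp437\.ko
keyscript:crypto-usb-key\.sh$'

# check_listing: read an lsinitramfs listing on stdin, report every required entry
# that is absent, and return 0 only when all of them are present.
check_listing() {
    listing=$(cat)
    missing=0
    # here-document rather than a pipe so that "missing" survives the loop (no subshell)
    while IFS=: read -r label pattern; do
        [ -n "$pattern" ] || continue
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            printf 'MISSING in initramfs: %s (no entry matching %s)\n' "$label" "$pattern" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED_ENTRIES
EOF
    [ "$missing" -eq 0 ]
}

# check_crypttab: the root volume line must carry a keyscript= option pointing at
# crypto-usb-key.sh, otherwise the initramfs falls back to the plain passphrase prompt.
check_crypttab() {
    grep -Eq 'keyscript=[^ ,]*crypto-usb-key\.sh' "$1"
}

# check_keyfile_mode: the keyfile must be readable by its owner only (0400 or 0600).
check_keyfile_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) printf 'keyfile %s has mode %s, expected 0400\n' "$1" "$mode" >&2; return 1 ;;
    esac
}

# check_luks_slot: confirm the keyfile opens a key slot without mapping the device.
# Needs root and the real LUKS device; this is what the USB unlock path relies on.
check_luks_slot() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Usage: sudo sh verify-remote-unlock.sh /boot/initrd.img-$(uname -r) /dev/sdX# /root/<host>.keyfile
main() {
    initrd=$1; dev=$2; keyfile=$3
    status=0
    lsinitramfs "$initrd" | check_listing || status=1
    check_crypttab /etc/crypttab || { echo 'no crypto-usb-key.sh keyscript in /etc/crypttab' >&2; status=1; }
    check_keyfile_mode "$keyfile" || status=1
    check_luks_slot "$dev" "$keyfile" || { echo 'keyfile does not open a LUKS key slot' >&2; status=1; }
    [ "$status" -eq 0 ] && echo 'remote unlock setup looks complete'
    return "$status"
}

if [ $# -eq 3 ]; then
    main "$@"
fi
```

Run it as root after install.sh, and again after any update-initramfs, with the initrd, the LUKS device and the keyfile as arguments. A missing nls_ascii entry is exactly the failure the sed edit to install.sh above is there to prevent; a failing check_luks_slot means the USB path will silently fall through to the passphrase prompt.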

3. Usage

  • Enter the following commands at the command line of the Sophos Firewall to unlock the computer.

    # The initramfs has its own SSH host key, which differs from the booted system's key
    # on the same address; keep it in a separate known_hosts file
    # (-o UserKnownHostsFile=~/.ssh/known_hosts.initramfs) to avoid host key mismatch errors.
    ssh -i id_rsa.<host> root@10.10.1.2
    # Older dropbear signs with ssh-rsa (SHA-1) only, which OpenSSH 8.8 and later reject by
    # default; if the connection is refused for that reason, re-enable it for this host only:
    ssh -i id_rsa.<host> -o HostKeyAlgorithms=ssh-rsa root@10.10.1.2
    # Type the LUKS passphrase and press Enter.