Monday, June 20, 2011

Unlocking LUKS encrypted LVM via SSH in Ubuntu

If you've followed the instructions in /usr/share/doc/cryptsetup/README.remote.gz on recent versions of Ubuntu, you've probably found that you are unable to log into the dropbear instance that you set up. This turns out to be the result of what I assume to be a bug in the dropbear hook script in initramfs-tools. Recent versions of Ubuntu seem to have reorganized the /lib directory and moved some files needed by dropbear, without which it cannot resolve "root" as a valid user.

First, run the following command to determine where the files you need are located:

find /lib -name libnss_files.so.2

On my system, I get the following:

/lib/i386-linux-gnu/libnss_files.so.2

The part you are interested in is the "i386-linux-gnu" part.

Now, edit (as root) /usr/share/initramfs-tools/hooks/dropbear. Look around line 30 for the following:

cp /lib/libnss_* "${DESTDIR}/lib/"

Replace that with:

cp /lib/i386-linux-gnu/libnss_* "${DESTDIR}/lib/"

Now, as root, run the following:

update-initramfs -u

Reboot and you should now at least be able to connect to the dropbear instance with the dropbear key that was automagically generated.

Now, the next problem is plymouth. All the work-arounds I've found seem to either flat out not work as described or break plymouth such that you'll not be able to enter the unlock passphrase at the console should you choose to do so.

Use the steps below to work-around the plymouth issue (tested on Natty 11.04). This work-around will at least guarantee that plymouth is still able to unlock the LUKS root volume at the console should you choose to do so.

1) run "ps aux" and locate the process id for the /scripts/local-top/cryptroot script
2) run "kill -9 pid" replacing pid with the process id you found in step 1
3) run "ps aux" again and look for a wait-for-root script and note the timeout on its command line
4) twiddle your thumbs for that many seconds - that script will exit and start an initramfs shell
5) run "/scripts/local-top/cryptroot" and wait for it to prompt for your unlock passphrase
6) enter the unlock passphrase and wait for it to return you to the busybox shell prompt
7) run "ps aux" again and locate the process id of "/bin/sh -i"
8) run "kill -9 pid" using the process id you found from step 7

initramfs should be continuing the boot process at this point with your mounted root volume. You'll know this is happening because dropbear just had "/" yanked out from underneath it and you'll not be able to run any more commands in your ssh session, as /bin is no longer available. Go ahead and disconnect and wait an appropriate amount of time for your system to finish starting up. After your system has finished booting, you should be able to connect to it remotely just as if you had typed your unlock passphrase at the console.
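The eight steps above, wrapped in a few busybox-compatible shell functions so they can be pasted into the dropbear session instead of typed by hand. This is an added example, not from the original post or from initramfs-tools; it assumes the process names and the wait-for-root command line look as described in the steps, and the sample ps output it ships with is constructed for illustration.

```shell
#!/bin/sh
# Added example: automate the plymouth work-around from the dropbear initramfs shell.
# Assumes busybox ps/kill/awk/sleep, as found in the Ubuntu initramfs.

# Constructed sample of busybox "ps aux" output (PID is the first column) used
# to exercise the helpers below without a live initramfs.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      2340 S    /init
  212 root      2340 S    /bin/sh /scripts/local-top/cryptroot
  230 root      2100 S    wait-for-root /dev/mapper/vg-root 30
  301 root      2340 S    /bin/sh -i'

# pid_of PATTERN [PS_OUTPUT]: PID of the first process whose command line
# contains PATTERN. PS_OUTPUT defaults to live "ps aux"; passing captured text
# instead makes the function testable. Works with busybox (PID first) and
# procps (USER first, PID second) column layouts.
pid_of() {
    pattern=$1
    ps_out=${2:-$(ps aux)}
    printf '%s\n' "$ps_out" | awk -v pat="$pattern" '
        index($0, pat) { print ($1 ~ /^[0-9]+$/) ? $1 : $2; exit }'
}

# root_wait_timeout [PS_OUTPUT]: the timeout (last argument) of wait-for-root,
# i.e. how long step 4 has to wait before the rescue shell appears.
root_wait_timeout() {
    ps_out=${1:-$(ps aux)}
    printf '%s\n' "$ps_out" | awk '/wait-for-root/ { print $NF; exit }'
}

# remote_unlock: steps 1-8. Step 5/6 is interactive (cryptroot prompts for the
# passphrase); step 8 ends this ssh session because "/" moves underneath it.
remote_unlock() {
    cryptpid=$(pid_of /scripts/local-top/cryptroot)
    [ -n "$cryptpid" ] || { echo "cryptroot is not running" >&2; return 1; }
    kill -9 "$cryptpid"                              # steps 1-2
    timeout=$(root_wait_timeout)                     # step 3
    sleep "$(( ${timeout:-30} + 5 ))"                # step 4, with a little slack
    /scripts/local-top/cryptroot                     # steps 5-6 (prompts here)
    shpid=$(pid_of "/bin/sh -i")                     # step 7
    [ -n "$shpid" ] || { echo "no rescue shell found" >&2; return 1; }
    kill -9 "$shpid"                                 # step 8: boot resumes
}
```

Call remote_unlock only from the dropbear session inside the initramfs; on a fully booted system the same process names do not exist and the function exits at the first check.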

If someone more knowledgeable than me with the inner workings of initramfs-tools and plymouth wants to comment on this article please feel free to. Since I don't even know if this is an Ubuntu vs upstream problem I haven't filed a proper bug report.

1 comment:

Vinh Nguyen said...

Thank you so much for documenting this. I can finally do remote unlocking. Thanks so much!!!