Securing My Server With Dropbear SSH

Having a small home server, I've always wanted to encrypt my files; however, I have never wanted to be locked out if I'm far away. Enter Dropbear SSH: a small, lightweight SSH server already packaged in Debian to work prior to decryption.

Install

sudo apt update && sudo apt install dropbear-initramfs

Note: initramfs will kick up an error after installing dropbear-initramfs. This is solved after adding your public key.

Add your ssh key

ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/dropbear.id_rsa
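# A plain ">" redirect is opened by your unprivileged shell, so write the file through sudo tee instead
sudo tee /etc/dropbear-initramfs/authorized_keys < ~/.ssh/dropbear.id_rsa.pub > /dev/null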

Changing the port

In /etc/dropbear-initramfs/config:

DROPBEAR_OPTIONS="-p 3000"

A little extra security

You can further secure dropbear by disabling forwarding and limiting it to only executing the cryptroot-unlock command.

Just add no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" to the authorized_keys file, in front of the SSH public key.

It should look something like this:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa A AQQQQQJJQQHx[...]
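
To check that every key in the file really carries these restrictions before rebuilding the initramfs, here is an added example (not part of the original post). The function name audit_authorized_keys and the sample key lines are made up for illustration, and option names are matched exactly as written above.

```sh
#!/bin/sh
# Added example (not from the original post). audit_authorized_keys is a
# hypothetical helper name; exact, case-sensitive option matching is an assumption.

# audit_authorized_keys FILE
# Prints one line per problem. Returns 0 only if every key carries all three
# no-*-forwarding options and the forced cryptroot-unlock command.
audit_authorized_keys() {
    awk '
    # Options field = text up to the first blank outside double quotes.
    function options_field(s,    i, c, inq) {
        inq = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (inq && c == "\\") { i++; continue }   # skip escaped character
            if (c == "\"") inq = !inq
            else if ((c == " " || c == "\t") && !inq) break
        }
        return substr(s, 1, i - 1)
    }
    BEGIN {
        n = split("no-port-forwarding no-agent-forwarding no-X11-forwarding", req, " ")
        req[++n] = "command=\"/bin/cryptroot-unlock\""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    {
        keys++
        sub(/^[ \t]+/, "")
        if ($0 ~ /^(ssh-|ecdsa-|sk-)/) {          # line starts with the key type
            printf "line %d: no options, key is unrestricted\n", NR; bad++; next
        }
        opts = "," options_field($0) ","
        for (i = 1; i <= n; i++)
            if (index(opts, "," req[i] ",") == 0) {
                printf "line %d: missing %s\n", NR, req[i]; bad++
            }
    }
    END {
        if (keys == 0) print "no keys found"
        exit (bad > 0 || keys == 0) ? 1 : 0
    }
    ' "$1"
}

# Constructed sample; AAAAEXAMPLE is placeholder text, not real key material.
sample=$(mktemp)
cat > "$sample" <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa AAAAEXAMPLE restricted
no-port-forwarding,command="/bin/cryptroot-unlock" ssh-rsa AAAAEXAMPLE partial
ssh-rsa AAAAEXAMPLE unrestricted
EOF
audit_authorized_keys "$sample" || echo "authorized_keys needs fixing"
rm -f "$sample"
```

On the real system you would point it at /etc/dropbear-initramfs/authorized_keys (with sudo if the file is not readable by your user).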

Finishing up

sudo update-initramfs -u

See the dropbear manpage for further details.
