Securing My Server With Dropbear SSH
Having a small home server, I've always wanted to encrypt my files; however, I have never wanted to be locked out if I'm far away. Enter Dropbear SSH: a small, lightweight SSH server already packaged in Debian to work prior to decryption.
Install
sudo apt update && sudo apt install dropbear-initramfs
Note: initramfs will kick up an error after installing dropbear-initramfs. This is solved after adding your public key.
Add your ssh key
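ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/dropbear.id_rsa
# "sudo cat ... > file" fails because the redirect runs as your user, so write the file with sudo tee
sudo tee /etc/dropbear-initramfs/authorized_keys < ~/.ssh/dropbear.id_rsa.pub > /dev/null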
Changing the port
/etc/dropbear-initramfs/config
DROPBEAR_OPTIONS="-p 3000"
A little extra security
You can further secure dropbear by disabling forwarding and limiting it to only executing the cryptroot-unlock command.
Just add no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" to the authorized_keys file, in front of the SSH public key.
It should look something like this:
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa A AQQQQQJJQQHx[...]
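The following is an added example, not part of the original post: two shell functions that prepend the restriction string above to a public key line and audit an authorized_keys file for entries that lack any of the four options. The function names are hypothetical and the key material used with them should be your own; source the file, then run audit_keys /etc/dropbear-initramfs/authorized_keys before update-initramfs.

```sh
# Added example (not from the original post); function names are hypothetical.
# OPTS is the option string shown in the post.
OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# restrict_key LINE: print the entry with OPTS in front of the key type.
# An entry that already starts with OPTS is printed unchanged. Anything that
# does not start with a key type is rejected so it gets reviewed by hand.
restrict_key() {
    case "$1" in
        "$OPTS "*) printf '%s\n' "$1" ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) printf '%s %s\n' "$OPTS" "$1" ;;
        *) return 1 ;;
    esac
}

# audit_keys FILE: print "N: missing <option>" for every key entry whose option
# field lacks one of the four restrictions. Exit status is 1 if anything is wrong.
audit_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            # The option field is everything before the key type token.
            if (!match($0, /(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9]+) /)) {
                printf "%d: no recognised key type\n", NR; bad = 1; next
            }
            opts = substr($0, 1, RSTART - 1)
            n = split("no-port-forwarding no-agent-forwarding no-X11-forwarding command=\"/bin/cryptroot-unlock\"", want, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, want[i]) == 0) {
                    printf "%d: missing %s\n", NR, want[i]; bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1"
}
```

A key that is listed without the forced command gets a full shell in the initramfs, so treat any line reported by audit_keys as something to fix before rebuilding.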
Finishing up
sudo update-initramfs -u