EMail Notification to Unlock LUKS encrypted disk via Dropbear SSH

2022-03-16T00:00:00+01:00

I'm running Proxmox VE Hosts with full encrypted disks and Dropbear SSH to unlock them remotely. I wanted to get notified when I have to login and enter the key, e.g. in case of an unexpected reboot.

My setup is based on the mailjet Free Tier (6000 Mails / Month, 200 Mails / Day) and some initramfs customizing to include curl, a few other required libraries and a simple script to send an API request, tested on PVE 7.1 / Debian 11 (bullseye)

I will enclose placeholder in < >, please replace them with appropriate values based on your Environment.

The hook script /etc/initramfs-tools/hooks/curl take care that curl, libnss_dns and a resolv.conf are included in the initramfs:

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /usr/bin/curl /bin

# Fix DNS resolver
cp -a /usr/lib/x86_64-linux-gnu/libnss_dns* $DESTDIR/usr/lib/x86_64-linux-gnu/
printf "nameserver <dns_server1_ipv4_address>\nnameserver <dns_server2_ipv4_address>\n" > $DESTDIR/etc/resolv.conf

The actual notification will be send by /etc/initramfs-tools/scripts/init-premount/notification through the mailjet API. You shouldn't have a problem to adjust it to use any other Service as long you can trigger a API via curl :)

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

. /scripts/functions

configure_networking

/bin/curl --insecure -s \
-X POST \
--user "<mailjet_api_user>:<mailjet_api_pass>" \
https://api.mailjet.com/v3.1/send \
-H 'Content-Type: application/json' \
-d '{
  "Messages":[
    {
      "From": {
        "Email": "<sender_email>",
        "Name": "<sender_name>"
      },
      "To": [
        {
          "Email": "<recipient_mail>",
          "Name": "<recipient_name>"
        },
        {
          "Email": "<recipient2_mail>",
          "Name": "Pushover"
        }
      ],
      "Subject": "Action required: Unlock <fqdn>!",
      "TextPart": "Server <fqdn> was restarted and need to be unlocked to proceed boot sequence.",
      "CustomID": "DropbearUnlockRequest"
    }
  ]
}'

I'm also using Pushover to receive notifications on my mobile, they offer mail2push, so I just added my personal pushover address as second recipient to get notified by Mail and Pushover.

Make both scripts executable:

chmod +x /etc/initramfs-tools/hooks/curl`
chmod +x /etc/initramfs-tools/scripts/init-premount/notification

Run update-initramfs -u and you are good to go, during the next reboot you should receive an Email Notification to enter your LUKS Key and unlock your disk.

The Wombelix Post - LUKS

EMail Notification to Unlock LUKS encrypted disk via Dropbear SSH