Preserving SSH host keys when re-installing Debian

This post describes a practical way to simplify keeping the old OpenSSH host keys when reinstalling servers running the Debian operating system or any of its derivatives, such as Ubuntu. This might, or might not, be a good idea depending on circumstances. My previous blog post multiple custom commands with Debian Installer is recommended reading.

Before starting the reinstallation, make a backup of the keys using tar:

cd /; umask 077; tar --verbose --create --file ssh_hostkeys.tar etc/ssh/*_key*

The idea here is that the server will have all of its disks wiped and lose each and every file it ever had, so the next step is to copy the archive to a secure location on some other suitable machine.

Include preserve-ssh_hostkeys.txt as quoted below, and make sure gnupg gets installed (the preseed line d-i pkgsel/include string gnupg should do the trick).

# Early command: fetch the helper script that asks for the port number and the
# passphrase and receives the encrypted archive as /tmp/ssh_hostkeys.tar.gpg.
d-i partman/numbered_early_command_50 string \
    wget https://www.netizen.se/debian/files/preserve_sshd_keys.sh; \
    chmod +x preserve_sshd_keys.sh; \
    ./preserve_sshd_keys.sh

# Late command: only if a port number was given (i.e. a transfer took place),
# decrypt the uploaded archive with the same passphrase and unpack it inside
# the installed system, which restores etc/ssh/*_key* under /target.
d-i preseed/numbered_late_command_50 string \
    N=`debconf-get preserve-sshkeys/port_number`; \
    P=`debconf-get preserve-sshkeys/passphrase`; \
    [ -z "$N" ] || cat /tmp/ssh_hostkeys.tar.gpg | \
    chroot /target/ /bin/sh -c "gpg --decrypt --passphrase '$P' --batch | \
    tar xof -"

If everything is set up correctly, a couple of debconf questions should pop up: the first asks for a port number on which to listen for the file transfer, and the second for the passphrase used to encrypt the backup file prior to transfer, as illustrated by the screenshots. It should be pretty self-explanatory. Because the key material is sensitive, the process requires this manual interaction at the start of the installation. Once the encrypted tar file has been uploaded, nothing prevents the rest of the installation from being fully automated with preseeding.

[Screenshots: the port number prompt and the passphrase prompt]

Please note how the preseed file downloads the shell script preserve_sshd_keys.sh from https://www.netizen.se/debian/files/. I have no plans to add backdoors, but you should be aware of the trust you put in me before using it like that.
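The backup and restore ends of the procedure above, as an added shell example that is not the post's own preserve_sshd_keys.sh (which handles the prompts, encryption and transfer and is not shown here): it archives constructed dummy key files the way the tar command does, unpacks them into a scratch target root the way the late command does, and then verifies content and permissions, which is the check you want before trusting the restored keys.

```shell
#!/bin/sh
# Added example, not the post's preserve_sshd_keys.sh: round-trip the host-key
# backup into a scratch target root and verify the restore. Assumes GNU tar,
# sha256sum and stat (as on Debian). The "keys" below are constructed dummy
# text, not real key material.
set -eu

# Create a fake source root holding files that match etc/ssh/*_key* (constructed).
make_fake_keys() {
    mkdir -p "$1/etc/ssh"
    for t in rsa ecdsa ed25519; do
        printf 'CONSTRUCTED PRIVATE KEY %s\n' "$t" > "$1/etc/ssh/ssh_host_${t}_key"
        printf 'CONSTRUCTED PUBLIC KEY %s\n' "$t" > "$1/etc/ssh/ssh_host_${t}_key.pub"
        chmod 600 "$1/etc/ssh/ssh_host_${t}_key"
        chmod 644 "$1/etc/ssh/ssh_host_${t}_key.pub"
    done
}

# The post's backup command, rooted at $1 instead of / and written to $2 (absolute path).
backup_keys() {
    (cd "$1" && umask 077 && tar --create --file "$2" etc/ssh/*_key*)
}

# The late command's "tar xof -", unpacking archive $1 (absolute path) into target
# root $2; the installer runs it as root, -p keeps archived modes for a non-root run.
restore_keys() {
    mkdir -p "$2"
    (cd "$2" && tar xopf - < "$1")
}

# Compare every key under $1/etc/ssh with its copy under $2: same content, and
# private keys 0600 / public keys 0644. Returns 1 on any missing or altered file.
verify_restore() {
    src=$1; dst=$2; rc=0
    for f in "$src"/etc/ssh/*_key*; do
        rel=${f#"$src"/}
        if [ ! -f "$dst/$rel" ]; then echo "missing: $rel"; rc=1; continue; fi
        a=$(sha256sum < "$f" | cut -d' ' -f1)
        b=$(sha256sum < "$dst/$rel" | cut -d' ' -f1)
        [ "$a" = "$b" ] || { echo "content differs: $rel"; rc=1; }
        case $rel in *.pub) want=644 ;; *) want=600 ;; esac
        mode=$(stat -c %a "$dst/$rel")
        [ "$mode" = "$want" ] || { echo "mode $mode, expected $want: $rel"; rc=1; }
    done
    return $rc
}
```

On a real host the same comparison is most conveniently done on fingerprints, running ssh-keygen -lf on each key before the wipe and again after the first boot.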


2020-05-03 21:54:37 +0000
Thoughts and feedback may be directed at me using the channel listed on my contact page.