Remotely unlock a LUKS-encrypted Linux server using Dropbear
Part of "New life for an old laptop as a Linux home server"
When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location?
Enter Dropbear. Install this tiny SSH server into the server's
initramfs, and use SSH keys to login from a client at boot and unlock.
Example: Server is running Debian 10 aka buster, hostname is
foobox, located at IP address
openssh-server, and I'm using a Linux client to connect.
1. On the server, install ...
$ sudo apt install dropbear-initramfs
This generates a warning message ...
dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!
Fix that in the next steps by creating a new
authorized_keys file and adding the client's SSH key.
2. Version of Dropbear packaged in Debian buster/stable does not support
ed25519 keys. Use
On the client, generate an SSH key for Dropbear ...
$ ssh-keygen -t rsa -f ~/.ssh/unlock_luks
Copy the newly-generated public key to server ...
$ scp ~/.ssh/unlock_luks.pub 192.168.0.50:~/
3. Login to server, add the public key to
$ ssh 192.168.0.50 $ sudo sh -c 'cat unlock_luks.pub >> /etc/dropbear-initramfs/authorized_keys'
DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"
-I 300# Disconnect the session if no traffic is transmitted or received for 300 seconds
-j# Disable local port forwarding
-k# Disable remote port forwarding
-p 2222# Listen on port 2222
-s# Disable password logins
192.168.0.50# Address; note the double colon
255.255.255.0# Subnet mask
Link: HOWTO Set Static IP on boot in initramfs for Dropbear
initramfs whenever making changes to
$ sudo update-initramfs -u
Login to server ...
$ ssh -i ~/.ssh/unlock_luks -p 2222 -o "HostKeyAlgorithms ssh-rsa" email@example.com
System continues bootup.
8. Create/set an alias for unlocking the server in
#: foobox - unlock server at boot Host unlock-foobox Hostname 192.168.0.50 User root Port 2222 IdentityFile ~/.ssh/unlock_luks HostKeyAlgorithms ssh-rsa
Then a simple ...
$ ssh unlock-foobox
... will do the trick!
» Later: Sync files across all computers using Syncthing
« Earlier: Create a multiboot USB installer with Ventoy