Remotely unlock a LUKS-encrypted Linux server using Dropbear

Last updated on 2021-06-08 Tagged under  # ssh  # network  # debian  # linux

Part of "New life for an old laptop as a Linux home server"

When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location?

Enter Dropbear. Install this tiny SSH server into the server's initramfs, and use SSH keys to login from a client at boot and unlock.

Let's go!

Example: Server is running Debian 10 aka buster, hostname is foobox, located at IP address 192.168.0.50, running openssh-server, and I'm using a Linux client to connect.

1. On the server, install ...

$ sudo apt install dropbear-initramfs

This generates a warning message ...

dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!

Fix that in the next steps by creating a new authorized_keys file and adding the client's SSH key.

2. Version of Dropbear packaged in Debian buster/stable does not support ed25519 keys. Use rsa.

On the client, generate an SSH key for Dropbear ...

$ ssh-keygen -t rsa -f ~/.ssh/unlock_luks

Copy the newly-generated public key to server ...

$ scp ~/.ssh/unlock_luks.pub 192.168.0.50:~/

3. Login to server, add the public key to /etc/dropbear-initramfs/authorized_keys ...

$ ssh 192.168.0.50
$ sudo sh -c 'cat unlock_luks.pub >> /etc/dropbear-initramfs/authorized_keys'

4. Edit /etc/dropbear-initramfs/config ...

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"

Dropbear options:

5. Edit /etc/initramfs-tools/initramfs.conf ...

IP=192.168.0.50::192.168.0.1:255.255.255.0:foobox

IP options:

Link: HOWTO Set Static IP on boot in initramfs for Dropbear

6. Update initramfs whenever making changes to /etc/dropbear-initramfs/config or /etc/initramfs-tools/initramfs.conf ...

$ sudo update-initramfs -u

7. Reboot.

Login to server ...

$ ssh -i ~/.ssh/unlock_luks -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@192.168.0.50

Unlock ...

# cryptroot-unlock

System continues bootup.

8. Create/set an alias for unlocking the server in ~/.ssh/config ...

#: foobox - unlock server at boot
Host unlock-foobox
    Hostname 192.168.0.50
    User root
    Port 2222
    IdentityFile ~/.ssh/unlock_luks
    HostKeyAlgorithms ssh-rsa

Then a simple ...

$ ssh unlock-foobox

... will do the trick!


» Later: Sync files across all computers using Syncthing

« Earlier: Create a multiboot USB installer with Ventoy