Remotely unlock a LUKS-encrypted Linux server using Dropbear

Last edited on 2023-08-03 Tagged under  #ssh   #network   #debian   #linux   #luks   #homeServer 

When I use LUKS to encrypt the root partition on my Linux server, I need to supply the crypt passphrase at boot to unlock the system for startup to continue and get to login. All well and good if I'm sitting in front of the machine with a keyboard and display. But what if it's a headless server? Or located in a remote location?

Enter Dropbear. Install this tiny SSH server into the server's initramfs, and use SSH keys to login from a client at boot and unlock.


  • Server is running Debian 12; hostname foobox
  • Server has the openssh-server package installed and configured
  • Access and unlock the server using a Linux client device

1. On the server: Install dropbear

$ sudo apt install dropbear-initramfs

This generates a warning message ...

dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!

Fix that in the next steps by creating a new authorized_keys file and adding the client's SSH key.

2. Keys

The version of Dropbear packaged in Debian does not support ed25519 keys. Use rsa.

2.1 On the client: Generate key

Generate an SSH key for Dropbear ...

$ ssh-keygen -t rsa -f ~/.ssh/unlock_luks

2.2 On the client: Upload key

Copy the newly-generated public key to the server ...

$ scp ~/.ssh/ foobox:~/

2.3 On the server: Add key

Login to server.

Add the public key to /etc/dropbear/initramfs/authorized_keys ...

$ sudo sh -c 'cat >> /etc/dropbear/initramfs/authorized_keys'

Change the file permissions ...

$ sudo chmod 600 /etc/dropbear/initramfs/authorized_keys

3. Dropbear.conf

Edit /etc/dropbear/initramfs/dropbear.conf ...

DROPBEAR_OPTIONS="-I 600 -j -k -p 2222 -s"

Dropbear options:

  • -I 600 # Disconnect the session if no traffic is transmitted or received for 600 seconds
  • -j # Disable local port forwarding
  • -k # Disable remote port forwarding
  • -p 2222 # Listen on port 2222
  • -s # Disable password logins

4. Initramfs.conf

Note: This setup is for making connections over wired ethernet. For wireless connections, see: Enable Wireless networks in Debian initramfs

Edit /etc/initramfs-tools/initramfs.conf. Example ...


IP options:

  • -- Server IP address; note the double colon
  • -- Gateway IP address
  • -- Subnet mask
  • foobox -- Server hostname

Note: If you have more than one network interface, append the desired interface name to the IP= line above (example: IP=...:foobox:eth02).

Update initramfs whenever making changes to /etc/dropbear-initramfs/config or /etc/initramfs-tools/initramfs.conf ...

$ sudo update-initramfs -u -k all

Link: HOWTO Set Static IP on boot in initramfs for Dropbear

5. Login

Reboot server, then:

  • Login via ssh
  • Enter the ssh key passphrase
  • At the prompt, run command cryptroot-unlock
  • Enter the LUKS passphrase to unlock encrypted root partition
$ ssh -i ~/.ssh/unlock_luks -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@
Enter passphrase for key '/home/foo/.ssh/unlock_luks': 
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.

BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cryptroot-unlock

System finishes the boot sequence.

6. Alias

Create an ssh alias for unlocking the server in the client's ~/.ssh/config ...

#: foobox - unlock server at boot
Host unlock-foobox
    User root
    Port 2222
    IdentityFile ~/.ssh/unlock_luks
    HostKeyAlgorithms ssh-rsa
    RequestTTY yes
    RemoteCommand cryptroot-unlock

Then a simple ssh unlock-foobox and entering the correct passphrases for the SSH key followed by the encrypted partition (example: sda3_crypt) will do the trick ...

$ ssh unlock-foobox
Please unlock disk sda3_crypt: 
cryptsetup: sda3_crypt set up successfully
Connection to closed.
Thanks for reading! Read other posts?

» Next: #25. Space CPU

« Previous: Create a multiboot Linux USB installer with Ventoy