2022-02-12
I just realized how easy it is to enter the disk encryption passphrase on a remote and/or headless server over SSH. There is a package called dropbear-initramfs
that does exactly what it sounds like: it embeds a Dropbear SSH server inside the initramfs, cool!
Install and configure
apt install dropbear-initramfs
Edit /etc/dropbear-initramfs/config
and use something like this:
DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"
-j and -k disable local and remote port forwarding, -p 2222 picks the listening port, -s disables password logins (keys only) and -c forces cryptroot-unlock as the only command a client can run, so the initramfs SSH server can do nothing but take the passphrase.
Place a public key in /etc/dropbear-initramfs/authorized_keys, regenerate the initramfs and you are done:
update-initramfs -u
Remember that the initramfs, authorized_keys and Dropbear's own host key included, sits in the unencrypted /boot, so this protects the data at rest but not against someone who can tamper with /boot.
Unlock
During boot the system waits for you to SSH in and type the passphrase; it is a normal SSH session, forced straight into cryptroot-unlock, like this (the initramfs Dropbear has its own host key, distinct from the main system's sshd, so expect a new fingerprint on the first connection and check it before typing anything):
$ ssh 10.0.0.10 -p 2222 -l root
Please unlock disk dm_crypt-0:
cryptsetup: dm_crypt-0 set up successfully
Connection to 10.0.0.10 closed.
Now everything boots normally!
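On the client side the window in which the initramfs SSH server answers is short, so here is a small retry wrapper for the unlock session above, added as an example rather than taken from the post. It relies on ssh exiting with status 255 for connection errors; the SSH_CMD override, the function name and the retry defaults are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: open the unlock session from
# the admin's machine after a reboot. Retries while the connection is
# refused (ssh exits 255 on connection-level failures) and stops as soon
# as a session completes. SSH_CMD is an assumption that lets the ssh
# binary be swapped out, e.g. for testing.
set -eu
SSH_CMD=${SSH_CMD:-ssh}

# remote_unlock HOST PORT [MAX_TRIES] [DELAY_SECONDS]
# Returns 0 once a session ran to completion, ssh's status if the session
# connected but failed (no blind retry on that), 1 if nothing ever answered.
remote_unlock() {
    host=$1; port=$2; tries=${3:-60}; delay=${4:-2}
    while [ "$tries" -gt 0 ]; do
        # -o ConnectTimeout bounds each attempt; the forced command on the
        # server side runs cryptroot-unlock, which prompts for the passphrase.
        if $SSH_CMD -o ConnectTimeout=5 -p "$port" -l root "$host"; then
            return 0
        else
            rc=$?
            # 255 is also what a host-key mismatch yields, so the loop will
            # eventually give up on that rather than bypass the check.
            [ "$rc" -eq 255 ] || return "$rc"
        fi
        tries=$((tries - 1))
        sleep "$delay"
    done
    echo "no initramfs SSH on $host:$port" >&2
    return 1
}

# Usage: remote-unlock.sh HOST PORT [MAX_TRIES] [DELAY_SECONDS]
if [ "$#" -ge 2 ]; then
    remote_unlock "$@"
fi
```

Typical use right after issuing a reboot: `./remote-unlock.sh 10.0.0.10 2222`, which keeps knocking every two seconds for up to two minutes and then drops you into the "Please unlock disk" prompt shown above.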