2022-02-12
I just realized how easy it is to unlock the disk encryption password on a remote and/or headless server via SSH. There is a package called dropbear-initramfs that does exactly what is sounds like, it embeds a dropbear SSH server inside initramfs, cool!
Install and configure
apt install dropbear-initramfs
Edit /etc/dropbear-initramfs/config and use something like this:
DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"
Place a public key in /etc/dropbear-initramfs/authorized_keys, regenerate the initramfs and you are done!
update-initramfs -u
Unlock
During boot the system will wait for you to SSH in and provide the key, it's a normal SSH session like this:
$ ssh 10.0.0.10 -p 2222 -l root
Please unlock disk dm_crypt-0:
cryptsetup: dm_crypt-0 set up successfully
Connection to 10.0.0.10 closed.
Now everything boots normally!