
nsg's blog

Unlock LUKS encrypted disk over SSH

2022-02-12

I just realized how easy it is to enter the disk encryption passphrase for a remote and/or headless server over SSH. There is a package called dropbear-initramfs that does exactly what it sounds like: it embeds a Dropbear SSH server inside the initramfs, so you can log in before the root filesystem has been unlocked. Cool!

Install and configure

apt install dropbear-initramfs

Edit /etc/dropbear-initramfs/config (newer Debian releases moved it to /etc/dropbear/initramfs/dropbear.conf) and use something like this:

DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"

Here -j and -k disable local and remote port forwarding, -p 2222 keeps the initramfs SSH server off the port the real sshd will use later, -s disables password logins, and -c forces every session to run cryptroot-unlock instead of a shell, so the key can do nothing but unlock the disk.

Place a public key in /etc/dropbear-initramfs/authorized_keys (next to the config file), regenerate the initramfs and you are done! The initramfs also has to bring up networking before anyone can connect: initramfs-tools does that at boot, by DHCP by default or from an ip= kernel parameter for a static address.

update-initramfs -u
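The install steps above as one script, added here as an example and not part of the original post. It follows the post's paths (/etc/dropbear-initramfs/, port 2222, /usr/bin/cryptroot-unlock); the functions take the directory as a parameter so they can be exercised against a scratch directory without root, and the verification step checks that the rebuilt image really carries dropbear and the key before you reboot into it. The script name, key and any paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: scripted server-side setup for
# dropbear-initramfs. Assumes Debian-style paths as used in the post.
set -eu

# Same options as in the post: no local/remote port forwarding (-j -k),
# a port that does not clash with the real sshd (-p), no password logins
# (-s), and cryptroot-unlock as the forced command (-c).
write_dropbear_config() {
    dir=$1; port=$2
    mkdir -p "$dir"
    printf 'DROPBEAR_OPTIONS="-j -k -p %s -s -c /usr/bin/cryptroot-unlock"\n' "$port" > "$dir/config"
}

# Install exactly one public key, refusing anything that is not an OpenSSH
# public key line, and keep the file private (mode 0600).
install_authorized_key() {
    dir=$1; pubkey=$2
    case $pubkey in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "refusing to install non-key line: $pubkey" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    (umask 077; printf '%s\n' "$pubkey" > "$dir/authorized_keys")
    chmod 0600 "$dir/authorized_keys"
}

# After update-initramfs, confirm the image contains dropbear, the key and
# the unlock helper; a hook that did not run leaves you locked out at boot.
verify_initramfs() {
    img=$1
    for needle in dropbear authorized_keys cryptroot-unlock; do
        lsinitramfs "$img" | grep -q "$needle" || {
            echo "$needle not found in $img" >&2
            return 1
        }
    done
}

# Full procedure, run as root (hypothetical invocation):
#   ./setup-dropbear.sh --install 'ssh-ed25519 AAAA... user@host'
if [ "${1:-}" = "--install" ]; then
    apt-get install -y dropbear-initramfs
    write_dropbear_config /etc/dropbear-initramfs 2222
    install_authorized_key /etc/dropbear-initramfs "${2:?public key line required}"
    update-initramfs -u
    verify_initramfs "/boot/initrd.img-$(uname -r)"
fi
```

The verification step is the part worth keeping even if you do the rest by hand: lsinitramfs is cheap, and a key that did not make it into the image is only discovered at the next reboot, from a console you may not have.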

Unlock

During boot the system waits for you to SSH in and type the passphrase. It is a normal SSH session, except that the forced command runs cryptroot-unlock instead of a shell and closes the connection as soon as the volume is set up:

$ ssh 10.0.0.10 -p 2222 -l root
Please unlock disk dm_crypt-0: 
cryptsetup: dm_crypt-0 set up successfully
Connection to 10.0.0.10 closed.

Now everything boots normally!
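A client-side helper for the unlock session above, added here as an example and not part of the original post. Two things the one-liner in the post leaves to the operator: the initramfs Dropbear has its own host key, distinct from the installed system's OpenSSH key on the same address (the non-default port already keeps the two known_hosts entries apart; a dedicated known_hosts file makes that explicit without ever disabling host key checking), and the server may not be listening yet when you start, so the connection is retried until Dropbear answers. Host, port, key path and known_hosts file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: client-side unlock helper for
# the setup above (dropbear on port 2222, user root, forced command
# cryptroot-unlock). Assumed defaults are in the invocation at the bottom.
set -eu

# Assemble the ssh options once so they can be reviewed (and tested) in
# isolation. IdentitiesOnly stops ssh from offering every key in the agent;
# accept-new pins the initramfs host key on first contact.
unlock_args() {
    host=$1; port=$2; key=$3; known_hosts=$4
    printf '%s' "-p $port -l root -i $key -o IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 $host"
}

# Retry while the server is still booting. ssh exits 255 when it could not
# connect at all; any other non-zero status came from cryptroot-unlock on
# the other side, so give up rather than loop on a real failure.
unlock_remote() {
    host=$1; port=$2; key=$3; known_hosts=$4; tries=${5:-30}
    n=0
    while [ "$n" -lt "$tries" ]; do
        # shellcheck disable=SC2046  # word splitting of the options is intended
        ssh $(unlock_args "$host" "$port" "$key" "$known_hosts") && return 0
        rc=$?
        [ "$rc" -eq 255 ] || return "$rc"
        n=$((n + 1))
        sleep 5
    done
    echo "no answer from $host:$port after $tries attempts" >&2
    return 1
}

# Hypothetical invocation: ./unlock.sh 10.0.0.10 [port] [key] [known_hosts]
if [ $# -ge 1 ]; then
    unlock_remote "$1" "${2:-2222}" "${3:-$HOME/.ssh/id_ed25519}" \
        "${4:-$HOME/.ssh/known_hosts.initramfs}"
fi
```

The passphrase is still typed interactively at the cryptroot-unlock prompt; the script only handles getting a trustworthy connection to that prompt.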

Please note that this is an old post from the year 2022 and the information may be outdated. All these 101 words are written by Stefan Berggren; feel free to contact me if you like.