nsg's blog

Unlock LUKS encrypted disk over SSH


I just realized how easy it is to unlock disk encryption on a remote and/or headless server via SSH. There is a package called dropbear-initramfs that does exactly what it sounds like: it embeds a dropbear SSH server inside the initramfs, cool!

Install and configure

apt install dropbear-initramfs

Edit /etc/dropbear-initramfs/config and use something like this:

DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"

Place a public key in /etc/dropbear-initramfs/authorized_keys, regenerate the initramfs and you are done!

update-initramfs -u
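Before rebooting a headless box it is worth checking that the files above actually say what you think, since a typo in the config means no remote prompt and a trip to the console. The script below is an added example, not part of the original post or of the dropbear-initramfs package: it parses /etc/dropbear-initramfs/config (the directory argument exists only so it can be pointed at a copy), confirms the hardening flags from the post are present (-s, -j, -k and the forced cryptroot-unlock command), and confirms there is at least one public key in authorized_keys.

```shell
#!/bin/sh
# Pre-flight check for a dropbear-initramfs remote-unlock setup.
# Added example, not from the original post. Assumes the layout used in the
# post: DIR/config holding DROPBEAR_OPTIONS and DIR/authorized_keys next to it.

# has_opt OPTS FLAG -> 0 if FLAG appears as its own word in OPTS
has_opt() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# check_dropbear_config [DIR] -> 0 if config and authorized_keys look sane,
# 1 otherwise, printing one line per problem found
check_dropbear_config() {
    dir=${1:-/etc/dropbear-initramfs}
    cfg="$dir/config"
    keys="$dir/authorized_keys"
    rc=0

    [ -r "$cfg" ] || { echo "missing $cfg"; return 1; }

    # Take the last DROPBEAR_OPTIONS= line, drop surrounding quotes.
    opts=$(sed -n 's/^[[:space:]]*DROPBEAR_OPTIONS=//p' "$cfg" | tail -n 1 | tr -d "\"'")

    has_opt "$opts" -s || { echo "config: add -s (disable password logins)"; rc=1; }
    has_opt "$opts" -j || { echo "config: add -j (no local port forwarding)"; rc=1; }
    has_opt "$opts" -k || { echo "config: add -k (no remote port forwarding)"; rc=1; }
    case " $opts " in
        *" -c /usr/bin/cryptroot-unlock "*) ;;
        *) echo "config: add -c /usr/bin/cryptroot-unlock (forced command)"; rc=1 ;;
    esac

    # The initramfs dropbear has its own host key; on port 22 it would clash
    # with the normal sshd entry in known_hosts, so a separate port is wise.
    port=$(printf '%s\n' "$opts" | sed -n 's/.*-p \([0-9]*\).*/\1/p')
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "note: dropbear would listen on 22, sharing the port with sshd's host key in known_hosts"
    fi

    if [ ! -s "$keys" ]; then
        echo "$keys is missing or empty: nobody could unlock remotely"; rc=1
    elif ! grep -Eq '^(ssh-|ecdsa-|sk-)' "$keys"; then
        echo "$keys contains no ssh public key line"; rc=1
    fi
    return $rc
}

# Usage on the server, as root, before the reboot:
#   . ./dropbear-check.sh && check_dropbear_config && update-initramfs -u
```

A passing check only says the inputs are right; after `update-initramfs -u` you can still list the generated image with `lsinitramfs` to confirm the dropbear binary and the key file were picked up.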


During boot the system will wait for you to SSH in and enter the passphrase; it's a normal SSH session like this:

$ ssh -p 2222 -l root
Please unlock disk dm_crypt-0: 
cryptsetup: dm_crypt-0 set up successfully
Connection to closed.

Now everything boots normally!

Pages that link here are Encrypted ZFS and they may be relevant. All these 144 words are written by Stefan Berggren, feel free to contact me if you like.