I just realized how easy it is to unlock an encrypted disk on a remote and/or headless server via SSH. There is a package called dropbear-initramfs that does exactly what it sounds like: it embeds a dropbear SSH server inside the initramfs. Cool!
Install and configure
apt install dropbear-initramfs
Edit /etc/dropbear-initramfs/config and use something like this:
DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"
Place a public key in /etc/dropbear-initramfs/authorized_keys, regenerate the initramfs and you are done!
During boot the system will wait for you to SSH in and provide the key. It's a normal SSH session, like this:
$ ssh 10.0.0.10 -p 2222 -l root
Please unlock disk dm_crypt-0:
cryptsetup: dm_crypt-0 set up successfully
Connection to 10.0.0.10 closed.
Now everything boots normally!
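The flags in the DROPBEAR_OPTIONS line above are what keep this pre-boot SSH server narrow: -s disables password logins, -j and -k disable local and remote port forwarding, and -c forces every session into cryptroot-unlock instead of a shell. As an added example (not from the original post), this shell function audits a config file for those flags; the function name and the finding messages are made up for illustration.

```sh
# Added example (not from the original post): audit the DROPBEAR_OPTIONS line of
# a dropbear-initramfs config. Prints one finding per line, exits 0 if none.
audit_dropbear_config() (
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; exit 2; }
    # The config is a shell fragment of VAR=value lines, so source it to read
    # the value; only point this at a root-owned file you trust.
    . "$file" >/dev/null 2>&1
    # Split the string into words the way an unquoted shell expansion would.
    set -f; set -- $DROPBEAR_OPTIONS; set +f
    no_pw=0 no_lfwd=0 no_rfwd=0 forced=""
    OPTIND=1
    # Letters followed by ':' take an argument (per dropbear(8); check your version).
    while getopts ':jksc:p:b:r:P:T:W:K:I:G:' opt; do
        case $opt in
            s) no_pw=1 ;;
            j) no_lfwd=1 ;;
            k) no_rfwd=1 ;;
            c) forced=$OPTARG ;;
        esac
    done
    rc=0
    [ "$no_pw" = 1 ]   || { echo "missing -s: password logins not disabled"; rc=1; }
    [ "$no_lfwd" = 1 ] || { echo "missing -j: local port forwarding allowed"; rc=1; }
    [ "$no_rfwd" = 1 ] || { echo "missing -k: remote port forwarding allowed"; rc=1; }
    case $forced in
        */cryptroot-unlock) ;;
        "") echo "missing -c: key holder gets an initramfs shell"; rc=1 ;;
        *)  echo "unexpected forced command: $forced"; rc=1 ;;
    esac
    exit "$rc"
)

# Constructed sample: the options line from the post, written to a temp file.
sample=$(mktemp)
echo 'DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"' > "$sample"
audit_dropbear_config "$sample" && echo "options OK"
rm -f "$sample"
```

Run it against /etc/dropbear-initramfs/config before regenerating the initramfs (on Debian-based systems, update-initramfs -u), since the options only take effect once they are baked into the new image.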