Unlock LUKS encrypted disk over SSH

I just realized how easy it is to unlock an encrypted disk on a remote and/or headless server via SSH. There is a package called dropbear-initramfs that does exactly what it sounds like: it embeds a dropbear SSH server inside the initramfs. Cool!

Install and configure

apt install dropbear-initramfs

Edit /etc/dropbear-initramfs/config and use something like this:

DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"

Place a public key in /etc/dropbear-initramfs/authorized_keys, regenerate the initramfs and you are done!

update-initramfs -u
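
A check worth running before regenerating the initramfs, as an added example that is not part of the original post: it verifies that DROPBEAR_OPTIONS keeps the hardening flags used above and that a public key is actually present. The function names and the sample key are made up for illustration; the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit a dropbear-initramfs setup before rebuilding the initramfs.
# Flags per dropbear(8): -s no password logins, -j / -k no local / remote port
# forwarding, -c forced command. Assumes flags are written separately, as on this page.

# Print the value of the last DROPBEAR_OPTIONS= line in config file $1.
dropbear_opts() {
    grep -E '^[[:space:]]*DROPBEAR_OPTIONS=' "$1" 2>/dev/null |
        tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# audit_dropbear CONFIG AUTHORIZED_KEYS: print findings, return their count.
audit_dropbear() {
    cfg=$1; keys=$2; findings=0
    opts=$(dropbear_opts "$cfg")
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "FINDING: DROPBEAR_OPTIONS lacks $flag"; findings=$((findings + 1)) ;;
        esac
    done
    # Without a forced command the key holder gets an initramfs root shell.
    case " $opts " in
        *" -c "*cryptroot-unlock*) ;;
        *) echo "FINDING: no forced cryptroot-unlock command (-c)"; findings=$((findings + 1)) ;;
    esac
    # With -s set, a missing key means nobody can log in to unlock the disk.
    if ! grep -v '^[[:space:]]*#' "$keys" 2>/dev/null |
            grep -Eq 'ssh-rsa|ssh-ed25519|ecdsa-sha2-'; then
        echo "FINDING: no public key in $keys"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: the config line from this page and a placeholder key.
tmp=$(mktemp -d)
printf '%s\n' 'DROPBEAR_OPTIONS="-j -k -p 2222 -s -c /usr/bin/cryptroot-unlock"' > "$tmp/config"
printf '%s\n' 'ssh-ed25519 AAAAPLACEHOLDERKEY admin@example' > "$tmp/authorized_keys"
audit_dropbear "$tmp/config" "$tmp/authorized_keys" && echo "OK: no findings"
rm -rf "$tmp"
```

On a real host, call `audit_dropbear /etc/dropbear-initramfs/config /etc/dropbear-initramfs/authorized_keys` and rebuild only when it reports no findings.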

Unlock

During boot the system will wait for you to SSH in and provide the key. It’s a normal SSH session like this:

$ ssh 10.0.0.10 -p 2222 -l root
Please unlock disk dm_crypt-0: 
cryptsetup: dm_crypt-0 set up successfully
Connection to 10.0.0.10 closed.

Now everything boots normally!