Remotely unlocking LUKS encrypted headless system

Define a fixed IP address for the initramfs in /etc/initramfs-tools/initramfs.conf; otherwise the kernel will try to get an address via DHCP (eth0 has to be replaced by the actual interface name, which on Debian Stretch looks like enp3s0):

Install dropbear, which is automatically added to the initramfs and triggers a rebuild of the initramfs image:

apt-get install dropbear
  • For Debian Stretch/Buster this ends with the following warning: dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work! The reason is that dropbear no longer generates a default key. Thus, copy your own public key into /etc/dropbear-initramfs/authorized_keys and run update-initramfs -u, which should no longer show the warning. Afterwards copy the matching private key to a client machine. To resolve the host-key-mismatch warnings (the dropbear in the initramfs has a different host key from the system's sshd), let dropbear listen on a different port by setting DROPBEAR_OPTIONS to "-p 2222 -s -j -k -I 30" in /etc/dropbear-initramfs/config: -s disables password logins, -j and -k disable local and remote port forwarding, and -I 30 sets a 30-second inactivity timeout. Additionally, set IFDOWN=none so the network configuration is kept when the initramfs hands over to the real system. This later lets opensmtpd start cleanly on boot (otherwise it complains about not finding its network device to listen on). Run update-initramfs -u to activate these settings for the next reboot.
  • For Debian Jessie, copy the newly generated /etc/initramfs-tools/root/.ssh/id_rsa to a client machine.

Add the following to the client's ~/.ssh/config to avoid host-key-mismatch errors caused by existing known_hosts entries:

Host debian_unlock
  User root
  # or whatever port dropbear was configured to listen on (e.g. 2222)
  Port 22
  IdentityFile path/to/previously/copied/private_key

To unlock the drives on boot-up, ssh into the system using the alias above (ssh debian_unlock). ps will print the needed cryptsetup command:

# ps
124 root /sbin/dropbear
133 root {cryptroot} /bin/sh /scripts/local-top/cryptroot
138 root /lib/cryptsetup/askpass Please unlock disk sda5_crypt:
139 root /sbin/cryptsetup -T 1 open --type luks /dev/disk/by-uuid/715ac060-2efc-491a-9c96-6898e18c01bd sda5_crypt --key-file=-

Copy and run the cryptsetup command; it will ask for your passphrase and unlock the drive.

Debian Jessie: The askpass process still blocks the boot (it is asking on the boot console, which nobody sees), so kill -9 that process to let the boot continue.

Debian Buster: Run cryptroot-unlock only; it asks for the passphrase and continues booting afterwards.
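The manual Jessie procedure above (read ps, run the cryptsetup line, kill askpass) and the Buster cryptroot-unlock shortcut, as an added client-side shell helper that is not part of the original page. It assumes the Host alias debian_unlock from the config above and the busybox shell of the initramfs on the remote side; the sample ps output is constructed to mirror the listing above.

```shell
#!/bin/sh
# Constructed sample of the ps output seen in the dropbear initramfs shell,
# mirroring the listing above (used only for the self-test).
SAMPLE_PS='124 root /sbin/dropbear
133 root {cryptroot} /bin/sh /scripts/local-top/cryptroot
138 root /lib/cryptsetup/askpass Please unlock disk sda5_crypt:
139 root /sbin/cryptsetup -T 1 open --type luks /dev/disk/by-uuid/715ac060-2efc-491a-9c96-6898e18c01bd sda5_crypt --key-file=-'

# Extract the cryptsetup command line (PID and user columns dropped) from ps output on stdin.
cryptsetup_cmd_from_ps() {
    awk '$3 ~ /\/cryptsetup$/ { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Extract the PID of the askpass process that blocks the console boot.
askpass_pid_from_ps() {
    awk '$3 ~ /\/askpass$/ { print $1; exit }'
}

# Jessie: feed the passphrase to the remote cryptsetup, then kill askpass so boot continues.
# With --key-file=- cryptsetup keeps a trailing newline as part of the key, so the
# passphrase is sent with printf '%s' (no newline), exactly as askpass does.
remote_unlock_jessie() {
    host="${1:-debian_unlock}"            # assumed Host alias from ~/.ssh/config
    ps_out=$(ssh "$host" ps) || return 1
    cmd=$(printf '%s\n' "$ps_out" | cryptsetup_cmd_from_ps)
    pid=$(printf '%s\n' "$ps_out" | askpass_pid_from_ps)
    if [ -z "$cmd" ] || [ -z "$pid" ]; then
        echo "cryptroot is not waiting for a passphrase on $host" >&2
        return 1
    fi
    stty -echo; printf 'Passphrase for %s: ' "$host"; read -r pass; stty echo; echo
    printf '%s' "$pass" | ssh "$host" "$cmd" && ssh "$host" "kill -9 $pid"
}

# Buster: cryptroot-unlock does the prompting and resumes the boot by itself.
remote_unlock_buster() {
    ssh -t "${1:-debian_unlock}" cryptroot-unlock
}
```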