Unlock a LUKS partition via SSH


Unlock LUKS Partition with SSH

The instructions below let you boot your SERVER by connecting from your CLIENT over SSH and unlocking the encrypted partition remotely:

WARNING: Typing your disk passphrase over the network is only as secure as the SSH connection, and that is only secure as long as you are completely certain that the initramfs has not been tampered with, i.e. that no MITM attack is taking place while you type the passphrase.

1. Install mandatory packages (on SERVER)

apt-get install dropbear initramfs-tools busybox

Check that Dropbear has been disabled in /etc/default/dropbear (it only needs to run inside the initramfs, not on the booted system)


2. Append your desired public keys into the SERVER's authorized_keys file

Just copy and paste your public key(s) into /etc/dropbear-initramfs/authorized_keys on SERVER

3. Create the unlock script

Create the following script as /etc/initramfs-tools/hooks/crypt_unlock.sh

#!/bin/sh

PREREQ="dropbear"

prereqs() {
  echo "$PREREQ"
}

case "$1" in
  prereqs)
    prereqs
    exit 0
    ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
# run the normal cryptroot script with the plymouth stub first in PATH, so the prompt lands on this session
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
# following lines will be executed after the passphrase has been correctly entered
# kill the remote shell
kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
exit 0
fi
exit 1
EOF
  chmod 755 "${DESTDIR}/bin/unlock"

  mkdir -p "${DESTDIR}/lib/unlock"
cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
# plymouth stub: report "not running" on --ping so cryptroot asks for the passphrase on stdin
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
  chmod 755 "${DESTDIR}/lib/unlock/plymouth"

  echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
fi

Make it executable:

chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh

Create the cleanup script as /etc/initramfs-tools/scripts/init-bottom/cleanup.sh:

#!/bin/sh
# init-bottom: the root filesystem is mounted now, so the initramfs Dropbear is no longer needed
case "$1" in prereqs) echo ""; exit 0 ;; esac
echo "Killing dropbear"
killall dropbear
exit 0

...and make it executable:

chmod +x /etc/initramfs-tools/scripts/init-bottom/cleanup.sh

4. Configure a static IP (or skip this step to use DHCP)

Edit /etc/initramfs-tools/initramfs.conf to add (or change) the line:



([hostname] can be omitted)

On newer systems eth0 is renamed to enp0s3 (or something similar). Check the actual interface name with ls /sys/class/net

5. Update initramfs

WARNING: Be careful if you edited /boot/grub/grub.cfg directly, since the command below will overwrite it and you may end up with a broken boot sequence. See the important note.

update-initramfs -u

6. Test

  1. Reboot your server
  2. Connect to your server via ssh root@ [-i ~/.ssh/id_rsa]
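The warning at the top of this page is about the initramfs Dropbear being replaced before you type your passphrase. Added client-side example (not code from this README): the initramfs host key is pinned once in a dedicated known_hosts file, a changed key is refused rather than overwritten, and the step 6 connection is built so that only that pin is trusted. It assumes the public key line comes from dropbearkey -y -f /etc/dropbear-initramfs/dropbear_ecdsa_host_key on the SERVER (key file name assumed) and is copied over a trusted channel such as the console.

```shell
#!/bin/sh
# Added example, not part of the original README. Pins the initramfs Dropbear
# host key on the CLIENT so that a substituted initramfs (or a MITM on the
# path) is detected before any LUKS passphrase is typed. The key file path
# /etc/dropbear-initramfs/dropbear_ecdsa_host_key used to obtain the public
# key line is an assumption.

# Turn a "keytype base64 comment" public key line into a known_hosts entry.
# OpenSSH looks up "[host]:port" for non-default ports but the bare host for 22.
initramfs_known_hosts_line() {
    host="$1"; port="$2"; pubkey_line="$3"
    keytype=$(printf '%s\n' "$pubkey_line" | awk '{print $1}')
    keydata=$(printf '%s\n' "$pubkey_line" | awk '{print $2}')
    [ -n "$keytype" ] && [ -n "$keydata" ] || return 1
    if [ "$port" = "22" ]; then hostfield="$host"; else hostfield="[$host]:$port"; fi
    printf '%s %s %s\n' "$hostfield" "$keytype" "$keydata"
}

# Record the pin in a dedicated known_hosts file. An existing pin is never
# replaced: a different key for the same host means the initramfs changed
# (rebuild or tampering) and must be investigated first.
# Returns 0 when pinned (or already pinned), 1 on bad input, 2 on key mismatch.
pin_initramfs_host_key() {
    khfile="$1"; host="$2"; port="$3"; pubkey_line="$4"
    line=$(initramfs_known_hosts_line "$host" "$port" "$pubkey_line") || return 1
    hostfield="${line%% *}"
    if [ -f "$khfile" ] && awk -v h="$hostfield" '$1 == h { f = 1 } END { exit !f }' "$khfile"; then
        grep -qxF "$line" "$khfile" && return 0
        return 2
    fi
    printf '%s\n' "$line" >> "$khfile"
    chmod 600 "$khfile"
}

# Build the step 6 command: only the pinned file is consulted, a mismatch
# aborts instead of prompting, -t allocates a tty for the passphrase prompt,
# and "unlock" (installed by the hook above) is run directly.
unlock_command() {
    khfile="$1"; host="$2"; port="$3"; identity="$4"
    printf 'ssh -t -p %s -i %s -o UserKnownHostsFile=%s -o GlobalKnownHostsFile=/dev/null -o StrictHostKeyChecking=yes root@%s unlock' \
        "$port" "$identity" "$khfile" "$host"
}
```

Because the initramfs key differs from the booted system's OpenSSH host key on the same address, keeping it in its own file also avoids the "host key changed" warning flapping between the two.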

Advanced configuration

Create a Reverse Tunnel

You may want your SERVER to connect to your Link Up Server over SSH and create a reverse tunnel to its own SSH server, so that you can reach your SERVER through the Link Up Server; this eliminates the need for firewall port forwarding in the process above.

(see reverse-tunnel-setup.md)

Run Dropbear on additional ports

(based on https://askubuntu.com/a/840067/371730)

  1. Define extra ports:

    --- /usr/share/initramfs-tools/scripts/init-premount/dropbear	2018-09-22 01:55:50.963967412 +0300
    +++ /usr/share/initramfs-tools/scripts/init-premount/dropbear	2018-09-22 01:56:04.091945164 +0300
    @@ -26,7 +26,7 @@
    -    exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs
    +    exec /sbin/dropbear $DROPBEAR_OPTIONS -Fs -p 22 -p 80
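  Review bot: the exec line already expands $DROPBEAR_OPTIONS, so the extra `-p 22 -p 80` belongs in whatever sets that variable rather than in /usr/share/initramfs-tools/scripts/init-premount/dropbear itself, which is a packaged file: the next dropbear upgrade replaces it and the additional listener silently disappears. If the file is patched anyway, the step should say to re-check it after every upgrade before running update-initramfs -u.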
  2. Update initramfs:

    update-initramfs -u