Remote unlocking LUKS encrypted LVM

Install dropbear on server

sudo apt-get install dropbear

Generate an SSH key pair on the client system (the one which will be used to unlock the remote machine)

Stop dropbear from starting on normal boot on Server

sudo update-rc.d -f dropbear remove

Auto start dropbear

sudo sed -i -e 's/NO_START=0/NO_START=1/' /etc/default/dropbear

Remove the keys it created

sudo rm /etc/initramfs-tools/root/.ssh/id_rsa.*
sudo rm -f /etc/dropbear/dropbear_{rsa,dss,ecdsa}_host_key

Copy back the host key back to initramfs so ssh clients are not confused

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key

Remove the OpenSSH ECDSA key

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/initramfs-tools/etc/dropbear/dropbear_ecdsa_host_key
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key

Insert your SSH public key (.pub) into the remote machine’s /etc/dropbear/root_key

ssh-copy-id username@remote-server -p port

Execute the following command on the remote system

sudo cat /home/username/.ssh/authorized_keys > /etc/dropbear/root_key

Allow user’s ssh key to ssh into boot

sudo cp ~/.ssh/authorized_keys /etc/initramfs-tools/root/.ssh/

Create the unlock script

sudo nano /etc/initramfs-tools/hooks/


prereqs() {
echo "$PREREQ"
case "$1" in
exit 0
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
cat > "${DESTDIR}/bin/unlock" << EOF #!/bin/sh if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` # following line kill the remote shell right after the passphrase has # been entered. kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` exit 0 fi exit 1 EOF chmod 755 "${DESTDIR}/bin/unlock" mkdir -p "${DESTDIR}/lib/unlock" cat > "${DESTDIR}/lib/unlock/plymouth" << EOF #!/bin/sh [ "\$1" == "--ping" ] && exit 1 /bin/plymouth "\$@" EOF chmod 755 "${DESTDIR}/lib/unlock/plymouth" echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
sudo chmod +x /etc/initramfs-tools/hooks/

Update the initramfs boot partition

sudo update-initramfs -u

Set a Static IP on boot

sudo nano /etc/default/grub

Edit this line

sudo update-grub

Connect to remote server

ssh root@server_ip



You will be disconnected and you have to login back using your original ssh service.


Categories: Debian, Encryption, Security Tags: , , ,
%d bloggers like this: