TechSomething

Debian 9 and 10: unlock LUKS root at boot via SSH

based on: https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/

apt-get install -y dropbear-initramfs cryptsetup-initramfs lvm2

add your SSH public keys to: /etc/dropbear-initramfs/authorized_keys

nano /etc/dropbear-initramfs/authorized_keys

add your network interface config to: /etc/initramfs-tools/initramfs.conf

nano /etc/initramfs-tools/initramfs.conf
DEVICE=eth0
IP=192.168.0.10::192.168.0.1:255.255.255.0:your-hostname:eth0:off

to automatically run the unlock script when you log in to dropbear, add this line to the file:
(source: https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/)

nano /etc/dropbear-initramfs/config
DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"

and finally update initramfs:

update-initramfs -k all -u
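Before running update-initramfs it is worth checking that the two files edited above say what you think they say. The script below is an added example, not part of this guide or of dropbear-initramfs; the function names are mine, and the sample files it writes are constructed from the values used above.

```shell
#!/bin/sh
# Added example, not part of the original guide or of dropbear-initramfs:
# pre-flight checks for the two files edited above. Paths are parameters, so
# the checks work on the real files or on the constructed samples below.
# IP= uses the kernel ip= syntax: client:server:gateway:netmask:hostname:device:autoconf
# A static setup needs client, netmask and device, with autoconf "off" so
# the initramfs does not wait for DHCP while the root is still locked.
check_ip_line() {
    value=$(sed -n 's/^IP=//p' "$1" | head -n 1)
    [ -n "$value" ] || { echo "IP= not set in $1"; return 1; }
    old_ifs=$IFS; IFS=:; set -- $value; IFS=$old_ifs
    [ -n "$1" ] || { echo "IP=: client address is empty"; return 1; }
    [ -n "$4" ] || { echo "IP=: netmask is empty"; return 1; }
    [ -n "$6" ] || { echo "IP=: device is empty"; return 1; }
    case "${7:-off}" in off|none) ;; *) echo "IP=: autoconf is '$7', expected off"; return 1 ;; esac
    echo "ok"
}
# DROPBEAR_OPTIONS must keep -s (no password logins), -j and -k (no port
# forwarding) and force cryptroot-unlock with -c, so the SSH session cannot
# be used as a general shell. Flags may be bundled, as in -RFEsjk.
check_dropbear_options() {
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' "$1" | head -n 1)
    [ -n "$opts" ] || { echo "DROPBEAR_OPTIONS not set in $1"; return 1; }
    letters=""; cmd=""; expect_cmd=""
    for tok in $opts; do
        if [ -n "$expect_cmd" ]; then cmd=$tok; expect_cmd=""; continue; fi
        case "$tok" in
            -c) expect_cmd=1 ;;
            -*) letters="$letters${tok#-}" ;;
        esac
    done
    for flag in s j k; do
        case "$letters" in *"$flag"*) ;; *) echo "DROPBEAR_OPTIONS: missing -$flag"; return 1 ;; esac
    done
    [ "$cmd" = /bin/cryptroot-unlock ] || { echo "DROPBEAR_OPTIONS: -c /bin/cryptroot-unlock missing"; return 1; }
    echo "ok"
}
# Constructed samples: the guide's values, plus a config without -c that
# would leave an interactive shell reachable, to show a failing check.
write_samples() {
    printf 'DEVICE=eth0\nIP=192.168.0.10::192.168.0.1:255.255.255.0:your-hostname:eth0:off\n' > "$1/initramfs.conf"
    printf 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"\n' > "$1/config"
    printf 'DROPBEAR_OPTIONS="-RFEsjk"\n' > "$1/config.shell"
}
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
check_ip_line "$sample_dir/initramfs.conf"
check_dropbear_options "$sample_dir/config"
check_dropbear_options "$sample_dir/config.shell" || echo "(rejected, as intended)"
```

On a real system, call the two check functions with /etc/initramfs-tools/initramfs.conf and /etc/dropbear-initramfs/config instead of the sample paths.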

END

NOTES for particular cases:

device drivers:

sometimes, if you are using exotic network drivers, you'll need to add your device modules to the initramfs module list:

# list the loaded modules that live under kernel/drivers/net and append their
# names to the initramfs module list (the echo $(...) joins them on one line)
echo $(while read m _; do \
  /sbin/modinfo -F filename "$m"; done </proc/modules | sed -nr \
  "s@^/lib/modules/`uname -r`/kernel/drivers/net(/.*)?/([^/]+)\.ko\$@\2@p") >> /etc/initramfs-tools/modules

then edit /etc/initramfs-tools/modules, since the module names will all be on one line:

tap r8169 realtek

to

tap
r8169
realtek

after upgrading, dropbear's net won't work anymore:

I had this problem on a specific system: a Proxmox-based Debian 10 updated to 11 (and Proxmox 6.4 to 7.2).
After the update I could not unlock the machine remotely; after a lot of debugging I settled on this "fix":
changing the IP address.

I've always used the same IP address for unlocking via dropbear and for the system,
but for some obscure reason this isn't working anymore.

so the system, for example, will have 192.168.0.10 and the dropbear unlock IP will be 192.168.0.11

To add obscurity to this issue, I have another machine that is working perfectly with the same IP on OS & dropbear.

This behaviour was also confirmed after changing the server's subnet.

I have no idea why.


OLD GUIDE:
Until mid-2020 I used this script to unlock the disk:

to automatically unlock the disk with the command "unlock", add this file:

nano /etc/initramfs-tools/hooks/crypt_unlock.sh
#!/bin/sh
#
# By Stinky Parkia
# https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/
#
# initramfs-tools hook: copies an "unlock" helper into the initramfs.
# The hook file itself must be executable (chmod 755) or update-initramfs skips it.

PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # /bin/unlock inside the initramfs: runs the cryptroot local-top script
    # with the plymouth wrapper below first in PATH, so the passphrase prompt
    # shows up on the ssh session instead of going to plymouth.
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    # stop the cryptroot prompt still waiting on the local console
    kill \$(ps | grep cryptroot | grep -v "grep" | awk '{print \$1}')
    # following line kills the remote shell right after the passphrase has
    # been entered.
    kill -9 \$(ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}')
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    # cryptroot calls "plymouth --ping" to decide whether to ask via plymouth;
    # this wrapper answers "not running" so the prompt falls back to the tty.
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo "To unlock root-partition run \"unlock\"" >> "${DESTDIR}/etc/motd"
fi