Debian 9-12 unlock luks root at boot via ssh
updated for debian 12 (2024-12-04) #
NB: when upgrading from 11 to 12, if you keep your existing config files when the package upgrade asks about them, everything is moved to the new file names and works correctly out of the box
apt install -yy dropbear-initramfs cryptsetup-initramfs lvm2
(lvm2 is only needed when the encrypted root sits on LVM, which is what the installer's guided "encrypted LVM" setup produces)
add the public keys allowed to unlock the disk (they log in as root inside the initramfs) to: /etc/dropbear/initramfs/authorized_keys
nano /etc/dropbear/initramfs/authorized_keys
add your network interface config to: /etc/initramfs-tools/initramfs.conf
nano /etc/initramfs-tools/initramfs.conf
DEVICE=eth0
IP=192.168.0.10::192.168.0.1:255.255.255.0:your-hostname:eth0:off
the IP= fields follow the kernel's nfsroot syntax, client-ip:server-ip:gateway:netmask:hostname:interface:autoconf; server-ip stays empty and autoconf is off because the address is static. The interface name must be the one udev assigns inside the initramfs, which is usually the same predictable name (e.g. enp3s0) you see in "ip link" once booted, unless you rename interfaces with your own rules later in the boot.
to have the unlock prompt appear automatically on login instead of a shell, force cryptroot-unlock as the login command in this file:
(source: https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/)
nano /etc/dropbear/initramfs/dropbear.conf
DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"
the flags mean: -R generate missing host keys, -F stay in the foreground, -E log to stderr, -s disable password logins (keys only), -j and -k disable local and remote port forwarding, -c force the given command for every login. Note that the dropbear in the initramfs has its own host keys, separate from the system's sshd keys, so your client will warn about a changed host key if you reuse the same address on port 22; listening on another port (dropbear's -p option) or keeping a separate known_hosts entry for the unlock host avoids getting used to ignoring that warning.
and finally rebuild the initramfs for every installed kernel:
update-initramfs -k all -u
keep in mind that the initramfs lives on the unencrypted /boot, so its dropbear host key and authorized_keys can be read or replaced by anyone with offline access to the disk: the passphrase you type over SSH is only as safe as /boot is.
old versions (up to debian 11) #
apt-get install -yy dropbear-initramfs cryptsetup-initramfs lvm2
add your keys to: /etc/dropbear-initramfs/authorized_keys
nano /etc/dropbear-initramfs/authorized_keys
add your network interface config to: /etc/initramfs-tools/initramfs.conf
nano /etc/initramfs-tools/initramfs.conf
DEVICE=eth0
IP=192.168.0.10::192.168.0.1:255.255.255.0:your-hostname:eth0:off
to have the unlock prompt appear automatically on login instead of a shell, force cryptroot-unlock as the login command in this file (same options as for Debian 12, different file):
(source: https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/)
nano /etc/dropbear-initramfs/config
DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"
and finally update initramfs:
update-initramfs -k all -u
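The whole procedure above, for both the Debian 12 and the Debian 9-11 file layout, as one idempotent script. This is an added example, not code from the original page or from the Debian packages; the parameter names (CLIENT_IP, GATEWAY, NETMASK, IFACE, UNLOCK_HOST, PUBKEY_FILE) are this script's own choice, it assumes the settings are passed as environment variables, and it only touches the system when APPLY=1 is set, so the helper functions can be tried safely first. After update-initramfs it inspects the new image with lsinitramfs for dropbear, the authorized_keys file, cryptsetup and every module listed in /etc/initramfs-tools/modules, which is the check you want before rebooting a remote box.

```shell
#!/bin/sh
# setup-dropbear-unlock.sh: added example (not from the original page or the
# Debian packages). Automates the steps above on Debian 9-12 and verifies the
# resulting initramfs. Parameter names below are this script's own choice.
set -eu

CLIENT_IP=${CLIENT_IP:-192.168.0.10}     # address dropbear listens on at boot
GATEWAY=${GATEWAY:-192.168.0.1}
NETMASK=${NETMASK:-255.255.255.0}
IFACE=${IFACE:-eth0}                     # name as seen inside the initramfs
UNLOCK_HOST=${UNLOCK_HOST:-$(uname -n)}
# PUBKEY_FILE: public key of the admin workstation, required only with APPLY=1

# Debian 12 moved the config directory; pick whichever exists on this host.
dropbear_confdir() {
    if [ -d /etc/dropbear/initramfs ]; then
        echo /etc/dropbear/initramfs       # Debian 12
    else
        echo /etc/dropbear-initramfs       # Debian 9-11
    fi
}

# Kernel IP= syntax: client:server:gateway:netmask:hostname:device:autoconf.
# The server field stays empty and autoconf is "off" for a static address.
ip_line() {
    printf '%s::%s:%s:%s:%s:off\n' "$1" "$2" "$3" "$4" "$5"
}

# Dotted-quad sanity check: a typo here leaves the box unreachable at boot.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++) { if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
            exit 0
        }
        { exit 1 }'
}

# Set KEY=VALUE in a config file, replacing an existing line or appending,
# so the script can be re-run without duplicating entries. The rewrite goes
# through cat to keep the original file's ownership and mode.
set_conf_var() {
    touch "$1"
    if grep -q "^$2=" "$1"; then
        tmp=$(mktemp)
        sed "s|^$2=.*|$2=$3|" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Check an lsinitramfs listing ($1) for dropbear, the authorized_keys file,
# cryptsetup and every module named in an initramfs-tools modules file ($2).
check_manifest() {
    rc=0
    for want in 'sbin/dropbear$' '\.ssh/authorized_keys$' 'sbin/cryptsetup$'; do
        grep -q "$want" "$1" || { echo "missing: $want" >&2; rc=1; }
    done
    # modules file: first word of each line, '#' comments and blanks ignored;
    # module names use '_' where the .ko file name may use '-', and the file
    # may be compressed (.ko.xz, .ko.zst)
    sed 's/#.*//' "$2" | awk 'NF { print $1 }' | while read -r m; do
        pat=$(printf '%s' "$m" | sed 's/[-_]/[-_]/g')
        grep -Eq "/$pat\.ko(\.[a-z]+)?$" "$1" \
            || { echo "missing module: $m" >&2; exit 1; }
    done || rc=1
    return $rc
}

verify_initramfs() {
    listing=$(mktemp)
    lsinitramfs "$1" > "$listing"
    if check_manifest "$listing" /etc/initramfs-tools/modules; then rc=0; else rc=1; fi
    rm -f "$listing"
    return $rc
}

apply() {
    apt-get install -y dropbear-initramfs cryptsetup-initramfs lvm2
    conf=$(dropbear_confdir)               # directory exists only after install
    for a in "$CLIENT_IP" "$GATEWAY" "$NETMASK"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; exit 1; }
    done
    # keys that may unlock the disk (root inside the initramfs); replaces any
    # existing file so stale keys do not linger
    install -m 0600 "${PUBKEY_FILE:?set PUBKEY_FILE to the admin public key}" \
        "$conf/authorized_keys"
    set_conf_var /etc/initramfs-tools/initramfs.conf DEVICE "$IFACE"
    set_conf_var /etc/initramfs-tools/initramfs.conf IP \
        "$(ip_line "$CLIENT_IP" "$GATEWAY" "$NETMASK" "$UNLOCK_HOST" "$IFACE")"
    # Debian 12 reads dropbear.conf, older releases read config
    case $conf in
        /etc/dropbear/initramfs) optfile=$conf/dropbear.conf ;;
        *)                       optfile=$conf/config ;;
    esac
    set_conf_var "$optfile" DROPBEAR_OPTIONS '"-RFEsjk -c /bin/cryptroot-unlock"'
    update-initramfs -k all -u
    verify_initramfs "/boot/initrd.img-$(uname -r)"
}

# Only modify the system when explicitly asked:
#   APPLY=1 PUBKEY_FILE=/root/admin.pub IFACE=enp3s0 sh setup-dropbear-unlock.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply
fi
```

Without APPLY=1 the script defines the helpers and exits, so you can source it and check what ip_line produces for your values before writing anything; with APPLY=1 it must run as root, and a failing verify_initramfs at the end is the signal not to reboot yet.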
END #
NOTES for particular cases: #
device drivers: #
sometimes, if you are using exotic network drivers, you need to add your device modules to the initramfs module list (with the default MODULES=most initramfs-tools usually already copies the in-tree network drivers; this mostly matters with MODULES=dep or out-of-tree drivers). This lists every currently loaded module that lives under kernel/drivers/net (NIC drivers and PHY modules alike) and appends them to the list, one per line, which is the format /etc/initramfs-tools/modules expects; run it while the interface you need is up, so its driver is loaded:
while read -r m _; do
    /sbin/modinfo -F filename "$m"
done < /proc/modules | sed -nr \
    "s@^/(usr/)?lib/modules/$(uname -r)/kernel/drivers/net(/.*)?/([^/]+)\.ko(\.[a-z]+)?\$@\3@p" \
    >> /etc/initramfs-tools/modules
then check /etc/initramfs-tools/modules: each module name must sit on its own line, for example
tap
r8169
realtek
(the earlier echo $(...) form of this command collapsed them onto one line, "tap r8169 realtek", which initramfs-tools reads as the module tap with two bogus parameters)
after upgrading, dropbear's net won't work anymore: #
I had this problem on a specific system: a Proxmox-based Debian 10 updated to 11 (and Proxmox 6.4 to 7.2).
After the update I could not unlock the machine remotely; after a lot of debugging I settled on this "fix":
changing the IP address...
I had always used the same IP address for unlocking via dropbear and for the system,
but for some obscure reason this isn't working anymore.
So the system, for example, will have 192.168.0.10 and the dropbear unlock IP will be 192.168.0.11.
To add obscurity to this issue, I have another machine that is working perfectly with the same IP on the OS and dropbear.
This behaviour was also confirmed after changing the server's subnet.
I have no idea why.
OLD GUIDE:
Until mid-2020 I used this script to unlock the disk:
to automatically unlock the disk with the command "unlock" add this file (it is an initramfs-tools hook, so it must be executable and you need to run update-initramfs afterwards):
nano /etc/initramfs-tools/hooks/crypt_unlock.sh
#!/bin/sh
#
# By Stinky Parkia
# https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/
#
# initramfs-tools hook: runs after the dropbear hook and drops an "unlock"
# command into the initramfs.
PREREQ="dropbear"
prereqs() {
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
# Run the cryptroot script with a fake plymouth first in PATH so it prompts on
# this terminal; on success kill the cryptroot instance still waiting on the
# console, then the remote shell itself.
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    # following line kills the remote shell right after the passphrase has
    # been entered.
    kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"
    mkdir -p "${DESTDIR}/lib/unlock"
    # plymouth wrapper: answering "not running" to --ping makes cryptroot ask on
    # the tty instead of through the splash screen (note: plain sh has no "==")
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"
    echo 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"
fi