

LUKS with SSH unlock

15 Jan 2022 - by 'Maurits van der Schee'

I feel that full disk encryption of servers is a must. Not to protect against an attacker with physical access (who can tamper with the unencrypted boot loader or an unprotected BIOS), but to avoid leaking data when a disk or computer is stolen or replaced. But what do you do when you need to reboot your server and have no console access to enter the passphrase? This post explains how to run a small SSH server from the initramfs during the boot process, so that you can unlock the encrypted root partition remotely.

Installing and configuring the SSH server

Install the "dropbear" SSH server into the initial RAM file system (initramfs) with:

sudo apt install dropbear-initramfs

Because no key has been installed yet, the package's initramfs hook prints the warning:

dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!

You now need to add your public key (one OpenSSH "authorized_keys" line per key) to the initramfs. This key is the only credential that can log in to the boot-time SSH server, so protect the matching private key accordingly:

sudo nano /etc/dropbear-initramfs/authorized_keys

Also edit "/etc/dropbear-initramfs/config" (on newer Debian and Ubuntu releases the directory is "/etc/dropbear/initramfs" instead) using

sudo nano /etc/dropbear-initramfs/config

And set "DROPBEAR_OPTIONS" to:

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"

This sets the idle timeout to 300 seconds (-I), disables local (-j) and remote (-k) port forwarding so the initramfs cannot be used as a pivot, sets the listening port to 2222 (-p) and disables password logins (-s), so only the key you just installed can log in.

Unless you use DHCP, you need to set a static IP configuration in "/etc/initramfs-tools/initramfs.conf". "IP" uses the kernel's ip= syntax (client-ip::gateway-ip:netmask:hostname:device:autoconf), so change "IP" to:


This will set your IP address to, your gateway to, your netmask to and your hostname to "bastion".

Save the altered files and rebuild the initial RAM file system with:

sudo update-initramfs -u

This takes a few seconds on a fast machine.
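The steps above are easy to get subtly wrong (an empty authorized_keys, a forgotten "-s", a malformed IP= line), and you only find out after the reboot, when nobody can log in. The following preflight script, added here and not part of the original post, checks the configuration before you run update-initramfs. It assumes the Debian/Ubuntu dropbear-initramfs layout (either "/etc/dropbear-initramfs" or "/etc/dropbear/initramfs") and the initramfs-tools IP= syntax; the interface name "eth0" and the 192.0.2.x addresses in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: a preflight check to run on
# the server before "update-initramfs -u", so a reboot does not end with an
# initramfs that nobody can log in to. Paths follow the Debian/Ubuntu
# dropbear-initramfs packaging (assumption: one of the two layouts below).

# Locate the dropbear-initramfs configuration directory.
dropbear_dir() {
  for d in /etc/dropbear-initramfs /etc/dropbear/initramfs; do
    if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
  done
  return 1
}

# True if the file contains at least one OpenSSH public key line
# ("[options] keytype base64 [comment]"); the package hook prints the
# "Invalid authorized_keys file" warning otherwise.
check_authorized_keys() {
  [ -s "$1" ] && grep -Eq \
    '(^|[[:space:],])(sk-)?(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)? [A-Za-z0-9+/]+=*' \
    "$1"
}

# Extract the DROPBEAR_OPTIONS value (last assignment wins, as in the shell).
read_dropbear_options() {
  sed -n 's/^DROPBEAR_OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# True if the options disable password logins (-s) and both port-forwarding
# directions (-j, -k); a root shell in the initramfs with forwarding enabled
# is a pivot point for anyone holding a key.
check_dropbear_options() {
  s=0; j=0; k=0
  for tok in $1; do
    case "$tok" in
      -s) s=1 ;; -j) j=1 ;; -k) k=1 ;;
    esac
  done
  [ "$s$j$k" = 111 ]
}

# Dotted-quad shape check (octet range is not validated).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build the static IP= line for /etc/initramfs-tools/initramfs.conf in the
# kernel ip= syntax: client::gateway:netmask:hostname:device:autoconf.
# Example: build_ip_line 192.0.2.10 192.0.2.1 255.255.255.0 bastion eth0
build_ip_line() {
  is_ipv4 "$1" && is_ipv4 "$2" && is_ipv4 "$3" || return 1
  printf 'IP=%s::%s:%s:%s:%s:off\n' "$1" "$2" "$3" "$4" "$5"
}

preflight() {
  dir=$(dropbear_dir) || { echo "no dropbear-initramfs config directory found" >&2; return 1; }
  rc=0
  if check_authorized_keys "$dir/authorized_keys"; then
    echo "ok: $dir/authorized_keys holds a public key"
  else
    echo "FAIL: $dir/authorized_keys is missing or holds no key; remote unlock will not work" >&2; rc=1
  fi
  opts=$(read_dropbear_options "$dir/config")
  if check_dropbear_options "$opts"; then
    echo "ok: DROPBEAR_OPTIONS=\"$opts\""
  else
    echo "FAIL: DROPBEAR_OPTIONS=\"$opts\" should contain -s -j -k" >&2; rc=1
  fi
  if grep -q '^IP=' /etc/initramfs-tools/initramfs.conf 2>/dev/null; then
    echo "ok: static IP configured: $(grep '^IP=' /etc/initramfs-tools/initramfs.conf)"
  else
    echo "note: no IP= line in initramfs.conf, the initramfs will use DHCP"
  fi
  return "$rc"
}

# Only run the checks when invoked as "sh preflight.sh check", so the
# functions can also be sourced.
case "${1:-}" in
  check) preflight ;;
esac
```

Run it as "sudo sh preflight.sh check" before "sudo update-initramfs -u". After rebuilding, "lsinitramfs" on the new initrd lets you confirm that the dropbear binary and the authorized_keys file actually ended up inside the image.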

Connect over the Internet

Since the SSH server listens on port 2222, you need to forward TCP port 2222 on your router or firewall to the server if you want to unlock over the Internet. You need to connect from to your server (during the unlocking phase, before the root partition is opened) using the following command:

ssh root@ -p 2222

You may want to replace with your public IP address or hostname. After connecting run:


This will allow you to enter the passphrase to unlock your root partition. Once the volume is open, the boot-time SSH server is stopped and the normal boot process continues.
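Two things bite in practice when unlocking this way: the initramfs dropbear has its own host key, different from the sshd that runs once the system is up, and the server is not reachable for the first seconds after a reboot. The script below, added here and not part of the original post, pins the boot-time host key in a dedicated known_hosts file and retries until the initramfs SSH server answers. The hostname "bastion.example.org", the known_hosts path and the retry settings are assumptions; "cryptroot-unlock" is the unlock helper that Debian/Ubuntu's cryptsetup-initramfs package places in the initramfs.

```shell
#!/bin/sh
# Added example, not part of the original post: remotely unlock the root
# volume through the initramfs SSH server set up above. HOST, PORT and the
# known_hosts path are assumptions; override them via the environment.
HOST="${UNLOCK_HOST:-bastion.example.org}"   # hypothetical hostname
PORT="${UNLOCK_PORT:-2222}"                  # port from DROPBEAR_OPTIONS
KNOWN_HOSTS="${UNLOCK_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_initramfs}"
MAX_ATTEMPTS="${UNLOCK_ATTEMPTS:-30}"
DELAY="${UNLOCK_DELAY:-5}"

# The initramfs dropbear uses its own host key, not the key of the sshd that
# runs after boot, so pin it in a dedicated (unhashed) known_hosts file.
# Entries for a non-default port look like "[host]:port keytype base64key".
host_key_pinned() {
  [ -r "$3" ] && grep -qF -- "[$1]:$2 " "$3"
}

# ssh exits 255 when it could not connect or was rejected at the transport
# level; any other code came from the remote command, so do not retry it.
should_retry() {
  [ "$1" -eq 255 ]
}

run_unlock() {
  if ! host_key_pinned "$HOST" "$PORT" "$KNOWN_HOSTS"; then
    echo "no pinned host key for [$HOST]:$PORT in $KNOWN_HOSTS; refusing to connect" >&2
    return 2
  fi
  attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    # -t allocates a tty so cryptroot-unlock can prompt for the passphrase.
    ssh -p "$PORT" \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        -o PasswordAuthentication=no \
        -o ConnectTimeout=5 \
        -t "root@$HOST" cryptroot-unlock
    rc=$?
    should_retry "$rc" || return "$rc"
    echo "attempt $attempt/$MAX_ATTEMPTS: initramfs SSH not reachable yet, retrying in ${DELAY}s" >&2
    attempt=$((attempt + 1))
    sleep "$DELAY"
  done
  echo "gave up after $MAX_ATTEMPTS attempts" >&2
  return 255
}

# Only connect when invoked as "sh unlock.sh run", so the functions can be
# sourced and tested without touching the network.
case "${1:-}" in
  run) run_unlock ;;
esac
```

To pin the key before the first remote unlock, print the public half of the initramfs host key on the server (for example with "dropbearkey -y -f /etc/dropbear-initramfs/dropbear_ed25519_host_key"), prefix that "ssh-ed25519 ..." line with "[bastion.example.org]:2222 " and store it in the known_hosts file the script uses. Getting the key out of band like this matters because the first connection is exactly the moment an attacker on the path could present a different host key and collect your passphrase.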

The boot process explained

When using LUKS for the root file system you still need an unencrypted partition (the boot partition) from which the boot loader reads the kernel image (vmlinuz) and the initial RAM file system (initrd). The initrd contains the cryptsetup tooling that shows the passphrase prompt and opens the encrypted disk before the real root is mounted. Because the initrd is not encrypted, everything you put in it, including the dropbear host key and your authorized_keys, is readable by whoever holds the disk, and it is also where someone with physical access could plant a modified prompt; that is the trade-off mentioned at the start. This two-staged boot process can be altered to do other things as well. In today's post I have shown how to add a simple SSH server and in another post I will show how to scan USB drives for a keyfile.

Avoid leaking data in case of hardware theft

In security, the exercise of identifying risks and ranking them by damage and likelihood is called "threat modelling". For many on-premises servers, a large risk with considerable damage is hardware theft. Full disk encryption protects you against leaking data in this relatively likely event, reducing the damage considerably.

