Remote LUKS Unlock via SSH with Dropbear

LUKS (Linux Unified Key Setup) is the standard for disk encryption on Linux. When Full Disk Encryption (FDE) is enabled, the disk must be unlocked during system boot, which is usually only possible locally with a keyboard and monitor.

In this guide, we’ll show you how to remotely unlock your system via SSH – even before the operating system is fully loaded. Ideal for root servers or headless systems.


Requirements

  • Debian-/Ubuntu-based server with LUKS
  • Root access
  • SSH RSA key (2048 or 4096 bits – no ed25519!)
  • Optional: static IP or DHCP

Step 1: Install Dropbear

Run the following commands:

sudo apt update
sudo apt install dropbear-initramfs

You can ignore the warning about the authorized_keys file at this point; the key is added in the next step.


Step 2: Add SSH Key

sudo nano /etc/dropbear-initramfs/authorized_keys

Paste your RSA public key (from ~/.ssh/id_rsa.pub) into this file and save it.


Step 3: Configure Dropbear

sudo nano /etc/dropbear-initramfs/config

Set the DROPBEAR_OPTIONS line to:

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s"

Optional – to start cryptroot-unlock (the LUKS passphrase prompt) immediately after login:

DROPBEAR_OPTIONS="-I 300 -j -k -p 2222 -s -c cryptroot-unlock"

Step 4: Configure Network

Static IPv4 (optional):

sudo nano /etc/initramfs-tools/initramfs.conf

Add this line to the file:

IP=10.0.0.5::10.0.0.1:255.255.255.0:myserver

IPv6 support:

sudo wget -O /etc/initramfs-tools/hooks/ipv6 <URL>
sudo wget -O /etc/initramfs-tools/scripts/init-premount/ipv6 <URL>
sudo chmod +x /etc/initramfs-tools/{hooks,scripts/init-premount}/ipv6

Adjust GRUB:

sudo nano /etc/default/grub

Set this line in the file:

GRUB_CMDLINE_LINUX="ipv6=addr=2a07:e00::333/64,gw=fe80::1,iface=ens18,forwarding=0,accept_ra=0"

Step 5: Apply Changes

sudo update-initramfs -u
sudo update-grub

Step 6: Reboot & Test SSH Access

sudo reboot

Then connect with:

ssh -p 2222 root@<server-ip>

Or via IPv6:

ssh -p 2222 root@2a07:e00::333

If you get this error:

Permission denied (publickey)

Try connecting like this:

ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa -p 2222 root@<server-ip>

Manual Unlock

If you end up in BusyBox:

cryptroot-unlock

Then enter your LUKS password. The system will continue booting.
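
A pre-flight check for the files edited in Steps 2 and 3, to be run before update-initramfs in Step 5, since a wrong key type or a missing option only shows up when the server is already waiting at the unlock prompt. This is an added example, not part of the original guide: the function name audit_dropbear and the sample files are made up for illustration, and it assumes the config uses the double-quoted DROPBEAR_OPTIONS="..." form shown above.

```sh
#!/bin/sh
# Added example, not from the original guide. audit_dropbear is a made-up name.
# Usage: audit_dropbear AUTHORIZED_KEYS CONFIG ; exit status = problems found.
audit_dropbear() {
    keys=$1; conf=$2; problems=0; nkeys=0

    # Step 2: every non-comment line must hold an ssh-rsa key. A line may begin
    # with options (no-port-forwarding, command="..."), so match the key type
    # as a separate word followed by the start of its base64 blob.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        nkeys=$((nkeys + 1))
        case " $line" in
            *" ssh-rsa AAAA"*) ;;
            *) echo "key $nkeys: not an ssh-rsa key"; problems=$((problems + 1)) ;;
        esac
    done < "$keys"
    if [ "$nkeys" -eq 0 ]; then
        echo "no keys found: nobody could log in to unlock the disk"
        problems=$((problems + 1))
    fi

    # Step 3: read the last uncommented DROPBEAR_OPTIONS="..." line (assumed to
    # be the effective one) and require the guide's hardening flags:
    # -s disables password logins, -j / -k disable local / remote forwarding.
    opts=$(sed -n 's/^[[:space:]]*DROPBEAR_OPTIONS="\(.*\)".*$/\1/p' "$conf" | tail -n 1)
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "DROPBEAR_OPTIONS lacks $flag"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample input: a config that lost -s, and a key file that still
# contains an ed25519 entry (the key blobs are placeholders, not real keys).
demo=$(mktemp -d)
printf '%s\n' 'DROPBEAR_OPTIONS="-I 300 -j -k -p 2222"' > "$demo/config"
printf '%s\n' '# admin laptop' \
    'no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABCONSTRUCTED admin@laptop' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED admin@phone' \
    > "$demo/authorized_keys"
audit_dropbear "$demo/authorized_keys" "$demo/config" || echo "problems found: $?"
rm -rf "$demo"
```

On the server itself, call it with /etc/dropbear-initramfs/authorized_keys and /etc/dropbear-initramfs/config as the two arguments.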


Conclusion

With Dropbear integrated into initramfs, you can remotely unlock your encrypted Linux system — without needing physical access or a console.


FastLayer

Our VPS and dedicated servers support Full Disk Encryption right from the installation — optionally with preconfigured Dropbear SSH unlocking.

Order your server now: https://fastlayer.eu
