How to unlock LUKS using Dropbear SSH keys remotely in Linux

On Linux, we encrypt partitions or the entire disk with the Linux Unified Key Setup (LUKS) for security and privacy reasons. A LUKS-protected disk is unlocked by typing a passphrase at boot time, so you need to be in front of the computer, or on a remote console, to open the encrypted disk. If the system sits in the basement, an upstairs office, or a remote datacenter, you cannot unlock and boot your Linux box. The Dropbear SSH server solves this problem for LUKS-encrypted Debian, Ubuntu, or any other Linux distro by letting you enter the passphrase over SSH. Let us see how to unlock LUKS using Dropbear SSH keys in Linux at boot time.

Dropbear is a small SSH server created for embedded Linux and Unix systems with low resource requirements. It implements version 2 of the Secure Shell (SSH) protocol, supports RSA and elliptic-curve (ECDSA) keys, uses Diffie-Hellman and elliptic-curve Diffie-Hellman key exchange, and reads the same ~/.ssh/authorized_keys public-key format as OpenSSH. I am assuming that you have already installed Debian or Ubuntu Linux with LVM and LUKS. Here is my setup, which also uses software RAID-1:

  1. /boot/efi – The EFI system partition, present when the motherboard boots with UEFI rather than legacy BIOS.
  2. /dev/md0 – Linux /boot/ (RAID-1 /dev/md0 mounted on /boot/) holds only the files needed during the boot process: the kernel and the initial RAM disk (initrd) that the boot loader loads. We use update-initramfs to hook our Dropbear SSH server into that initrd. Run the ls command to look into the /boot/ directory:
    ls -1 /boot/*$(uname -r)*

    vmlinuz is the Linux kernel, and initrd contains the drivers, RAID support, Dropbear SSH server, and everything else needed to boot far enough to unlock the root filesystem.
  3. /dev/md1 – My LUKS-encrypted RAID-1 device. It holds an LVM volume group with two logical volumes, one for swap and one for the root filesystem. In other words, everything is encrypted except /boot/efi and /boot/. It is also possible to encrypt /boot/. Remember that the unencrypted /boot/ is exactly where the initrd, including the Dropbear binary, its host key and the authorized_keys file, lives, so anyone with physical access could tamper with it. Your security and threat model is different, so you may want to employ additional protection such as a BIOS/UEFI password at boot, physical access control to your home/office/datacenter, and full disk encryption as your needs dictate.

My sample set up for remote unlocking of LUKS-encrypted root in Ubuntu/Debian

Run the lsblk command to see the current disks, RAID, encryption and LVM info:
Sample Debian and Ubuntu Setup For Dropbear SSH server to unlock LUKS encrypted system

We can also use the cat command to identify the encrypted partitions listed in /etc/crypttab:
sudo cat /etc/crypttab
Here is what I see (mapper name, UUID of the LUKS container, key source where none means prompt for a passphrase, and options):

md1_crypt UUID=45b8c33e-a710-4062-b98f-a32a45c9d947 none luks,discard

My Linux OS version and kernel version in production are as follows:
lsb_release -a && uname -mrs
Sample outputs:

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
Linux 4.19.0-13-amd64 x86_64

Enough talk. Let us get our hands dirty and see how to unlock LUKS devices remotely via Dropbear SSH.

Steps to unlock LUKS using Dropbear SSH keys in Linux

I will install Dropbear SSH on my LUKS-encrypted Debian 10.x and Ubuntu 20.04 LTS servers and enable remote unlocking.

Step 1 – Installing the Dropbear on Debian or Ubuntu

Run the apt command/apt-get command as follows:
## First, apply Debian security patches ##
sudo apt update
sudo apt upgrade
sudo apt install dropbear-initramfs

NOTE: You may see a warning such as “dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!“. This is expected at this point, because no public key has been installed yet; Step 5 takes care of it.

Step 2 – Configuring the Dropbear to unlock LUKS encrypted system

Use the su command or sudo command to become the root user:
sudo -i
Change into /etc/dropbear-initramfs using the cd command (on Debian 11, Ubuntu 22.04 and later releases the same files live in /etc/dropbear/initramfs/ instead):
cd /etc/dropbear-initramfs
Edit the config file:
# vim config
Edit/Update DROPBEAR_OPTIONS as follows:
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"
The options are as follows:

  1. -I 180 : Disconnect the session after 180 seconds with no traffic in either direction (idle timeout), so a forgotten session does not stay open on the pre-boot system.
  2. -j : Disable local port forwarding.
  3. -k : Disable remote port forwarding as well. Together with -j this keeps the pre-boot SSH service from being used as a pivot into the rest of the network.
  4. -p 2222 : Listen on the given address and TCP port. A bare port number means listen on all addresses; up to ten -p options may be given, and the default is 22. A port other than 22 also keeps the initramfs Dropbear host key from colliding, in your client's known_hosts, with the OpenSSH host key the same machine presents once it has fully booted.
  5. -s : Disable password logins. We will set up SSH keys for authentication, which reduces the attack surface of a service that is reachable before the disk is even unlocked.

Step 3 – Configuring static IP

For a local Linux server in your basement, you can probably find the address handed to Dropbear by your DHCP server, which is the default behaviour. A remote server in a datacenter or a cloud, however, needs a fixed (usually public) IP address, just like a normal OpenSSH session. Here is how to give the initramfs a static address. Edit /etc/initramfs-tools/initramfs.conf:
# vim /etc/initramfs-tools/initramfs.conf
Append a static IP line for your Dropbear SSH server at boot time. The value is a list of colon-separated fields:

  1. IP= – Starts the static IP configuration
  2. :: – Field separator; the empty field between the two colons is the NFS server address, which we do not use
  3. <client-ip> – The IPv4 address of this machine
  4. <gw-ip> – The default gateway
  5. <netmask> – The netmask
  6. debian – The hostname

The full syntax, shared with the kernel's ip= boot parameter, is as follows for IPv4 and IPv6 static IP settings:

ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns-server-0-ip>:<dns-server-1-ip>:<ntp0-ip>

Step 4 – Updating or generating an initramfs image

The update-initramfs script manages the initramfs images on your local box. Run it whenever you change /etc/initramfs-tools/initramfs.conf, /etc/dropbear-initramfs/config or the authorized_keys file, otherwise the image the boot loader loads still has the old settings:
sudo update-initramfs -u
sudo update-initramfs -u -v

The -u option updates the existing initramfs for the running kernel (add -k all to rebuild the images for every installed kernel), and the -v option increases the amount of information you are given during the chosen action.
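As an added check (example code, not from the original article), the following POSIX shell script validates the settings from Steps 2 and 3 before you rebuild and reboot: the DROPBEAR_OPTIONS line must still carry -s, -j and -k, and an IP= value must have a well-formed client address, gateway and netmask. It also confirms, via lsinitramfs, that the freshly built image actually contains the Dropbear binary and an authorized_keys file, which is the question you want answered before rebooting a box you cannot walk up to. The paths are the Debian 10 / Ubuntu 20.04 ones used on this page (newer releases keep the Dropbear files under /etc/dropbear/initramfs/); the sample IP= strings are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the remote-unlock configuration before update-initramfs/reboot.
# Assumed paths (Debian 10 / Ubuntu 20.04 layout, as on this page):
#   /etc/dropbear-initramfs/config        -> DROPBEAR_OPTIONS="..."
#   /etc/initramfs-tools/initramfs.conf   -> IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>

# Succeed only for a dotted quad whose four fields are all in 0..255.
valid_ipv4() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digits, leading/trailing dot, empty field
  esac
  set -- $(printf '%s\n' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Validate one IP= value. server-ip (field 2) is the NFS root server and is normally
# empty, which is why a static Dropbear line contains "::" right after the address.
check_ip_value() {
  v=${1#IP=}
  client=$(printf '%s\n' "$v" | cut -s -d: -f1)
  server=$(printf '%s\n' "$v" | cut -s -d: -f2)
  gw=$(printf '%s\n' "$v"     | cut -s -d: -f3)
  mask=$(printf '%s\n' "$v"   | cut -s -d: -f4)
  valid_ipv4 "$client" || { echo "IP=: bad client address '$client'" >&2; return 1; }
  valid_ipv4 "$gw"     || { echo "IP=: bad gateway '$gw'" >&2; return 1; }
  valid_ipv4 "$mask"   || { echo "IP=: bad netmask '$mask'" >&2; return 1; }
  if [ -n "$server" ] && ! valid_ipv4 "$server"; then
    echo "IP=: bad server address '$server'" >&2; return 1
  fi
  return 0
}

# DROPBEAR_OPTIONS must keep password logins and both kinds of port forwarding
# disabled: the pre-boot SSH service accepts keys only and must not become a pivot.
check_dropbear_options() {
  opts=$1
  for flag in -s -j -k; do
    case " $opts " in
      *" $flag "*) ;;
      *) echo "DROPBEAR_OPTIONS lacks $flag" >&2; return 1 ;;
    esac
  done
  return 0
}

# Read the live files (needs root) and inspect the running kernel's initrd.
audit_remote_unlock() {
  cfg=${1:-/etc/dropbear-initramfs/config}
  ircfg=${2:-/etc/initramfs-tools/initramfs.conf}
  initrd=${3:-/boot/initrd.img-$(uname -r)}
  rc=0
  check_dropbear_options "$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' "$cfg")" || rc=1
  ipline=$(sed -n 's/^IP=//p' "$ircfg")
  if [ -n "$ipline" ]; then
    check_ip_value "$ipline" || rc=1
  else
    echo "no IP= line in $ircfg: the initramfs will use DHCP" >&2
  fi
  # Did update-initramfs actually pack the daemon and the key into the image?
  if [ -r "$initrd" ]; then
    lsinitramfs "$initrd" | grep -q 'bin/dropbear$'   || { echo "dropbear missing from $initrd" >&2; rc=1; }
    lsinitramfs "$initrd" | grep -q 'authorized_keys$' || { echo "authorized_keys missing from $initrd" >&2; rc=1; }
  fi
  return $rc
}

# Usage on the server, after update-initramfs:  sudo sh thisfile.sh && audit_remote_unlock
```

Run audit_remote_unlock as root on the server; a non-zero exit means something in the configuration or the built initrd would stop remote unlocking, and the reason is printed on stderr.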

Step 5 – Creating SSH keys for log in

Let us go back to our desktop client, be it macOS, *BSD, or a Linux-based distro. Open the terminal and type the following command to generate an SSH key pair for public-key authentication:
{client}$ ssh-keygen -t rsa -f ~/.ssh/intel_nuc_debian
Copy the public half of the key (the .pub file that ssh-keygen wrote next to the private key in your desktop's ~/.ssh/) into /etc/dropbear-initramfs/authorized_keys on the server, one key per line:
{client}$ cat ~/.ssh/
If root SSH access is enabled, try:
{client}$ cat ~/.ssh/ | ssh root@ "cat >> /etc/dropbear-initramfs/authorized_keys"
For a normal user, try:
{client}$ scp ~/.ssh/ vivek@
{client}$ ssh vivek@
{server}$ sudo -i
{server}# cat /home/vivek/ >> /etc/dropbear-initramfs/authorized_keys
{server}# rm /home/vivek/
{server}# exit
{server}$ exit

Make sure we rebuild our initrd so that the key is packed into it:
{server}$ sudo update-initramfs -u

Step 6 – Test Linux server when we enable LUKS remote unlocking

So far, so good. We installed Dropbear SSH for the initramfs, configured it (including the static IP), and installed the SSH key. It is time to reboot the Linux server:
{server}$ sudo reboot

Unlocking LUKS volumes using ssh

Use the ping command to verify connectivity:
{client}$ ping
Log in using the ssh command. On the first connection ssh shows the fingerprint of the initramfs Dropbear host key, which is not the fingerprint you usually see from OpenSSH on the same machine. Compare it with the fingerprint printed by dropbearkey -y -f /etc/dropbear-initramfs/dropbear_rsa_host_key on the server (pass -o FingerprintHash=md5 to ssh if dropbearkey prints an MD5 fingerprint) before accepting it, because you are about to type the disk passphrase into whatever answers on that port:
{client}$ ssh -i ~/.ssh/intel_nuc_debian -p 2222 -o "HostKeyAlgorithms ssh-rsa" root@
To unlock the root device, run:
# cryptroot-unlock
Enter the LUKS passphrase when prompted. Once the device is open, the boot continues and the Dropbear session is closed.

Unlocking LUKS volumes without local access, using SSH remotely
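The host-key check above deserves to be automated, so here is an added client-side example (not from the original article). known_hosts_line turns the public key that dropbearkey -y -f /etc/dropbear-initramfs/dropbear_rsa_host_key prints on the server (copy it from the console before the first reboot) into the [host]:port entry OpenSSH uses for a non-standard port, pin_initramfs_key stores it in a known_hosts file kept separate from the one holding the machine's normal OpenSSH key, and remote_unlock waits for Dropbear to answer and then connects with strict checking against that file. The address 192.0.2.10, the file names and the sample key material are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (client side): pin the initramfs Dropbear host key, then unlock remotely.
# Assumptions, not from the article: the server answers at 192.0.2.10, Dropbear listens
# on 2222 (Step 2), and the private key is the one generated in Step 5.
UNLOCK_HOST=${UNLOCK_HOST:-192.0.2.10}
UNLOCK_PORT=${UNLOCK_PORT:-2222}
UNLOCK_KEY=${UNLOCK_KEY:-$HOME/.ssh/intel_nuc_debian}
PIN_FILE=${PIN_FILE:-$HOME/.ssh/known_hosts.initramfs}   # kept apart from ~/.ssh/known_hosts

# Convert "ssh-rsa AAAA... comment" (the line printed by
#   dropbearkey -y -f /etc/dropbear-initramfs/dropbear_rsa_host_key
# on the server) into the known_hosts form for a non-22 port: "[host]:port type base64".
known_hosts_line() {
  kh_host=$1; kh_port=$2; kh_pub=$3
  kh_type=$(printf '%s\n' "$kh_pub" | cut -d' ' -f1)
  kh_b64=$(printf '%s\n' "$kh_pub" | cut -d' ' -f2)
  printf '[%s]:%s %s %s\n' "$kh_host" "$kh_port" "$kh_type" "$kh_b64"
}

# Append the pin once; refuse to add a second entry for the same host:port so a
# changed key later is a hard failure rather than a silently accepted new entry.
pin_initramfs_key() {
  line=$(known_hosts_line "$UNLOCK_HOST" "$UNLOCK_PORT" "$1")
  if grep -qF "[$UNLOCK_HOST]:$UNLOCK_PORT " "$PIN_FILE" 2>/dev/null; then
    echo "already pinned in $PIN_FILE" >&2; return 1
  fi
  printf '%s\n' "$line" >> "$PIN_FILE"
}

# Wait for the pre-boot sshd, then open the session; type cryptroot-unlock at the prompt.
# StrictHostKeyChecking=yes: an unknown or changed key is a refusal, not a prompt, so the
# LUKS passphrase is never typed into an impostor answering on port 2222.
remote_unlock() {
  tries=0
  until nc -z -w 2 "$UNLOCK_HOST" "$UNLOCK_PORT" 2>/dev/null; do
    tries=$((tries + 1))
    [ "$tries" -lt 90 ] || { echo "Dropbear not reachable on $UNLOCK_HOST:$UNLOCK_PORT" >&2; return 1; }
    sleep 2
  done
  ssh -i "$UNLOCK_KEY" -p "$UNLOCK_PORT" \
      -o UserKnownHostsFile="$PIN_FILE" -o StrictHostKeyChecking=yes \
      -o HostKeyAlgorithms=ssh-rsa "root@$UNLOCK_HOST"
}

# Usage:
#   pin_initramfs_key 'ssh-rsa AAAAB3NzaC1yc2E... root@debian'   # once, key copied from the console
#   remote_unlock                                                # each boot
```

Because the pin lives in its own file, the booted machine's OpenSSH host key in ~/.ssh/known_hosts is unaffected, and a Host stanza in ~/.ssh/config can carry the same -i, -p and UserKnownHostsFile options if you prefer a short alias.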

Summing up

And there you have it: the LUKS disk unlocked remotely over SSH with the help of the Dropbear SSH server. You may want to add a Host entry to your OpenSSH client config file (~/.ssh/config) to avoid typing the long ssh command every time.

Posted by Contributor