Unlocking a LUKS-encrypted partition via ssh on Debian 12 Bookworm

I’ve written before - for Debian 10 and 11, and for RaspberryPi OS - about remotely unlocking a LUKS-encrypted partition via ssh.

The principles are the same on Debian Bookworm, but the path to some of the dropbear-initramfs config files has changed.

This is what is working for me:

On the local machine

Generate the ssh key pair on your local machine:

ssh-keygen -f $HOME/.ssh/whatever-you-want-to-call-the-key

Later on, you’ll need the content of the public key (the one ending in .pub) to put on the remote machine, and the path to the private key (the one without .pub) for the ssh command.

On the remote machine

I’m assuming here that you’ve already got Debian 12 Bookworm installed, with the encrypted LVM option - the Debian Bookworm RC2 installer worked just fine for this for me - so you’ve already got LUKS set up.

Run the following as root.

Install dropbear-initramfs

apt update && apt install dropbear-initramfs -y

As before, ignore:

dropbear: WARNING: Invalid authorized_keys file, SSH login to initramfs won’t work!

Set your options for dropbear

echo 'DROPBEAR_OPTIONS="-RFEsjk -p 2222 -c /usr/bin/cryptroot-unlock"' >> /etc/dropbear/initramfs/dropbear.conf

(This means that it listens on port 2222, as opposed to the usual 22 for ssh. So in your local machine’s $HOME/.ssh/config file, you can have one entry set up for LUKS unlock on port 2222, and another for normal ssh’ing into the box on port 22.)

Add the public key to dropbear

Use the public key you generated with ssh-keygen in the first step. (It’s the one ending .pub; the other is the private key.)

echo 'PASTE-YOUR-PUBLIC-KEY-HERE' > /etc/dropbear/initramfs/authorized_keys

Configure grub and initramfs to use dhcp to get an IP address

I can’t swear that both of these are needed, but so far I have been using both, and it works with both. You might get away with only one, but I don’t know.

grub

Find the name of your ethernet interface, or whatever interface you’ll be using for the connection over which you want to do the remote unlocking. On the machines on which I tested this, the interface is eno1.

Edit /etc/default/grub and replace the line GRUB_CMDLINE_LINUX_DEFAULT with:

GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=:::::eno1:dhcp"

(Replace eno1 with the name of your interface.)

Then update grub:

update-grub

initramfs

echo 'IP="dhcp"' >> /etc/initramfs-tools/initramfs.conf

update-initramfs -k all -u
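The remote-machine steps above, collected into one re-runnable script. This is an added example, not something from the original post: the file paths are the Debian 12 ones used above, while the PUBKEY, IFACE and PORT values are assumptions you set for your own machine. Each of the post’s `>>` commands appends a fresh line every time it is run, so the script checks for an existing line first, sanity-checks the pasted key, and after rebuilding the initrd lists what actually landed in it before you reboot.

```shell
#!/bin/sh
# Added example (not from the original post). Re-runnable version of the
# remote-side setup for dropbear-initramfs on Debian 12.
set -eu

PUBKEY="${PUBKEY:-ssh-ed25519 AAAA...EXAMPLE unlock@laptop}"   # constructed placeholder; set your own
IFACE="${IFACE:-eno1}"                                          # assumption: interface used for unlocking
PORT="${PORT:-2222}"                                            # assumption: dropbear listen port

# Append LINE to FILE only if that exact line is not already there, so running
# the script twice does not stack duplicate DROPBEAR_OPTIONS= / IP= lines.
append_once() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Accept only a single OpenSSH authorized_keys entry (type, base64 blob, optional
# comment); rejects a pasted private key or a multi-line blob.
valid_pubkey() {
    printf '%s\n' "$1" | grep -qE '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( [^[:space:]]+)?$'
}

# Replace (or add) GRUB_CMDLINE_LINUX_DEFAULT so the kernel requests DHCP on IFACE.
set_grub_cmdline() {
    file="$1"; iface="$2"
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"quiet ip=:::::${iface}:dhcp\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=:::::%s:dhcp"\n' "$iface" >> "$file"
    fi
}

# Write all the config files. ROOT is an optional path prefix so the function can
# be exercised on a scratch directory instead of the live /etc.
configure() {
    root="${1:-}"
    valid_pubkey "$PUBKEY" || { echo "PUBKEY does not look like an OpenSSH public key" >&2; return 1; }
    mkdir -p "$root/etc/dropbear/initramfs" "$root/etc/initramfs-tools" "$root/etc/default"
    # -R: create host keys if missing  -F/-E: foreground, log to stderr
    # -s: no password logins (key only)  -j/-k: no local/remote port forwarding
    # -c: the only command a client can run is cryptroot-unlock
    append_once "$root/etc/dropbear/initramfs/dropbear.conf" \
        "DROPBEAR_OPTIONS=\"-RFEsjk -p $PORT -c /usr/bin/cryptroot-unlock\""
    printf '%s\n' "$PUBKEY" > "$root/etc/dropbear/initramfs/authorized_keys"
    chmod 600 "$root/etc/dropbear/initramfs/authorized_keys"
    set_grub_cmdline "$root/etc/default/grub" "$IFACE"
    append_once "$root/etc/initramfs-tools/initramfs.conf" 'IP="dhcp"'
}

# Only touch the real system, and rebuild grub and the initrd, when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apt update && apt install -y dropbear-initramfs
    configure ""
    update-grub
    update-initramfs -k all -u
    # Check that dropbear and the key are really inside the initrd before rebooting.
    lsinitramfs "/boot/initrd.img-$(uname -r)" | grep -E 'dropbear|authorized_keys'
fi
```

Run it as `PUBKEY='ssh-ed25519 AAAA... you@laptop' IFACE=eno1 sh setup-unlock.sh --apply` as root. Without `--apply` it only defines the functions, which is what makes it safe to test against a scratch directory first.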

Reboot and hope

Reboot the machine (e.g. systemctl reboot), cross your fingers, and hopefully you’ll be able to log in via ssh, as root (not your normal user) on port 2222, to unlock the LUKS partition, with something like:

ssh root@ip_address -o IdentitiesOnly=yes -i ~/.ssh/private_key -p 2222

(Replace ip_address with your remote machine’s IP address, and private_key with the name / path of the key you generated earlier: -i takes the private key, the file without the .pub ending, whose .pub half you put in dropbear’s authorized_keys.)
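The local side of the same setup as an added example (not the post’s own commands): it writes the two $HOME/.ssh/config entries mentioned earlier, one for the initramfs unlock shell on port 2222 and one for the booted system on port 22. The host alias, IP address and key path are assumptions. The unlock entry pins the key with IdentitiesOnly and uses a separate HostKeyAlias, because dropbear-initramfs has its own host key, distinct from the booted system’s sshd, and giving each its own known_hosts entry is what lets ssh warn you if either one ever changes.

```shell
#!/bin/sh
# Added example (not from the original post): local-machine ssh config for
# LUKS unlocking over dropbear-initramfs.
set -eu

# Print the two config stanzas. ALIAS, IP, PORT and KEYFILE are the caller's values.
render_ssh_config() {
    alias="$1"; ip="$2"; port="$3"; keyfile="$4"
    cat <<EOF
# initramfs (dropbear) unlock shell: root only, forced command cryptroot-unlock
Host ${alias}-unlock
    HostName ${ip}
    Port ${port}
    User root
    IdentityFile ${keyfile}
    IdentitiesOnly yes
    # dropbear-initramfs has its own host key, separate from the booted system's
    # sshd; a distinct alias keeps the two known_hosts entries apart.
    HostKeyAlias ${alias}-unlock

# the booted system
Host ${alias}
    HostName ${ip}
    Port 22
    IdentitiesOnly yes
    HostKeyAlias ${alias}
EOF
}

# Create the key pair if it does not exist yet (ssh-keygen prompts for a
# passphrase) and print the .pub line to paste into
# /etc/dropbear/initramfs/authorized_keys on the remote machine.
ensure_key() {
    keyfile="$1"
    [ -f "$keyfile" ] || ssh-keygen -t ed25519 -f "$keyfile" -C "luks-unlock"
    cat "${keyfile}.pub"
}

# Usage: sh local-unlock.sh --write <alias> <ip>   (appends to ~/.ssh/config)
if [ "${1:-}" = "--write" ]; then
    alias="${2:?alias}"; ip="${3:?ip}"
    keyfile="$HOME/.ssh/${alias}_unlock"
    mkdir -p "$HOME/.ssh"; chmod 700 "$HOME/.ssh"
    render_ssh_config "$alias" "$ip" 2222 "$keyfile" >> "$HOME/.ssh/config"
    ensure_key "$keyfile"
fi
```

After `--write`, unlocking becomes `ssh box-unlock` and a normal login `ssh box`, so you never have to remember which key and port belong to which.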

Update

I had some helpful feedback from Ben, who followed this guide. He said:

I deviated from your guide slightly - I didn’t copy the cryptroot-unlock script to /bin and just gave the final Dropbear option as “-c cryptroot-unlock” which worked.

Also only did dhcp through initramfs (not grub)