I’ve written before - for Debian 10 and 11, and for RaspberryPi OS - about remotely unlocking a LUKS-encrypted partition via ssh.
The principles are the same on Debian Bookworm, but the path of the dropbear-initramfs config files has changed: they now live under /etc/dropbear/initramfs/.
This is what is working for me:
On the local machine
Generate the ssh key pair on your local machine:
ssh-keygen -f $HOME/.ssh/whatever-you-want-to-call-the-key
Later on, you’ll need the content of the public key (the one ending in .pub) for the remote machine, and the path to the private key (the same file name without .pub) for the ssh command you run from your local machine.
On the remote machine
I’m assuming here that you’ve already got Debian 12 Bookworm installed with the encrypted LVM option (the Debian Bookworm RC2 installer worked just fine for this for me), so you’ve already got LUKS set up.
Run the following as root.
apt update && apt install dropbear-initramfs -y
As before, ignore the warning the install prints:
dropbear: WARNING: Invalid authorized_keys file, SSH login to initramfs won’t work!
It appears because /etc/dropbear/initramfs/authorized_keys does not exist yet; the key is added in a later step and the initramfs is rebuilt at the end.
Copy the cryptroot-unlock script to /bin
cp /usr/share/initramfs-tools/hooks/cryptroot-unlock /bin
Set your dropbear options in /etc/dropbear/initramfs/dropbear.conf
echo 'DROPBEAR_OPTIONS="-RFEsjk -p 2222 -c /bin/cryptroot-unlock"' >> /etc/dropbear/initramfs/dropbear.conf
(The flags: -R creates host keys as required, -F keeps dropbear in the foreground, -E logs to stderr, -s disables password logins so only the key below can authenticate, -j and -k disable local and remote port forwarding, -p sets the port, and -c forces every session to run cryptroot-unlock and nothing else, so a connecting client cannot get a shell in the initramfs.)
(This means that it listens on port 2222, as opposed to the usual 22 for ssh. So in your local machine’s
$HOME/.ssh/config file, you can have one Host entry set up for LUKS unlock on port 2222, and another for normal ssh’ing into the box on port 22.)
Add the public key to /etc/dropbear/initramfs/authorized_keys
Use the public key you generated with ssh-keygen in the first step. (It’s the one ending .pub; the other is the private key, which stays on your local machine.)
echo 'PASTE-YOUR-PUBLIC-KEY-HERE' > /etc/dropbear/initramfs/authorized_keys
(Note the single > : this replaces the file, so it holds exactly this one key. Anyone holding the matching private key can reach the unlock prompt, so treat that private key with the same care as the LUKS passphrase.)
Configure grub and initramfs to use dhcp to get an IP address
I can’t swear that both of these are needed, but so far I have been using both, and it works with both. You might get away with only one, but I don’t know.
Find the name of your ethernet interface, or whatever interface you’ll be using for the connection over which you want to do the remote unlocking (ip link will list them). On the machines on which I tested this, the interface is eno0.
Edit /etc/default/grub and add the ip= kernel parameter naming that interface to the GRUB_CMDLINE_LINUX_DEFAULT line. (Replace eno0 with the name of your interface.)
Then update grub:
update-grub
Then tell initramfs-tools to use dhcp, and rebuild the initramfs for every installed kernel:
echo 'IP="dhcp"' >> /etc/initramfs-tools/initramfs.conf
update-initramfs -k all -u
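The remote-machine steps above, collected into one script that can be re-run safely. This is an added example, not code from the original post: it uses the Debian 12 paths named in the post, takes the interface name from IFACE (assumed eno0 if unset) and the public key line from PUBKEY, and, because the post does not show its grub line, writes the kernel parameter in the form ip=:::::IFACE:dhcp, which is an assumption about what that line does. The config edits replace an existing line rather than appending a duplicate, the key is checked before it lands in authorized_keys, and the initramfs host key fingerprints are printed at the end so you can compare them at first login.

```shell
#!/bin/sh
# Added example (not the post's own code). Run as root: PUBKEY="$(cat key.pub)" sh setup-unlock.sh --apply
# Without --apply only the functions are defined, so the file can be sourced or tested.
set -eu

IFACE="${IFACE:-eno0}"        # interface used for unlocking; eno0 is an assumed default
PUBKEY="${PUBKEY:-}"          # one ssh public key line (contents of your .pub file)
UNLOCK_PORT=2222
DROPBEAR_CONF=/etc/dropbear/initramfs/dropbear.conf
AUTH_KEYS=/etc/dropbear/initramfs/authorized_keys
INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
GRUB_DEFAULT=/etc/default/grub

# Accept a single key line of a type dropbear understands: "type base64 [comment]".
# A malformed file is what triggers the "Invalid authorized_keys" warning.
validate_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Set KEY="VALUE" in a shell-style config file, replacing an existing KEY= line
# instead of appending a second one (echo >> would duplicate it on every run).
set_conf_var() {              # set_conf_var FILE KEY VALUE
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Write exactly one key, readable by root only: this file gates pre-boot root access.
install_authorized_key() {    # install_authorized_key FILE KEY
    validate_pubkey "$2" || { echo "refusing to install malformed public key" >&2; return 1; }
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Add ip=:::::IFACE:dhcp (kernel ip= syntax: client:server:gw:mask:host:device:autoconf)
# to GRUB_CMDLINE_LINUX_DEFAULT, keeping the other parameters and replacing any old ip=.
# Assumes the line uses double quotes, as Debian's shipped /etc/default/grub does.
set_grub_ip() {               # set_grub_ip FILE IFACE
    file=$1; iface=$2
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file")
    cleaned=$(printf '%s' "$current" | sed -E 's/ ?ip=[^ ]*//g; s/^ +//; s/ +$//')
    set_conf_var "$file" GRUB_CMDLINE_LINUX_DEFAULT "${cleaned:+$cleaned }ip=:::::${iface}:dhcp"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    [ -n "$PUBKEY" ] || { echo "set PUBKEY to the contents of your .pub file" >&2; exit 1; }
    ip link show "$IFACE" >/dev/null 2>&1 || { echo "no such interface: $IFACE" >&2; exit 1; }

    apt update && apt install -y dropbear-initramfs
    # The post's step; the feedback quoted at the end reports that -c cryptroot-unlock works without it.
    cp /usr/share/initramfs-tools/hooks/cryptroot-unlock /bin
    set_conf_var "$DROPBEAR_CONF" DROPBEAR_OPTIONS "-RFEsjk -p $UNLOCK_PORT -c /bin/cryptroot-unlock"
    install_authorized_key "$AUTH_KEYS" "$PUBKEY"
    set_grub_ip "$GRUB_DEFAULT" "$IFACE"
    update-grub
    set_conf_var "$INITRAMFS_CONF" IP dhcp
    update-initramfs -k all -u

    # Print the initramfs host key fingerprints so the first ssh prompt can be verified.
    for k in /etc/dropbear/initramfs/dropbear_*_host_key; do
        [ -f "$k" ] && dropbearkey -y -f "$k" | grep -i fingerprint
    done
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Running it a second time leaves each config file with a single DROPBEAR_OPTIONS, IP and ip= entry, which is the point of using replace-or-append rather than the bare echo >> from the steps above.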
Reboot and hope
Reboot the machine (e.g. systemctl reboot), cross your fingers, and hopefully you’ll be able to log in via ssh, as root (not your normal user) on port 2222, to unlock the LUKS partition, with something like:
ssh root@ip_address -o IdentitiesOnly=yes -i ~/.ssh/private_key -p 2222
(Replace ip_address and private_key with your remote machine’s IP address and the path of the private key you generated earlier, i.e. the file without the .pub ending. IdentitiesOnly=yes stops ssh offering every key in your agent before the right one.)
Because of the forced command, the session runs cryptroot-unlock and nothing else: you are prompted for the passphrase, the session closes once the partition is unlocked, and the boot carries on. Expect a new host key prompt the first time: the initramfs dropbear has its own host key under /etc/dropbear/initramfs/ (the dropbear_*_host_key files), separate from the OpenSSH one, and since the port differs ssh stores it as a separate known_hosts entry. Check the fingerprint it shows against one taken on the machine itself (dropbearkey -y -f on that key file) before typing the passphrase into it.
I had some helpful feedback from Ben, who followed this guide. He said:
I deviated from your guide slightly - I didn’t copy the cryptroot-unlock script to /bin and just gave the final Dropbear option as “-c cryptroot-unlock” which worked.
Also only did dhcp through initramfs (not grub).