In this guide we will show how you can remotely decrypt a headless Debian or Ubuntu Linux system, that has been encrypted with [LUKS](https://en.wikipedia.org/wiki/LUKS).

### Prerequisites

* A LUKS encrypted Debian jessie or Ubuntu xenial system
* Keyboard and monitor for the initial system setup
* Allow SSH root access on the decrypted system using public key authentication
* Use a different port for ssh (assuming port 4422) on the decrypted system

**NOTE: using a different port than the standard SSH port (22) serves a double purpose. For once, you will not received the scary *WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!* message every time you will try to remotely unlock the system and as an additional bonus you will get less SSH attacks on the active system.**

### Installing *dropbear*

[Dropbear](https://en.wikipedia.org/wiki/Dropbear_(software)) is a lightweight SSH server especially suitable for initial ramdisk (initrd) environments and other lightweight systems.

Install *dropbear:*

“`
# apt -y install dropbear
“`

### Setup public key authentication for dropbear

Create the homedir for the root user and the SSH configuration directory:

“`
# mkdir -p /etc/initramfs-tools/root/.ssh
“`

Append your client SSH pubkey to *authorized_keys*:

“`
# cat ~/.ssh/id_rsa.pub | ssh -p 4422 root@encrypted-system “cat >> /etc/initramfs-tools/root/.ssh/authorized_keys”
“`

### Setup a static IP for the unlock environment

This step is optional but highly recommended if you are setting up a static, permanent service. If you skip this step DHCP will kick in, provided you have a DHCP Server in your environment.

Run this command to update the */etc/initramfs-tools/initramfs.conf* configuration file:

“`
echo IP=10.0.0.67::10.0.0.1:255.255.255.0:encrypted-system:eth0:off >> /etc/initramfs-tools/initramfs.conf
“`

Explanation of the different fields:
`[host_ip]::[gateway_ip]:[netmask]:[hostname]:[device]:[autoconf]`

**NOTE: there are two successive colons (::) after the *host_ip*.**

### Setup the unlock script

Copy the following text in */etc/initramfs-tools/hooks/crypt_unlock.sh*:

“`
#!/bin/sh
#
# By Stinky Parkia
# https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/

PREREQ=”dropbear”

prereqs() {
echo “$PREREQ”
}

case “$1” in
prereqs)
prereqs
exit 0
;;
esac

. “${CONFDIR}/initramfs.conf”
. /usr/share/initramfs-tools/hook-functions

if [ “${DROPBEAR}” != “n” ] && [ -r “/etc/crypttab” ] ; then
cat > “${DESTDIR}/bin/unlock” << EOF #!/bin/sh if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` # following line kill the remote shell right after the passphrase has # been entered. kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` exit 0 fi exit 1 EOF chmod 755 "${DESTDIR}/bin/unlock" mkdir -p "${DESTDIR}/lib/unlock" cat > “${DESTDIR}/lib/unlock/plymouth” << EOF #!/bin/sh [ "\$1" == "--ping" ] && exit 1 /bin/plymouth "\$@" EOF chmod 755 "${DESTDIR}/lib/unlock/plymouth" echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
fi
“`

Make the script executable:

“`
# chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh
“`

### Apply the configuration

Apply the changes in the initial ramdisk:

“`
# update-initramfs -u
“`

Reboot the system:

“`
# reboot
“`

### Remotely unlock the system

From your client, SSH into the initial ramdisk:

“`
ssh root@encrypted-system
“`

If everything is correct you will be greeted by this MOTD:

“`
To unlock root-partition run unlock

BusyBox v1.22.1 (Ubuntu 1:1.22.0-15ubuntu1) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
“`

Unlock the system and boot into it:

“`
# unlock
Please unlock disk sda3_crypt:
“`

You will get the following message and you will exit the remote shell if successful:

“`
cryptsetup: sda3_crypt set up successfully
Connection to 10.0.0.67 closed.
“`

You can now login to the active Linux system using the alternative port 4422:

“`
ssh -p 4422 root@encrypted-system
“`

If you can login successfully to your system you can remove the keyboard and monitor and hide your system somewhere where the Sun does not shine :).

Thanks to [Stinky Parkia](https://stinkyparkia.wordpress.com/) for the excellent guide and the brilliant unlock script.

References
———-
* https://stinkyparkia.wordpress.com/2014/10/14/remote-unlocking-luks-encrypted-lvm-using-dropbear-ssh-in-ubuntu-server-14-04-1-with-static-ipst/