In this guide we will show how you can remotely decrypt a headless Debian or Ubuntu Linux system that has been encrypted with [LUKS](

### Prerequisites

* A LUKS encrypted Debian jessie or Ubuntu xenial system
* Keyboard and monitor for the initial system setup
* Allow SSH root access on the decrypted system using public key authentication
* Use a different port for ssh (assuming port 4422) on the decrypted system

**NOTE: using a different port than the standard SSH port (22) serves a double purpose. For one, you will not receive the scary *WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!* message every time you try to remotely unlock the system, and as an additional bonus you will get fewer SSH attacks on the active system.**

### Installing *dropbear*

[Dropbear]( is a lightweight SSH server especially suitable for initial ramdisk (initrd) environments and other lightweight systems.

Install *dropbear:*

```sh
# apt -y install dropbear
```

### Setup public key authentication for dropbear

Create the homedir for the root user and the SSH configuration directory:

```sh
# mkdir -p /etc/initramfs-tools/root/.ssh
```

Append your client SSH pubkey to *authorized_keys*:

```sh
# cat ~/.ssh/ | ssh -p 4422 root@encrypted-system "cat >> /etc/initramfs-tools/root/.ssh/authorized_keys"
```

### Setup a static IP for the unlock environment

This step is optional but highly recommended if you are setting up a static, permanent service. If you skip this step DHCP will kick in, provided you have a DHCP Server in your environment.

Run this command to update the */etc/initramfs-tools/initramfs.conf* configuration file:

```sh
echo IP= >> /etc/initramfs-tools/initramfs.conf
```

Explanation of the different fields:

**NOTE: there are two successive colons (::) after the *host_ip*.**

### Setup the unlock script

Copy the following text in */etc/initramfs-tools/hooks/*:

```sh
#!/bin/sh
# By Stinky Parkia

# Run this hook after the dropbear hook so its files are already staged
# (the PREREQ value is not shown on the original page; "dropbear" is assumed).
PREREQ="dropbear"

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions

# Only install the helper when dropbear goes into the initramfs and the
# system actually has encrypted volumes listed in /etc/crypttab.
if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
    # /bin/unlock: runs the regular cryptroot script with a PATH that puts
    # our plymouth stub first, then kills the cryptroot prompt left on the
    # console and finally the remote shell itself so boot can continue.
    cat > "${DESTDIR}/bin/unlock" << EOF
#!/bin/sh
if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
    kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
    # following line kills the remote shell right after the passphrase has
    # been entered.
    kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
    exit 0
fi
exit 1
EOF
    chmod 755 "${DESTDIR}/bin/unlock"

    # Shadow plymouth with a stub that answers "not running" to --ping, so
    # cryptroot asks for the passphrase on the SSH session instead of the
    # splash screen; every other invocation is passed through.
    mkdir -p "${DESTDIR}/lib/unlock"
    cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
#!/bin/sh
[ "\$1" = "--ping" ] && exit 1
/bin/plymouth "\$@"
EOF
    chmod 755 "${DESTDIR}/lib/unlock/plymouth"

    echo To unlock root-partition run "unlock" >> "${DESTDIR}/etc/motd"
fi
```

Make the script executable:

```sh
# chmod +x /etc/initramfs-tools/hooks/
```

### Apply the configuration

Apply the changes in the initial ramdisk:

```sh
# update-initramfs -u
```
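Before rebooting a headless box it is worth confirming that the new initramfs really contains everything configured above; otherwise the next boot stalls at the passphrase prompt with no way in. The check script below is an added example, not part of the original guide or of the Stinky Parkia hook: it reads a saved `lsinitramfs` listing and the *initramfs.conf* file and reports which expected pieces are missing. The entry paths and the host-key file name pattern are assumptions drawn from the paths used on this page and from dropbear's usual key naming; adjust them for your release.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check a freshly built
# initramfs before rebooting a remotely unlocked system.
#
# check_initramfs_listing expects the output of
#   lsinitramfs /boot/initrd.img-$(uname -r)
# saved to a file; check_initramfs_conf reads /etc/initramfs-tools/initramfs.conf.
# The REQUIRED entries and the host-key name pattern are assumptions based on
# the paths used in the guide.

# Entries every remote-unlock initramfs built by this guide should contain.
REQUIRED="
bin/unlock
lib/unlock/plymouth
root/.ssh/authorized_keys
etc/motd
scripts/local-top/cryptroot
"

# check_initramfs_listing LISTING_FILE
# Prints each missing entry on stderr; returns 0 if all are present, 1 otherwise.
check_initramfs_listing() {
    listing="$1"
    missing=0
    for entry in $REQUIRED; do
        # lsinitramfs prints paths relative to the initramfs root, sometimes
        # with a leading "./"; accept both spellings, matched as whole lines.
        if ! grep -qxF -e "$entry" -e "./$entry" "$listing"; then
            echo "missing from initramfs: $entry" >&2
            missing=$((missing + 1))
        fi
    done
    # A dropbear host key must be present too. Its directory differs between
    # releases, so match only on the conventional file name.
    if ! grep -q 'dropbear_[a-z0-9]*_host_key' "$listing"; then
        echo "missing from initramfs: dropbear host key" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# check_initramfs_conf CONF_FILE
# Verifies the two settings the hook depends on: DROPBEAR must not be
# disabled (the hook installs nothing when DROPBEAR=n) and, for a fixed
# unlock address, an IP= line must be present (otherwise DHCP is used).
check_initramfs_conf() {
    conf="$1"
    bad=0
    if grep -q '^DROPBEAR=n$' "$conf"; then
        echo "DROPBEAR=n in $conf: the unlock hook will install nothing" >&2
        bad=1
    fi
    if ! grep -q '^IP=.' "$conf"; then
        echo "no IP= line in $conf: the initramfs will fall back to DHCP" >&2
        bad=1
    fi
    return $bad
}

# Usage on the real system (uncomment to run):
# lsinitramfs "/boot/initrd.img-$(uname -r)" > /tmp/initrd.lst
# check_initramfs_listing /tmp/initrd.lst \
#   && check_initramfs_conf /etc/initramfs-tools/initramfs.conf \
#   && echo "initramfs looks complete; safe to reboot"
```

Run it as root right after `update-initramfs -u`; a non-zero exit with the listed reasons means the hook or the configuration was not picked up and the reboot should wait.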

Reboot the system:

```sh
# reboot
```

### Remotely unlock the system

From your client, SSH into the initial ramdisk:

```sh
ssh root@encrypted-system
```

If everything is correct you will be greeted by this MOTD:

```text
To unlock root-partition run unlock

BusyBox v1.22.1 (Ubuntu 1:1.22.0-15ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.
```

Unlock the system and boot into it:

```text
# unlock
Please unlock disk sda3_crypt:
```

If successful, you will see the following message and be dropped out of the remote shell:

```text
cryptsetup: sda3_crypt set up successfully
Connection to closed.
```

You can now log in to the active Linux system using the alternative port 4422:

```sh
ssh -p 4422 root@encrypted-system
```

If you can log in to your system successfully, you can remove the keyboard and monitor and hide your system somewhere where the Sun does not shine :).

Thanks to [Stinky Parkia]( for the excellent guide and the brilliant unlock script.