LUKS with Dropbear

LUKS (Linux Unified Key Setup) provides full-disk encryption. Dropbear is a lightweight SSH server that can run in the initrd to allow remote unlocking.

Overview

The setup works as follows:

Server boots with encrypted root filesystem
initrd loads with dropbear SSH server
You connect via SSH and enter the LUKS passphrase
Disk unlocks and boot continues normally

Prerequisites

Debian/Ubuntu (other distros have similar packages)
LUKS-encrypted root partition
Static IP or DHCP during boot

Installation

Install packages

sudo apt install dropbear-initramfs cryptsetup-initramfs

Configure dropbear

Edit /etc/dropbear/initramfs/dropbear.conf:

# Use a non-standard port to avoid conflicts with main SSH
DROPBEAR_OPTIONS="-p 2222 -s -j -k"

Options explained:

-p 2222 - Listen on port 2222
-s - Disable password login (key only)
-j - Disable local port forwarding
-k - Disable remote port forwarding

Add SSH public key

# Add your articwake public key
cat articwake-key.pub >> /etc/dropbear/initramfs/authorized_keys

Configure network in initrd

Edit /etc/initramfs-tools/initramfs.conf:

# For DHCP
IP=dhcp

# Or for static IP
# IP=192.168.1.100::192.168.1.1:255.255.255.0:hostname:eth0:off

Format for static: IP=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>

Rebuild initramfs

sudo update-initramfs -u

Unlocking Process

Manual unlock

# Connect to dropbear
ssh -p 2222 -i articwake-key root@server-ip

# The unlock prompt appears automatically
# Enter your LUKS passphrase

How cryptsetup-askpass works

The cryptsetup-askpass utility in initrd:

Waits for input on stdin
Passes it to cryptsetup to unlock the disk
Signals the boot process to continue

This is what articwake connects to and sends the passphrase.

Multiple Encrypted Disks

If you have multiple LUKS volumes, you may need to unlock them all:

# Check which devices need unlocking
cat /etc/crypttab

The cryptsetup-askpass utility handles this automatically if configured correctly.

Testing

Before rebooting

Verify the initrd contains dropbear:

lsinitramfs /boot/initrd.img-$(uname -r) | grep dropbear

Should show dropbear binaries and config.

After rebooting

Reboot the server
Wait for it to reach initrd (check DHCP leases or known IP)

SSH in:

ssh -p 2222 -i articwake-key root@server-ip

Enter passphrase when prompted
Server should continue booting

Troubleshooting

Can’t connect to dropbear

Network not up: Check if IP is assigned
- Verify /etc/initramfs-tools/initramfs.conf network config
- Rebuild initramfs: update-initramfs -u
Wrong port: Verify dropbear port in config
Terminal window
```
grep DROPBEAR /etc/dropbear/initramfs/dropbear.conf
```
Firewall: initrd usually has no firewall, but check your network

Key rejected

Verify public key is in /etc/dropbear/initramfs/authorized_keys
Rebuild initramfs after adding key
Dropbear uses its own key format - Ed25519 works but ensure correct format

Passphrase not accepted

Test locally first with cryptsetup open
Verify correct LUKS slot has your passphrase
Check keyboard layout issues (initrd may use US layout)

Boot continues without unlock

Check /etc/crypttab has correct device and options:

root_crypt UUID=xxxx-xxxx-xxxx none luks

Security Considerations

Use a dedicated SSH key for initrd unlock
The initrd SSH key is separate from your main system
Dropbear regenerates host keys on each boot
articwake is configured to accept any host key for this reason