SSH Key Setup
articwake uses SSH public key authentication to connect to your server’s dropbear initrd. This guide covers generating and installing the required keys.
Generate a Key Pair
Section titled “Generate a Key Pair”ssh-keygen -t ed25519 -f articwake-key -N ""This creates:
articwake-key- Private key (keep secret, goes on articwake Pi)articwake-key.pub- Public key (goes on your server’s initrd)
Why Ed25519?
Section titled “Why Ed25519?”- Smaller keys (better for embedded systems)
- Fast operations
- Strong security
- Well-supported by dropbear
Install the Public Key on Your Server
Section titled “Install the Public Key on Your Server”Add the public key to your server’s dropbear authorized_keys:
# On your servercat articwake-key.pub >> /etc/dropbear/initramfs/authorized_keysThen rebuild the initramfs:
sudo update-initramfs -uInstall the Private Key on articwake
Section titled “Install the Private Key on articwake”SD Card Image
Section titled “SD Card Image”Copy the private key to the SD card before first boot:
sudo cp articwake-key /mnt/articwake/ssh_keysudo chmod 600 /mnt/articwake/ssh_keyManual Installation
Section titled “Manual Installation”Copy to the configured path:
# Default pathsudo cp articwake-key /etc/secrets/articwake-keysudo chmod 600 /etc/secrets/articwake-keysudo chown root:root /etc/secrets/articwake-key
# Or set custom path via environmentexport ARTICWAKE_SSH_KEY_PATH="/path/to/your/key"Key Permissions
Section titled “Key Permissions”The private key must have strict permissions:
chmod 600 /path/to/articwake-keyarticwake will fail to start if the key file is readable by others.
Testing the Key
Section titled “Testing the Key”Before relying on articwake, test SSH manually:
# Boot your server to initrd (don't unlock yet)# Then from your workstation:
ssh -p 2222 -i articwake-key root@server-ipIf you see the unlock prompt, your key is working.
Multiple Keys
Section titled “Multiple Keys”You can authorize multiple keys in dropbear for backup access:
# On your server, add all public keyscat key1.pub key2.pub key3.pub >> /etc/dropbear/initramfs/authorized_keyssudo update-initramfs -uKey Rotation
Section titled “Key Rotation”To rotate the articwake key:
-
Generate a new key pair:
Terminal window ssh-keygen -t ed25519 -f articwake-key-new -N "" -
Add the new public key to your server:
Terminal window cat articwake-key-new.pub >> /etc/dropbear/initramfs/authorized_keyssudo update-initramfs -u -
Test the new key works
-
Update articwake with the new private key:
Terminal window # SSH into the Pissh root@articwake-ip# Replace the keycat > /etc/secrets/articwake-key << 'EOF'-----BEGIN OPENSSH PRIVATE KEY-----...-----END OPENSSH PRIVATE KEY-----EOFchmod 600 /etc/secrets/articwake-key -
Remove the old public key from your server:
Terminal window # Edit and remove the old key linenano /etc/dropbear/initramfs/authorized_keyssudo update-initramfs -u
Troubleshooting
Section titled “Troubleshooting”Permission denied
Section titled “Permission denied”Permission denied (publickey)- Verify public key is in
/etc/dropbear/initramfs/authorized_keys - Rebuild initramfs:
update-initramfs -u - Check private key permissions:
chmod 600 articwake-key
Key format issues
Section titled “Key format issues”Dropbear supports OpenSSH key format. If you have issues:
# Convert to dropbear format (usually not needed)dropbearconvert openssh dropbear articwake-key articwake-key.dropbearWrong key configured
Section titled “Wrong key configured”Check the key path in articwake config:
echo $ARTICWAKE_SSH_KEY_PATH# Should match where you placed the keyKey not found
Section titled “Key not found”Failed to read SSH key: No such file or directoryVerify the key exists at the configured path and articwake has permission to read it.