things i pick up along the way

ssh into luks encrypted machines, dropbear, initramfs

Dropbear is a lightweight ssh server that can be embedded into minimal boot environments.

Initramfs (Initial RAM Filesystem) is a temporary root filesystem loaded into memory during early boot. It's there to prepare everything needed to mount the real root: loading kernel modules, assembling RAID arrays, prompting for LUKS passphrases and so on.

We can use these in combination to SSH into a machine at boot time in order to unlock our server.

Setup:

sudo apt install dropbear-initramfs

add your public key to:
/etc/dropbear/initramfs/authorized_keys

Rebuild initramfs:
sudo update-initramfs -u

This builds a fresh initramfs image by collecting the needed files from the running system (now including Dropbear and the authorized_keys file) and packing them into a compressed archive under /boot.

Boot Sequence:

  1. Kernel + initramfs load
  2. Initramfs brings up networking and starts Dropbear
  3. SSH in with key
  4. Run cryptroot-unlock and enter your passphrase
  5. Volume unlocks, Dropbear shuts down, boot continues automatically
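Added example, not from the original notes: a small POSIX sh script to check the setup above before rebooting, since a rescue login that does not work is only discovered when the box is stuck at the LUKS prompt. It validates the authorized_keys lines, checks whether each key carries a forced command (Dropbear honours the OpenSSH-style options no-port-forwarding, no-agent-forwarding, no-X11-forwarding and command="..."), and parses an lsinitramfs listing to confirm the rebuilt image actually contains the Dropbear server, the key file and cryptroot-unlock. The paths /etc/dropbear/initramfs/authorized_keys, /boot/initrd.img-<kernel version> and /bin/cryptroot-unlock are assumptions about the Debian/Ubuntu layout; the sample listing and sample key are constructed.

```shell
#!/bin/sh
# Added example (not part of the original notes). Assumed Debian/Ubuntu paths:
#   /etc/dropbear/initramfs/authorized_keys, /boot/initrd.img-<kernel version>
# lsinitramfs is provided by initramfs-tools.

# valid_key_line LINE: 0 if LINE is an OpenSSH-format public key Dropbear can
# use, optionally prefixed with options (no-port-forwarding,... ,command="..."),
# 1 otherwise. Only the shape is checked, not the key material itself.
valid_key_line() {
    printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*([[:space:]]|$)'
}

# key_is_restricted LINE: 0 if the key line carries a forced command, so a
# login with this key can only run the unlock helper instead of a full shell.
key_is_restricted() {
    printf '%s\n' "$1" | grep -Eq '(^|,)command="[^"]+"'
}

# image_has_unlock_parts LISTING: LISTING is lsinitramfs output, one path per
# line. Returns 0 if it contains the dropbear binary, an authorized_keys file
# and cryptroot-unlock. Matched by file name only, because the directories
# inside the image depend on the dropbear-initramfs version (assumption).
image_has_unlock_parts() {
    listing=$1
    printf '%s\n' "$listing" | grep -Eq '(^|/)dropbear$' &&
    printf '%s\n' "$listing" | grep -Eq '(^|/)authorized_keys$' &&
    printf '%s\n' "$listing" | grep -Eq '(^|/)cryptroot-unlock$'
}

# check_live_system: runs the checks against this host; needs root and the
# packages from the notes installed. Exit status 0 means everything passed.
check_live_system() {
    keys=/etc/dropbear/initramfs/authorized_keys
    image=/boot/initrd.img-$(uname -r)
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    # the key file should not be world readable (assumed convention: mode 600)
    [ "$(stat -c %a "$keys")" = "600" ] || echo "warning: $keys is not mode 600"
    # skip blank and comment lines, validate the rest
    grep -v '^[[:space:]]*\(#\|$\)' "$keys" | while IFS= read -r line; do
        valid_key_line "$line" || { echo "unusable key line: $line"; exit 1; }
        key_is_restricted "$line" || echo "note: key has no command= restriction: $line"
    done || return 1
    image_has_unlock_parts "$(lsinitramfs "$image")" ||
        { echo "$image lacks dropbear, authorized_keys or cryptroot-unlock"; return 1; }
    echo "ok: $image is ready for remote unlock"
}

# Constructed sample inputs standing in for real lsinitramfs output and a real key.
SAMPLE_LISTING='bin/cryptroot-unlock
etc/dropbear/authorized_keys
usr/sbin/dropbear
usr/lib/x86_64-linux-gnu/libc.so.6'

SAMPLE_KEY='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl admin@laptop'

# "sh check.sh live" runs the real checks; without an argument nothing is touched.
if [ "${1:-}" = live ]; then
    check_live_system
fi
```

With a forced command like the one in SAMPLE_KEY, step 4 of the boot sequence happens on its own: the SSH login runs cryptroot-unlock directly and the session ends once the volume is open, so the rescue key never gets a shell inside the initramfs. Keep in mind that the initramfs Dropbear has its own host key, different from the system's OpenSSH host key, so your client will warn about a changed key on the same address unless you use a separate known_hosts entry or port for the boot-time login.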