Remotely Unlock Fully Encrypted Debian Squeeze

Author: Stephan Jau
Revision: v1.0
Last Change: April 14, 2012


In the past I have written several howtos for remotely unlocking fully encrypted Debian installations. With the advent of Debian Squeeze, the developers have integrated a simple way to do so. Most stuff is provided directly by Debian itself - meaning you don't need 3rd party scripts anymore. However it still involves a few steps which I describe below. Also I provide you with a bash script that will do all the steps automatically.

I recommend to test the individual steps and the script first in a VM to see how it goes.


1. Install Necessary Packages

apt-get install dropbear busybox


2. Edit /etc/initramfs-tools/initramfs.conf

Set the following parameters to the values below:


Of course select your appropriate network device on which you want to connect to and set your according IP address, gateway and subnet mask. Those settings will only have an effect during reboot to reach the dropbear ssh server. If your machine usually uses IP address you can still set it to The .99 address will then only be available for remote unlocking. Once it's unlocked and the normal boot process continues, it will use the real address then. However I prefer to always use the same IP address.


3. Create Host Keys In /etc/initramfs-tools/etc/dropbear/

Upon installation of dropbear it should have created according host keys. However to make sure that they really exist, we're going to remove the existing ones and recreate them.

rm /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
rm /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
dropbearkey -t dss -f /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key


4. Create Private And Public Keys

For authenticating with dropbear, we'll create a new pair of private and public keys. So they don't mix up with the ones available when the system is booted.

rm -Rf /etc/initramfs-tools/root/.ssh
mkdir -p /etc/initramfs-tools/root/.ssh
mkdir -p /root/reboot
dropbearkey -t rsa -f /root/reboot/reboot_rsa.dropbear
/usr/lib/dropbear/dropbearconvert dropbear openssh /root/reboot/reboot_rsa.dropbear /root/reboot/reboot_rsa
dropbearkey -y -f /root/reboot/reboot_rsa.dropbear | grep "^ssh-rsa " > /root/reboot/
cat /root/reboot/ >> /etc/initramfs-tools/root/.ssh/authorized_keys

In this example you can see that I named them "reboo". You can chose any name for them, you'll just have to be sure to alter everything accordingly. In the provided bash script, you can set a prefix to name them to your wishes. I suggest to use the hostname as prefix so you know what keypair belongs to which machine.


5. Update initramfs

update-initramfs -u


6. SCP The Private Key To Local Machine

On your local machine, not the encrypted remote machine, run the following command:

scp root@REMOTE:/root/reboot/reboot_rsa ~/.ssh/

That will copy the previously generated private key to your local machine. You need the private key to unlock the remote machine upon reboot.


7. Create Unlock Script On Local Machine

Create a local shell script file with the following content. Of course replace YOURENCRYPTIONPASSWORD with the actual password to unlock the remote machine.

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.reboot" -i ~/.ssh/reboot_rsa root@REMOTE "echo -ne \"YOURENCRYPTIONPASSWORD\" >/lib/cryptsetup/passfifo"


8. Test It

Now you have the REMOTE encrypted machine prepared, you have stored the private key on your local machine and you created a little script to login into the remote machine and provide the LUKS password to it.

Reboot now your remote encrypted machine and when it asks for the encryption password, just run that script created in step 7 on your local machine.

To read more about it, you can find the info in the /usr/share/doc/cryptsetup/README.remote.gz file.


Bash Script

As mentioned at the beginning, I also provide you with a bash script that does all the steps. Simply download the attached bash script, put it onto your encrypted Debian, edit the top part and set your prefix, network device and network settings. Save it, make it executable and run it as root.

Bash script: debian_crypto

Share this page:

2 Comment(s)

Add comment


From: Niklas

Great tutorial, remember that certain characters in your password might need to be escaped as well. Took me some time to figure out ;-)

From: Niklas

Tutorial is still great ;-)

Debian changed the naming convention of its interfaces. If your network does not work, try replacing "eth0" with something like "enp2s0" in /etc/initramfs-tools/initramfs.conf