this post was submitted on 26 Oct 2025

42 points (97.7% liked)

Linux

62803 readers

112 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

[DONE] LUKS decrypt at boot over SSH! (lemmy.world)

submitted 3 months ago by clif@lemmy.world to c/linux@lemmy.ml

6 comments fedilink hide all child comments

Follow up from https://lemmy.world/post/37310527

We did it gang, and we went even further to be able to enter the LUKS password from anywhere via Tailscale.

The general Dropbear info from the Debian wiki seems accurate though it included dropbearconvert usage that wasn't mentioned elsewhere. Unsure if that was needed or not but I did it anyway.

I also referenced this guide. I especially enjoyed the -c cryptroot-unlock param to Dropbear so it automatically prompts me for the password on login.

I've been getting familiar with Tailscale over the past few weeks and also just replaced my home router (immediately flashed with OpenWRT). Turns out you can run Tailscale on OpenWRT and cajigger it in a way that you can use the router as an exit node while allowing LAN access. So, I did that. Now, with Dropbear, the static IP in my initramfs, and Tailscale, if the server reboots while I'm away from home I can SSH via my phone and enter the LUKS password to allow it to boot.

... mostly it's just going to be when I don't want to dig behind my desk to plug in a keyboard, but the truly remote option is nice too.

Thanks for all the input.

all 7 comments

sorted by: hot top controversial new old

[–] user224 6 points 3 months ago (1 children)

Huh? I was just randomly searching for something like this yesterday.

[–] clif@lemmy.world 2 points 3 months ago (1 children)

I hadn't heard of Dropbear until I started researching this... cool project. That seems to be the ticket if you're wanting manual intervention to unlock the disk. If you want automatic unlock via another server on the network, sounds like Clevis may be the thing.

[–] just_another_person@lemmy.world 1 points 3 months ago (1 children)

I think you were told MANY times in the last thread...that's not all Clevis is used for. You misunderstood the tool.

[–] clif@lemmy.world 2 points 3 months ago* (last edited 3 months ago)

I am not a smart person and it wasn't the right tool for my job so I didn't research it further once that was established. Maybe if somebody told me one more time it'd stick.

EDIT : In case anyone is curious : https://github.com/latchset/clevis

[–] yo_scottie_oh@lemmy.ml 2 points 2 weeks ago* (last edited 1 week ago) (1 children)

Did you run into any issues setting up dropbear or did you get it working on the first try?

I'm attempting to follow the same guide that you linked to, the only difference being that I haven't configured a static IP (I don't think this step is required). Every other instruction, I believe I've followed to the letter (for the new version).

Where I'm stuck is after copying the client's public key to the server, updating initrd, rebooting, waiting for the disk encryption prompt, and issuing ping <server-ip> on the client (replacing <server-ip> and <port-number> with the actual IP and port number):

myuser@client:~$ ping <server-ip>
PING <server-ip> (<server-ip>) 56(84) bytes of data.
From <server-ip> icmp_seq=10 Destination Host Unreachable
From <server-ip> icmp_seq=11 Destination Host Unreachable

Unsurprisingly, I'm unable to ssh in from the client:

myuser@client:~$ ssh -i ~/.ssh/dropbear -p <port-number> -o "HostKeyAlgorithms ssh-rsa" root@<server-ip>
ssh: connect to host <server-ip> port <port-number>: No route to host

Since the server is a laptop, I can physically enter the decryption key on the server itself, and then go back to the client and ping the server successfully.

I have not attempted the steps described on the Debian wiki (networking setup or converting the public keys to PEM). Should I add IP=:::::eth0:dhcp to initramfs.conf? Any pointers on what I should check?

EDIT: I'm attempting all of this over wifi, in case that matters (I have a feeling it matters, but I'm not sure what I'm supposed to do differently).

EDIT 2: I found a guide from 2017 by Marc Fargas (Enable Wireless networks in Debian Initramfs). Also found this thread from 2021 on StackExchange (How can I enable wireless for a dropbear-initramfs), wherein somebody links to this GH gist (Sample files to enable wireless on Debian initramfs ). I'll attempt to follow these guides and report back.

[–] clif@lemmy.world 1 points 1 week ago* (last edited 1 week ago)

Hey bud - for the most part it worked great following the guide. The static IP was very important because dropbear is active before DNS (at least in my config) so you have to configure it in a way that you can definitively find it - and a static IP was the way. I just gave it an easy to remember one at 10.0.0.3 since I already have important things at *.1 and *.2.

Another thing that tripped me up originally is that you need to SSH as the root user. That doesn't seem to be your problem since you're not getting there over the network, but FYI for when you fix it.

Destination Host Unreachable

That's definitely a network problem. Maybe fire it up and then check your router for active IP leases and see which one it took?

I’m attempting all of this over wifi, in case that matters

It probably shouldn't matter in any super meaningful way, but I do have mine hardwired with cat6 so that could definitely be a difference.

Definitely let us know how it goes - you're adding to the knowledge pool and that's awesome.

EDIT : Make sure you can find it on the network first, then work backwards from there. At the moment, it seems like you aren't getting network connectivity.