If you're running a headless Linux server with a LUKS-encrypted root disk, you probably know the pain of needing a keyboard, KVM, or physical presence to unlock it at boot. No thanks. Here's a simple way to integrate Dropbear SSH into your initramfs, so you can securely unlock your disk remotely over SSH — perfect for homelabbers, render nodes, or just anyone who values convenience without sacrificing encryption.
This guide assumes the drive is already encrypted with LUKS, which you would have configured when setting up Ubuntu drive encryption initially. Enabling LUKS on an unencrypted drive is out of scope here. Note that this also works with PopOS, as their installer uses LUKS under the hood to encrypt your drive during setup.
Install Dropbear
This will install dropbear and add its default configuration. busybox is needed on Debian specifically, since it does not come by default in server mode. I learned the hard way that your system will be bricked without busybox.
sudo apt install dropbear-initramfs busybox
Add SSH Keys
You can use separate ones, or the same keys as you use for standard SSH auth.
sudo curl https://github.com/marcqualie.keys -o /etc/dropbear/initramfs/authorized_keys
sudo chmod 600 /etc/dropbear/initramfs/authorized_keys
Replace marcqualie with your own GitHub username, unless you want me to have access to your servers. I'd rather not.
Configure networking for initramfs
Find your device ID with ip a and add it to the initramfs config.
sudo nano /etc/initramfs-tools/initramfs.conf
DEVICE=eth0
Configure Dropbear
Add options to dropbear config if you don't want the defaults. I like to run mine on port 2222 so it's very clear it's an unlock session only.
sudo nano /etc/dropbear/initramfs/dropbear.conf
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"
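A check worth running before the rebuild, as an added example rather than part of the original guide: it confirms authorized_keys holds real public keys with owner-only permissions (curl without -f will save an HTTP error page as if it were a key file) and that DROPBEAR_OPTIONS still carries the restrictive flags. The function names and the run argument are hypothetical, and the accepted key types are an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-rebuild checks for the two
# files edited above. Function names and the "run" argument are hypothetical.

# check_keys FILE: file must be non-empty, owner-only, and every non-comment
# line must hold an OpenSSH public key (catches a saved "Not Found" page).
check_keys() {
    f=$1
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ] || { echo "FAIL: $f is group/world accessible"; return 1; }
    # Key types checked here are an assumption: rsa, ecdsa, ed25519.
    keyre='(^|[[:space:]])(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+AAAA[A-Za-z0-9+/]+=*([[:space:]]|$)'
    total=$(grep -Evc '^[[:space:]]*(#|$)' "$f" || true)
    good=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -Ec "$keyre" || true)
    if [ "$good" -eq 0 ] || [ "$good" -ne "$total" ]; then
        echo "FAIL: $f has $total entries but only $good valid public keys"
        return 1
    fi
}

# check_opts FILE: DROPBEAR_OPTIONS should keep the restrictions used above:
#   -s no password logins, -j/-k no local/remote port forwarding,
#   -c cryptroot-unlock forces the unlock prompt instead of a shell.
check_opts() {
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1)
    rc=0
    for want in "-s" "-j" "-k" "-c cryptroot-unlock"; do
        case " $opts " in
            *" $want "*) ;;
            *) echo "WARN: DROPBEAR_OPTIONS lacks '$want'"; rc=1 ;;
        esac
    done
    return $rc
}

# Only read the real files when called as: sudo sh check.sh run
if [ "${1:-}" = "run" ]; then
    check_keys /etc/dropbear/initramfs/authorized_keys &&
        check_opts /etc/dropbear/initramfs/dropbear.conf &&
        echo "OK: checks passed"
fi
```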
Update initramfs
sudo update-initramfs -u -k all
Reboot and test
Once it comes back up, startup will be halted by dropbear waiting for the unlock key. You can now use SSH to unlock this remotely.
ssh -p 2222 root@192.168.1.x
That's it — no more dragging a keyboard across the room just to type your disk passphrase. This setup gives you a secure, clean remote unlock workflow, and you can adapt it to any of your LUKS-encrypted boxes.