If you're running a headless Linux server with a LUKS-encrypted root disk, you probably know the pain of needing a keyboard, KVM, or physical presence to unlock it at boot. No thanks. Here's a simple way to integrate Dropbear SSH into your initramfs, so you can securely unlock your disk remotely over SSH — perfect for homelabbers, render nodes, or just anyone who values convenience without sacrificing encryption.
This guide assumes the drive is already encrypted with LUKS which you would have configured when setting up ubuntu drive encryption initially. Enabling LUKS on a non encrypted drive is out of scope here. Note, this also works with PopOS as their installer uses LUKS under the hood to encrypt your drive during setup.
Install Dropbear
sudo apt install dropbear-initramfsAdd SSH Keys
You can use separate ones, or the same keys as you used for standard SSH auth.
curl https://github.com/marcqualie.keys > /etc/dropbear/initramfs/authorized_keys
chmod 600 /etc/dropbear/initramfs/authorized_keysConfigure networking for initramfs
Find your device ID wirth ip a and add it to initramfs config.
sudo nano /etc/initramfs-tools/initramfs.confDEVICE=eth0Configure Dropbear
Add options to dropbear config if you don't want the defaults. I like to run mine on port 2222 so it's very clear it's an unlock session only.
sudo nano /etc/dropbear/initramfs/dropbear.confDROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"Update initramfs
sudo update-initramfs -uReboot and test
Once it comes back up the startup will be halted by dropbear waiting for the unlock key. You can now use SSH to unlock this remotely.
ssh -p 2222 [email protected]That's it — no more dragging a keyboard across the room just to type your disk passphrase. This setup gives you a secure, clean remote unlock workflow, and you can adapt it to any of your LUKS-encrypted boxes.