<Marc Qualie/>

Decrypting LUKS Ubuntu LVM via SSH on boot


If you're running a headless Linux server with a LUKS-encrypted root disk, you probably know the pain of needing a keyboard, KVM, or physical presence to unlock it at boot. No thanks. Here's a simple way to integrate Dropbear SSH into your initramfs, so you can securely unlock your disk remotely over SSH — perfect for homelabbers, render nodes, or just anyone who values convenience without sacrificing encryption.

This guide assumes the drive is already encrypted with LUKS, which you would have configured when enabling drive encryption during the Ubuntu install. Enabling LUKS on a non-encrypted drive is out of scope here. Note that this also works with PopOS, as its installer uses LUKS under the hood to encrypt your drive during setup.

Install Dropbear

This installs dropbear and adds its default initramfs configuration. busybox is needed specifically on Debian, since it is not installed by default in server mode. I learned the hard way that your system will be bricked without busybox.

sudo apt install dropbear-initramfs busybox

Add SSH Keys

You can use separate ones, or the same keys as you use for standard SSH auth.

sudo curl https://github.com/marcqualie.keys -o /etc/dropbear/initramfs/authorized_keys
sudo chmod 600 /etc/dropbear/initramfs/authorized_keys

Replace marcqualie with your own GitHub username, unless you want me to have access to your servers. I'd rather not.

Configure networking for initramfs

Find your network device name with ip a and add it to the initramfs config.

sudo nano /etc/initramfs-tools/initramfs.conf
DEVICE=eth0

Configure Dropbear

Add options to dropbear config if you don't want the defaults. I like to run mine on port 2222 so it's very clear it's an unlock session only.

sudo nano /etc/dropbear/initramfs/dropbear.conf
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"

Update initramfs

sudo update-initramfs -u -k all

Reboot and test

Once it comes back up, boot halts at the cryptsetup passphrase prompt while dropbear listens in the initramfs. You can now unlock the disk remotely over SSH; the forced command from the config above runs cryptroot-unlock, which prompts you for the passphrase.

ssh -p 2222 root@192.168.1.x
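A pre-flight script for the configuration built above, added here as an example (it is not the post's own code): it checks that DROPBEAR_OPTIONS keeps the hardening flags and that the initramfs authorized_keys file holds only real public keys, so you can run it before update-initramfs on each box. It assumes the file paths used in this post.

```sh
#!/bin/sh
# Pre-flight check for the dropbear-initramfs remote-unlock setup in the post.
# Added example, not the post's own code. It verifies the hardening flags in
# DROPBEAR_OPTIONS and the initramfs authorized_keys file before update-initramfs runs.
# The paths are those used in the post; override them via the environment if yours differ.

DROPBEAR_CONF="${DROPBEAR_CONF:-/etc/dropbear/initramfs/dropbear.conf}"
AUTH_KEYS="${AUTH_KEYS:-/etc/dropbear/initramfs/authorized_keys}"

# Return 0 when every flag the post relies on is present in the option string:
# -s (no password logins), -j and -k (no port forwarding) and
# -c cryptroot-unlock (forced command, so a session can only unlock the disk).
check_dropbear_options() {
    opts=" $1 "
    for flag in "-s" "-j" "-k" "-c cryptroot-unlock"; do
        case "$opts" in
            *" $flag "*) ;;
            *) echo "missing dropbear flag: $flag" >&2; return 1 ;;
        esac
    done
    return 0
}

# Return 0 when the file holds at least one key and every non-comment line
# starts with a recognised OpenSSH public-key type (a stray line here is
# usually a pasted error page rather than a key).
check_authorized_keys() {
    file="$1"
    [ -f "$file" ] || { echo "no authorized_keys at $file" >&2; return 1; }
    keys=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ""|"#"*) ;;
            "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-"*) keys=$((keys + 1)) ;;
            *) echo "unrecognised line in $file: ${line%% *}" >&2; return 1 ;;
        esac
    done < "$file"
    [ "$keys" -gt 0 ] || { echo "no keys in $file" >&2; return 1; }
    return 0
}

# Run both checks against the live config:  sh preflight.sh --check
main() {
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$DROPBEAR_CONF" 2>/dev/null)
    check_dropbear_options "$opts" && check_authorized_keys "$AUTH_KEYS" \
        && echo "ok: safe to run update-initramfs -u -k all"
}
case "${1:-}" in --check) main ;; esac
```

Dropbear in the initramfs has its own host key, separate from the main system's OpenSSH key, so the first connection on port 2222 will show a new fingerprint; record it after the first unlock so a later change stands out.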

That's it — no more dragging a keyboard across the room just to type your disk passphrase. This setup gives you a secure, clean remote unlock workflow, and you can adapt it to any of your LUKS-encrypted boxes.

If you have any questions about this post, or anything else, you can get in touch on Bluesky or browse my code on Github.