As already described in my previous post Headless Debian install via SSH, I am dealing with a headless system. As I am encrypting my system and drives with LUKS, I need a way to enter the password in case of a reboot.

So what is the solution?

First install Dropbear on the server with apt-get install dropbear. Then configure networking in the initramfs by editing /etc/initramfs-tools/initramfs.conf. You will probably have to add the lines for Dropbear and update the device string. This configuration uses DHCP to obtain an IP address; if you have a static configuration, use: IP=<SERVER-IP>::<STANDARD-GATEWAY>:<SUBNETMASK>:<HOSTNAME>:eth0:off

# DROPBEAR: [ y | n ]
# Use dropbear if available.


Next, delete the standard private and public keys on the server

rm /etc/initramfs-tools/root/.ssh/id_rsa
rm /etc/initramfs-tools/root/.ssh/

Then create your own key pair (we assume you use id_rsa as a name) on your client machine and upload it to the server.

scp ~/.ssh/

After that, log in to the server, add the key to the authorized_keys file and remove the public key from the server.

ssh myuser@debian_headless
sudo sh -c "cat >> /etc/initramfs-tools/root/.ssh/authorized_keys"

Now we need to update the initramfs and GRUB by running update-initramfs -u -k all and update-grub2.

On some configurations the network is not reconfigured with its runtime values once the system has booted, so we need to trigger an update. Edit /etc/network/interfaces and add pre-up ip addr flush dev eth0 as the first line of the primary interface.

Restart the server and log in from your client with ssh -i ~/.ssh/id_rsa root@<server-ip> to enter the password that unlocks the disk:

echo -n "<LUKS encryption password>" > /lib/cryptsetup/passfifo

EDIT: on newer systems, running cryptroot-unlock will suffice.

The server should now boot normally and regular SSH should come up.
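
A pre-reboot check for the steps above, added here as an example and not part of the original post: it verifies that initramfs.conf enables Dropbear and sets a device and an IP value (dhcp or the seven-field static form), that the default private key is gone, and that authorized_keys holds a key. The function names, the expected DROPBEAR=y, DEVICE= and IP=dhcp lines, and the sample tree are assumptions.

```shell
#!/bin/sh
# Pre-reboot check of the initramfs SSH-unlock setup (added example).
# check_unlock_setup [ROOT] prints findings and returns the number of problems.

conf_value() {  # conf_value FILE KEY -> value of the last uncommented KEY= line
  sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

check_unlock_setup() {
  problems=0
  conf="${1:-}/etc/initramfs-tools/initramfs.conf"
  sshdir="${1:-}/etc/initramfs-tools/root/.ssh"

  [ "$(conf_value "$conf" DROPBEAR)" = "y" ] || fail "DROPBEAR=y not set in $conf"
  [ -n "$(conf_value "$conf" DEVICE)" ] || fail "DEVICE not set in $conf"

  ip=$(conf_value "$conf" IP)
  case "$ip" in
    dhcp) ;;
    "") fail "IP not set in $conf" ;;
    *)  # static form from the post: seven colon-separated fields
      n=$(printf '%s\n' "$ip" | awk -F: '{ print NF }')
      [ "$n" -eq 7 ] || fail "IP has $n fields, expected 7" ;;
  esac

  # The default private key the post deletes must not end up in the image.
  [ ! -e "$sshdir/id_rsa" ] || fail "default private key still present in $sshdir"

  # At least one public key line (options before the key type are allowed).
  grep -Eq '(^|[[:space:]])(ssh-|ecdsa-)[a-z0-9-]+[[:space:]]+[A-Za-z0-9+/=]+' \
    "$sshdir/authorized_keys" 2>/dev/null || fail "no public key in authorized_keys"
  return "$problems"
}

make_sample() {  # make_sample ROOT IP -> constructed config tree for testing
  mkdir -p "$1/etc/initramfs-tools/root/.ssh"
  printf 'DROPBEAR=y\nDEVICE=eth0\nIP=%s\n' "$2" > "$1/etc/initramfs-tools/initramfs.conf"
  echo "ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY user@client" \
    > "$1/etc/initramfs-tools/root/.ssh/authorized_keys"
}

# Demo on a constructed tree, not a real system.
demo_root=$(mktemp -d)
make_sample "$demo_root" dhcp
check_unlock_setup "$demo_root" && echo "OK: safe to update-initramfs and reboot"
rm -rf "$demo_root"
```

On the server itself, call check_unlock_setup without an argument so that it reads the real files under /etc/initramfs-tools.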


You can also create a little script for the passphrase in /etc/initramfs-tools/hooks/unlock

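#!/bin/sh

PREREQ="dropbear"  # assumed prerequisite: run after the dropbear hook

prereqs() {
  echo "$PREREQ"
}

case $1 in
  prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Write /root/unlock into the image; it prompts for the passphrase and feeds the FIFO.
cat > "${DESTDIR}/root/unlock" << EOF
#!/bin/sh
/lib/cryptsetup/askpass 'passphrase: ' > /lib/cryptsetup/passfifo
EOF

chmod u+x "${DESTDIR}/root/unlock"

exit 0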

Do not forget to make it executable with chmod +x /etc/initramfs-tools/hooks/unlock and update initramfs with update-initramfs -u -k all and update-grub2


