Remotely Unlocking LUKS-Encrypted Proxmox with Dropbear SSH at Boot

This guide explains how to set up remote unlocking via SSH during the early boot stage using Dropbear inside the initramfs environment on a LUKS-encrypted Proxmox system.

Overview

When Proxmox boots with encrypted disks, the root filesystem cannot be mounted until the disk encryption passphrase is entered. The system loads an early minimal environment called initramfs, which does not yet have the full operating system or network services running.

To remotely unlock the disk, we install Dropbear, a lightweight SSH server, inside this initramfs. Dropbear allows an administrator to SSH into the machine at boot time and enter the LUKS passphrase remotely. Once unlocked, the system continues booting normally.


1. Copy Your SSH Public Key to the Server

ssh-copy-id -i /root/.ssh/id_rsa [email protected]
  • This copies your SSH public key to the server's /root/.ssh/authorized_keys, enabling key-based authentication.

  • Key-based login is mandatory for security since password authentication in initramfs is disabled.


2. Install Dropbear in Initramfs

apt install dropbear-initramfs
  • This installs Dropbear configured to run inside the initramfs environment at boot.

  • Dropbear is much smaller than OpenSSH, which makes it suitable for the minimal initramfs setup.

3. Configure a Static IP Address for Initramfs

Edit /etc/initramfs-tools/initramfs.conf to specify the IP address and network settings for Dropbear during early boot.

Example:

cat << 'EOF' >> /etc/initramfs-tools/initramfs.conf
IP=192.168.1.10::192.168.1.1:255.255.255.0::enp2s0:off
EOF
  • Replace 192.168.1.10 with the same static IP address that your Proxmox host normally uses.

  • This ensures the server is reachable at the same IP address during early boot (initramfs) and after full boot.

  • Replace 192.168.1.1 with your gateway and enp2s0 with your actual network interface name.

  • The IP must match your network to enable SSH connectivity in initramfs.

4. Add Your SSH Key to Dropbear’s Authorized Keys Inside Initramfs

cp /root/.ssh/authorized_keys /etc/dropbear/initramfs/authorized_keys
chmod 600 /etc/dropbear/initramfs/authorized_keys
  • Dropbear uses this file to authenticate users connecting during early boot.

  • Proper permissions ensure Dropbear will read the keys securely.

5. Rebuild the Initramfs and Reboot

update-initramfs -u
reboot
  • This regenerates the initramfs image to include Dropbear and your updated keys.

  • Upon reboot, Dropbear starts inside initramfs and listens for SSH connections on the static IP.

Note: You may see error messages from cryptsetup about unresolved devices or device mismatches during boot. These are expected because the disk is still locked and will be resolved once unlocked.
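Before rebooting it is worth confirming that the IP= line from step 3 is well-formed and that the image rebuilt in step 5 really contains Dropbear and the key file, since either mistake leaves the host unreachable at the passphrase prompt. The following check script is an added example and not part of the original guide; file paths follow the guide, while the in-image locations matched by grep are assumptions about how the dropbear-initramfs hook lays out the initrd.

```shell
#!/bin/sh
# Added check script (not from the original guide): validate the IP= line
# in /etc/initramfs-tools/initramfs.conf and verify the rebuilt initramfs
# carries Dropbear plus its authorized_keys. The grep patterns for paths
# inside the image are assumptions about the dropbear-initramfs hook.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Validate one "IP=client:server:gateway:netmask:hostname:device:autoconf"
# line. Server and hostname may be empty; client, gateway, netmask and
# device must be set, and autoconf must be "off" for a static address.
validate_ip_line() {
    value=${1#IP=}
    n=$(printf '%s' "$value" | awk -F: '{ print NF }')
    [ "$n" = 7 ] || { echo "IP=: expected 7 colon-separated fields, got '$n'" >&2; return 1; }
    client=$(printf '%s' "$value" | cut -d: -f1)
    gateway=$(printf '%s' "$value" | cut -d: -f3)
    netmask=$(printf '%s' "$value" | cut -d: -f4)
    device=$(printf '%s' "$value" | cut -d: -f6)
    autoconf=$(printf '%s' "$value" | cut -d: -f7)
    for addr in "$client" "$gateway" "$netmask"; do
        is_ipv4 "$addr" || { echo "IP=: '$addr' is not a valid IPv4 address" >&2; return 1; }
    done
    [ -n "$device" ] || { echo "IP=: interface name (field 6) is empty" >&2; return 1; }
    [ "$autoconf" = off ] || { echo "IP=: autoconf must be 'off' for a static address" >&2; return 1; }
}

# Confirm the initramfs image (default: the running kernel's) contains the
# Dropbear binary and the authorized_keys copied in step 4.
check_initramfs_image() {
    img=${1:-/boot/initrd.img-$(uname -r)}
    command -v lsinitramfs >/dev/null 2>&1 || { echo "lsinitramfs not found" >&2; return 1; }
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
    listing=$(lsinitramfs "$img") || return 1
    printf '%s\n' "$listing" | grep -q '/dropbear$' \
        || { echo "$img: dropbear binary not found" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q 'dropbear/authorized_keys$' \
        || { echo "$img: dropbear authorized_keys not found" >&2; return 1; }
    echo "ok: $img contains dropbear and authorized_keys"
}

# Run on the Proxmox host after update-initramfs, before rebooting:
#   sh check-dropbear-initramfs.sh --run
if [ "$1" = "--run" ]; then
    grep '^IP=' /etc/initramfs-tools/initramfs.conf | while read -r line; do
        validate_ip_line "$line" && echo "ok: $line"
    done
    check_initramfs_image
fi
```

Because the initramfs Dropbear has its own host key, connecting to the same IP after the first full boot triggers the ssh client's host-key-changed warning; keep the early-boot key in a separate file (for example `-o UserKnownHostsFile=~/.ssh/known_hosts.initramfs`) so that the warning stays meaningful instead of being habitually ignored.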

6. Unlock the Encrypted Disk via SSH

After reboot, connect to your server via SSH:

ssh [email protected]
cryptroot-unlock
  • This command prompts for the LUKS passphrase.

  • Enter the disk encryption password to unlock the root filesystem.

  • Once unlocked, the server continues the normal boot process.

  • The SSH session will close automatically after unlocking.


Why Use the Same IP Address?

  • The IP configured in initramfs.conf must be the same static IP that Proxmox uses after boot, so you can reach the server consistently before and after disk unlocking.

  • If the IP differs, you must remember and connect to a separate address during early boot, which complicates management.

  • Using the same IP minimizes network confusion and prevents failures where Dropbear is unreachable because of misconfigured networking in initramfs.


Important Notes

  • Ensure the network interface name and IP subnet configurations are correct and valid on your network. Incorrect settings cause Dropbear SSH to be unreachable.

  • This method requires that the network is fully operational inside initramfs, which depends on correct static IP configuration.

  • For emergency access, consider alternate recovery options if network unlock fails.

  • Always secure your authorized SSH keys to maintain security during early boot.

This setup enables secure, seamless remote disk unlocking for encrypted Proxmox systems, improving convenience without sacrificing security.
