Updated for Ubuntu 22.04
Install Software
sudo apt update
sudo apt -y upgrade
sudo apt install -y busybox dropbear*
Note that the dropbear* pattern pulls in every dropbear package, including dropbear-run, which installs dropbear as a regular SSH service next to sshd; dropbear-initramfs (which depends on dropbear-bin) is all the unlock shell needs.
Create and add key
ssh-keygen -b 4096 -t rsa -f ~/luks_unlock_key -N ""
Then add the public key (the one just generated, ~/luks_unlock_key.pub, or an existing one such as ~/.ssh/id_rsa.pub) to the file /etc/dropbear/initramfs/authorized_keys. The append has to happen as root: a plain "sudo cat ... >> file" runs the redirection with your own privileges and fails, so use tee:
cat ~/luks_unlock_key.pub | sudo tee -a /etc/dropbear/initramfs/authorized_keys
or, from a root shell:
sudo -i
echo "mypublickeydata" >> /etc/dropbear/initramfs/authorized_keys
exit
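The following is an added example, not part of the original page: a small POSIX shell helper that does the authorized_keys step above safely. It refuses input that does not look like a public key line, only appends a key that is not already present (so re-running the setup does not duplicate entries), and keeps the file readable by root only. Paths are parameters, the key material in the comments is constructed, and the script file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original page: append the unlock public key
# to dropbear's authorized_keys idempotently, refusing input that does not look
# like a public key. File paths are parameters; the script name below is
# hypothetical. For the real file, run as root, e.g.:
#   sudo sh -c '. ./add_unlock_key.sh; add_unlock_key /home/me/luks_unlock_key.pub /etc/dropbear/initramfs/authorized_keys'

# is_pubkey_line LINE -> 0 if LINE has the shape "<key-type> <base64-blob> [comment]"
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# add_unlock_key PUBKEY_FILE AUTHORIZED_KEYS_FILE [OPTIONS]
# Appends the first line of PUBKEY_FILE to AUTHORIZED_KEYS_FILE unless an
# identical line is already present, and keeps the file readable by root only.
# OPTIONS, if given, is prepended as authorized_keys options (assumption: the
# dropbear in use accepts OpenSSH-style options such as no-port-forwarding).
add_unlock_key() {
    pubkey_file=$1
    auth_file=$2
    options=$3
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    key=$(head -n 1 "$pubkey_file")
    is_pubkey_line "$key" || { echo "not a public key line: $pubkey_file" >&2; return 1; }
    [ -n "$options" ] && key="$options $key"
    # -F -x: fixed string, whole line, so a key that is a prefix of another does not match
    if [ -f "$auth_file" ] && grep -Fxq -- "$key" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    mkdir -p "$(dirname "$auth_file")"
    printf '%s\n' "$key" >> "$auth_file"
    chmod 600 "$auth_file"
}

# count_keys AUTHORIZED_KEYS_FILE -> number of key lines in the file (0 if absent)
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec '(^|[ ,])(ssh-|ecdsa-)' "$1" || true
}
```

The whole-line match (grep -F -x) is what makes the helper idempotent: a second run with the same key reports it as present instead of appending it again, and a malformed line never reaches the file.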
Update config (optional)
sudo nano /etc/dropbear/initramfs/dropbear.conf
Add these options (in the commented example, -I 180 sets an idle timeout in seconds, -j and -k disable local and remote port forwarding, -p sets the listening port and -s disables password logins):
#DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"
DROPBEAR_OPTIONS="-p 2222"
Set Static IP (optional)
sudo nano /etc/initramfs-tools/initramfs.conf
Add config, using the format
IP=IPADDRESS::GATEWAY:NETMASK:HOSTNAME:ADAPTER
(the empty second field is the NFS server address, which stays empty here), for example:
IP=192.168.0.100::192.168.0.1:255.255.255.0:ubuntu:enp2s0
Update initramfs
Regenerate the initramfs so it picks up the changes:
sudo update-initramfs -u -k all
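Before rebooting into a system that can only be unlocked remotely, it is worth checking that the new initramfs actually contains what the steps above configured. The following added example (not part of the original page) builds the IP= line for initramfs.conf with basic address validation, and checks an initramfs listing for a dropbear binary, an authorized_keys file and cryptroot-unlock. The sample listing in the test is constructed; in practice the listing comes from lsinitramfs, and the exact paths inside the initramfs are an assumption, which is why only path suffixes are matched.

```shell
#!/bin/sh
# Added example, not part of the original page: build the initramfs "IP=" line
# with basic validation, and check an initramfs listing for the pieces the
# remote unlock needs before rebooting. Real usage:
#   lsinitramfs /boot/initrd.img-$(uname -r) | check_initramfs_listing
# The paths matched below (usr/sbin/dropbear, etc/dropbear/authorized_keys,
# usr/bin/cryptroot-unlock) are assumptions, so only suffixes are matched.

# is_ipv4 ADDR -> 0 if ADDR is four dotted octets in the range 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# make_ip_line CLIENT_IP GATEWAY NETMASK HOSTNAME DEVICE
# Prints the IP= line for /etc/initramfs-tools/initramfs.conf. The second
# field (NFS server address) is left empty, as on the page.
make_ip_line() {
    for addr in "$1" "$2" "$3"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    [ -n "$4" ] && [ -n "$5" ] || { echo "hostname and device are required" >&2; return 1; }
    printf 'IP=%s::%s:%s:%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# check_initramfs_listing < listing -> 0 if every required component is listed;
# each missing one is reported on stderr and the function returns 1.
check_initramfs_listing() {
    listing=$(cat)
    missing=0
    for want in 'sbin/dropbear$' 'dropbear/authorized_keys$' 'bin/cryptroot-unlock$'; do
        if ! printf '%s\n' "$listing" | grep -Eq "$want"; then
            echo "missing from initramfs: $want" >&2
            missing=1
        fi
    done
    return $missing
}
```

A missing authorized_keys file is the failure mode to catch here: the initramfs would still start dropbear, but no key could log in, and the machine would sit at the passphrase prompt until someone reaches the console.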
Setup .ssh/config
The dropbear unlock shell and the normal sshd answer on the same IP address but present different host keys, so ssh would otherwise warn about a changed host key every time you switch between them. To avoid that clash, put something like this in your client's ~/.ssh/config (ssh_config does not allow a comment after an option on the same line, so the comments are on their own lines):
Host <myserver>_luks_unlock
    User root
    Hostname <myserver-ip-or-hostname>
    # Record dropbear's host key under this alias in known_hosts instead of under the IP
    HostKeyAlias <myserver>_luks_unlock
    # The unlock port set in the dropbear config above, not the port from sshd_config
    Port 2222
    PreferredAuthentications publickey
    IdentityFile /path/to/id_rsa
Host <myserver>
    User <normalusername>
    Hostname <myserver-ip-or-hostname>
    # The normal port from sshd_config
    Port 22
    PreferredAuthentications publickey
    IdentityFile /path/to/id_rsa
Connect
Connect using:
ssh myserver_luks_unlock
Some newer ssh clients no longer accept RSA public keys signed with the legacy ssh-rsa (SHA-1) algorithm. See here: https://confluence.atlassian.com/bitbucketserverkb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm-1026057701.html
Thus, you may need to add the following to /etc/ssh/ssh_config (or, to re-enable the legacy algorithm only for the unlock host, inside the Host <myserver>_luks_unlock block of ~/.ssh/config):
PubkeyAcceptedKeyTypes +ssh-rsa
Once you get a prompt, type, as suggested by the busybox text:
cryptroot-unlock