{{tag>howto debian dropbear luks}}

===== Install/Configure dropbear for remote unlocking encrypted root/swap-filesystems functionality =====
  * https://www.hagen-bauer.de/2018/09/verschl%C3%BCsseltes-debian-remote-starten.html
  * https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/

<WRAP center round todo 60%>
This might be a further advancement. If I get it right - It's limiting the SSH key to one specific command and also automates execution of that command.
  * https://ctrlnotes.com/restrict-a-user-to-ssh-forced-command/#
</WRAP>


<sxh bash; gutter: false>
apt update && apt -y install busybox dropbear-initramfs
echo 'DROPBEAR=y' >> /etc/initramfs-tools/initramfs.conf
sed -i 's/DEVICE=/DEVICE=<YOURNETWORKDEVICE>/'  /etc/initramfs-tools/initramfs.conf
echo 'IP=::::<YOURHOSTNAME>-luks:<YOURNETWORKDEVICE>:dhcp' >> /etc/initramfs-tools/initramfs.conf
echo "<YOURSSHPUBLICKEY>" >> /etc/dropbear-initramfs/authorized_keys
echo "<YOURBACKUPSSHPUBLICKEY>" >> /etc/dropbear-initramfs/authorized_keys
update-initramfs -u
</sxh>
<WRAP center round tip 60%>
Use the following commands to log on to dropbears SSH server, authenticate with your SSH-key and to decrypt the LUKS partition:
<sxh bash; gutter: false>
# connect to dropbears SSH server on denker,
# you will get authenticated with your SSH key.
ssh <YOURHOSTNAME>-luks -l root
# then issue the following command:
cryptroot-unlock
# now enter the LUKS passphrase
</sxh>
</WRAP>


----
~~DISCUSSION~~