Unattended/headless Ubuntu server with disk encryption - how to set it up?

Solution 1:

Remote unlocking of encrypted partition

There is an easy and more or less standard way to unlock encrypted partitions on start-up, without modification to the root partition. It requires dropbear and busybox.

$ sudo apt install dropbear busybox

Add busybox to initramfs

To enable busybox in the initial RAM disk, set BUSYBOX=y in /etc/initramfs-tools/initramfs.conf. The dropbear SSH host keys are stored in the /etc/dropbear-initramfs folder.

Add public keys to authorized_keys of dropbear

There is no user management in the initial RAM disk, so only the root user with a public key in /etc/dropbear-initramfs/authorized_keys can log in via ssh. You can add any public key or simply copy the one of your user:

$ sudo cp ~/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys

dropbear currently does not support ed25519 keys, so adding them to dropbear won't work.

Update initramfs with dropbear keys

After that, the initial RAM disk needs to be updated:

$ sudo update-initramfs -u

That's it, now reboot the system and wait for the cryptsetup dialog.

Unlocking the system remotely

After the reboot, the system will wait for the unlocking of the encrypted device. Log in via ssh with the root user and the corresponding private key.

# From a remote system
$ ssh -i ~/.ssh/my_private.id_rsa root@my.system.waiting.for.a.password.com
Enter passphrase for key '~/.ssh/my_private.id_rsa':

BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu6.1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cryptroot-unlock
Please unlock disk ubuntu-root:
cryptsetup: ubuntu-root set up successfully
# Connection to my.system.waiting.for.a.password.com closed by remote host.
Connection to my.system.waiting.for.a.password.com closed.

And the system will start with the unlocked root device.
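The procedure from the answer above as one script, added here as an example; it is not part of the original answer. It assumes the Ubuntu default paths /etc/initramfs-tools/initramfs.conf and /etc/dropbear-initramfs/authorized_keys, that the target is a standard cryptsetup root (so cryptroot-unlock exists in the initramfs), and that you want to keep the initramfs dropbear host key in its own known_hosts file (my choice, not something the answer does). The key filter follows the answer's note and drops ssh-ed25519 entries before they reach dropbear.

```shell
#!/bin/sh
# Added example, not from the original answer. Automates the dropbear +
# busybox initramfs setup described above, then shows the remote unlock.
# Assumed paths (Ubuntu defaults, not stated on the page as assumptions):
#   /etc/initramfs-tools/initramfs.conf
#   /etc/dropbear-initramfs/authorized_keys
set -eu

# set_initramfs_option FILE KEY VALUE
# Idempotently set KEY=VALUE in an initramfs.conf-style file: rewrites an
# existing (even commented-out) assignment in place, otherwise appends it,
# so repeated runs never leave two BUSYBOX= lines behind.
set_initramfs_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# filter_dropbear_keys SRC DST
# Copy authorized_keys entries into dropbear's file, dropping blank and
# comment lines and any ssh-ed25519 key (the answer says dropbear in the
# initramfs does not accept them). Prints the number of keys kept.
filter_dropbear_keys() {
    src=$1; dst=$2
    grep -Ev '^[[:space:]]*(#|$)' "$src" \
        | grep -Ev '(^|[[:space:]])ssh-ed25519[[:space:]]' > "$dst" || true
    chmod 0600 "$dst"
    grep -c . "$dst" || true
}

# setup_remote_unlock AUTHORIZED_KEYS
# The answer's steps in order: install, enable busybox, install keys,
# rebuild the initramfs. Must run as root; refuses to rebuild if no
# usable key survived filtering (otherwise you lock yourself out).
setup_remote_unlock() {
    keys=$1
    apt-get install -y dropbear busybox
    set_initramfs_option /etc/initramfs-tools/initramfs.conf BUSYBOX y
    mkdir -p /etc/dropbear-initramfs
    kept=$(filter_dropbear_keys "$keys" /etc/dropbear-initramfs/authorized_keys)
    [ "$kept" -gt 0 ] || { echo "no usable keys for dropbear" >&2; return 1; }
    update-initramfs -u
}

# remote_unlock HOST [IDENTITY]
# Run from another machine after the reboot. The initramfs dropbear has its
# own host key, different from the installed sshd's, so it is pinned in a
# separate known_hosts file instead of tripping the "host key changed" check.
# -t gives cryptroot-unlock a tty for the passphrase prompt; the session is
# closed by the remote side once the root device is open.
remote_unlock() {
    ssh -t -i "${2:-$HOME/.ssh/id_rsa}" \
        -o UserKnownHostsFile="$HOME/.ssh/known_hosts.initramfs" \
        -o StrictHostKeyChecking=accept-new \
        "root@$1" cryptroot-unlock
}

case "${1:-}" in
    setup)  shift; setup_remote_unlock "$@" ;;
    unlock) shift; remote_unlock "$@" ;;
    "")     ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 setup AUTHORIZED_KEYS | unlock HOST [IDENTITY]" >&2; exit 2 ;;
esac
```

Usage: on the server, `sudo sh unlock.sh setup ~/.ssh/authorized_keys` (the tilde expands to the invoking user's home before sudo runs, matching the answer's cp command); after the reboot, from another machine, `sh unlock.sh unlock my.system.waiting.for.a.password.com ~/.ssh/my_private.id_rsa`. Check /etc/dropbear-initramfs/authorized_keys before rebooting: if the only key you use is ed25519, the filter keeps nothing and the setup step stops rather than producing an initramfs you cannot log in to.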