LUKS Automatic unlock of with key file on remote ubuntu server
tang and clevis can achieve that even with encrypted root partition on CentOS 7 (and I personally use it to automate boot on my home network and at work). Have a look and check if it plugs into your VM.
You have various solutions online (like here) where a small ssh server (busybox+dropbear) is included in initrd to run it at boot time before filesystem mounting and let it be contacted to provide the passphrase as input.
You may be able to do something around that: in initrd, inside of launching a sshd
server to wait for remote connection, start an ssh
connection to your remote host storing keys, with specific ssh keys, in order to get the key file (doing an scp), then unlocking local filesystem with the LUKS key.
It is however not without drawbacks: you need of course to make sure to delete the downloaded LUKS key as soon as the unlock is done otherwise you gained nothing. Even better if you find a way to have it in RAM only for the time needed and not stored anywhere. Also, "any" attacker being able to read the content of your initrd may find the ssh connection and its ssh key, contact your remote host with them and download the LUKS key. If this happens it means however that your attacker is clearly targeting you and taking the time to study your specific setup, this is clearly outside of script kiddies. You should at least carefully review all connections that downloaded the key, the events should be tied to your other monitoring alerts showing that a given server is indeed rebooting (which again will not protect you against an attacker that was able to modify your initrd).
You also have to take into account cases where network fails at this moment, scp
can not connect, etc... So having at the same time the option of the small sshd
server to be able to connect to it and debug things is not a bad idea. Or see what kind of out-of-band solutions your cloud provider can offer.
I have used Mandos to store and retrieve the passphrase to unlock the root file-system, to allow unattended reboots and simply store keys for all other volumes used by that system in a file on that encrypted root volume.
I have used mandos over a WAN connection (by configuring DHCP and the IP-address of the mandos server in the client system rather than relying on Zeroconf which only works in the local LAN) without bothering with a VPN connection.