How to open a port early in boot process to unlock LUKS via SSH
The subject line is wrong. The problem isn't a closed port, it's a port which wasn't bound. SSHd hasn't started yet; that's the reason you can't connect to it.
dropbear (the ssh server) is supposed to be started very early during the boot phase, earlier than the init (rcN.d) sequence and the firewall init scripts; even earlier than / is mounted (it is encrypted too, right?). So it comes down to the initramfs, the pre-/ userland loaded for the kernel by the boot loader. The image is (re)generated by update-initramfs -u from the contents of /etc/initramfs-tools/, including the dropbear configuration in /etc/initramfs-tools/etc/dropbear/. To play with the dropbear config, play with that one.
Thus, a few points to check:
- dropbear doesn't start: it hasn't been plugged into the initramfs sequence properly;
- the default firewall denies all.
I got this same problem a few weeks ago (Debian Wheezy 7.6) and after some days of troubleshooting I found out that there was a config file missing which was preventing the cryptroot script in init-top from running correctly, hence it was not stopping to ask for the password via ssh, and dropbear was killed at the end of the sequence (init-bottom).
The config file is called cryptroot and should be under /etc/initramfs-tools/conf.d/
If I am not mistaken, that config file should have been created automatically during install (I have read just one tutorial talking about that config file) but somehow it was not (tested on a physical server and in a VM, same OS and versions).
It took me a couple of tries to configure it properly, since I could not find the proper syntax at that time. My cryptroot config file is as follows:
target=crypt-root,source=/dev/vg0/root,lvm=root
Once the config file is created, just update the initramfs and try again:
update-initramfs -u
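Added example, not code from either answer above: a small POSIX shell checklist covering both answers, namely whether the dropbear and cryptroot pieces actually landed in the generated initramfs (first answer) and whether a /etc/initramfs-tools/conf.d/cryptroot line carries the target= and source= keys the cryptroot script needs (second answer). The initramfs paths it looks for (scripts/local-top/cryptroot, scripts/init-premount/dropbear, sbin/dropbear, etc/dropbear) are what the Debian cryptsetup and dropbear initramfs hooks install on systems I have seen; they are assumptions, not something stated on this page, so adjust them to what your packages ship. The lsinitramfs-style listing at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the answers above). Checks for a LUKS-over-SSH initramfs.
# Assumptions: the entries in UNLOCK_BITS are the paths the Debian cryptsetup and
# dropbear hooks put into the initramfs; verify against your own packages.

# Print the value of one key from a cryptroot line such as
# "target=crypt-root,source=/dev/vg0/root,lvm=root". Keys are comma separated;
# prints nothing when the key is absent.
cryptroot_get() {
    line="$1"; key="$2"
    printf '%s\n' "$line" | tr ',' '\n' | sed -n "s/^${key}=//p" | head -n 1
}

# Return 0 when the line has the two keys the cryptroot script cannot work without:
# target (the /dev/mapper name to create) and source (the encrypted block device).
# lvm= is optional; it only names the LV that sits on top of the mapping.
cryptroot_line_ok() {
    t=$(cryptroot_get "$1" target)
    s=$(cryptroot_get "$1" source)
    [ -n "$t" ] && [ -n "$s" ]
}

# Paths (assumed, see above) that must be inside the initramfs for remote unlock:
# the cryptroot script that prompts for the passphrase, the hook that starts dropbear
# before it, the dropbear binary itself, and its config/host-key directory.
UNLOCK_BITS='scripts/local-top/cryptroot
scripts/init-premount/dropbear
sbin/dropbear
etc/dropbear'

# Given an lsinitramfs-style listing (one path per line), return 0 only if every
# path in UNLOCK_BITS is present; report the first missing one on stderr.
initramfs_has_unlock_bits() {
    listing="$1"
    for want in $UNLOCK_BITS; do
        printf '%s\n' "$listing" | grep -qxF "$want" || {
            echo "initramfs is missing: $want" >&2
            return 1
        }
    done
    return 0
}

# On a real machine, run the same two checks against the live artefacts:
#   initramfs_has_unlock_bits "$(lsinitramfs /boot/initrd.img-$(uname -r))"
#   cryptroot_line_ok "$(head -n 1 /etc/initramfs-tools/conf.d/cryptroot)"

# Constructed sample listing (what lsinitramfs might print for a good image).
SAMPLE_LISTING='bin/sh
sbin/dropbear
etc/dropbear
etc/dropbear/dropbear_rsa_host_key
scripts/local-top/cryptroot
scripts/init-premount/dropbear
scripts/init-bottom/dropbear'

SAMPLE_LINE='target=crypt-root,source=/dev/vg0/root,lvm=root'

if initramfs_has_unlock_bits "$SAMPLE_LISTING"; then
    echo "sample initramfs: dropbear and cryptroot present"
fi
if cryptroot_line_ok "$SAMPLE_LINE"; then
    echo "sample cryptroot line: target=$(cryptroot_get "$SAMPLE_LINE" target)" \
         "source=$(cryptroot_get "$SAMPLE_LINE" source)"
fi
```

If the listing check fails, the hook never ran or the package is not installed in the initramfs path, which is the first bullet of the first answer; if the cryptroot line check fails, the prompt has nothing to unlock and the sequence ends with dropbear being torn down, which is what the second answer describes.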