SSH to decrypt encrypted LVM during headless server boot?

For newer versions of Ubuntu, for example 14.04, I found a combination of @dragly's and this blog post's answers very helpful. To paraphrase:

  1. (On server) Install Dropbear

    sudo apt-get install dropbear
    
  2. (On server) Copy and assign permissions for root public/private key login

    sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/.
    sudo chown user:user ~/id_rsa
    

    Remember to change `user` to your username on the server.

  3. (On client) Fetch private key from server

    scp [email protected]:~/id_rsa ~/.ssh/id_rsa_dropbear
    
  4. (On client) Add an entry to ssh config

    Host parkia
        Hostname 192.168.11.111
        User root
        UserKnownHostsFile ~/.ssh/known_hosts.initramfs
        IdentityFile ~/.ssh/id_rsa_dropbear

    Remember to change _parkia_ to whatever you'd like to type `ssh my-box` to be.
    
  5. (On server) Create this file at /etc/initramfs-tools/hooks/crypt_unlock.sh

  6. (On server) Make that file executable

    sudo chmod +x /etc/initramfs-tools/hooks/crypt_unlock.sh
    
  7. Update the initramfs

    sudo update-initramfs -u
    
  8. Disable the dropbear service on boot so openssh is used after partition is decrypted

    sudo update-rc.d dropbear disable
    

You're done. Try it out. Check the blog post linked to above for instructions about how to configure the server with a static IP address if that is something you'd need to do.


A guide to doing such a setup with BusyBox and Dropbear is shown in this blog post. early-ssh didn't work for me and is apparently not needed anymore.

I have summarized what you need to do in the following. For more details, have a look at the post above:

  1. Install BusyBox and Dropbear on your server

    sudo apt-get install dropbear busybox
    
  2. Update your initramfs on the server

    sudo update-initramfs -u
    
  3. Copy the private key generated by dropbear to your client machine. You may have to copy this to a new dir and change ownership to do this. On your server do the following:

    sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/.
    sudo chown user:user ~/id_rsa
    

    Remember to replace user with your username. Password logins don't seem to work.

  4. Now you may transfer the private key with scp by calling the following on your client:

    scp [email protected]:~/id_rsa ~/.ssh/id_rsa_dropbear
    
  5. Set up your client's ~/.ssh/config file for easy login. Open it up with a text editor and add the following:

    Host myremoteserver
        HostName my.remote.server
        User root
        UserKnownHostsFile ~/.ssh/known_hosts.initramfs
        IdentityFile ~/.ssh/id_rsa_dropbear
    

    Change the Host to whatever you like and HostName to the name of your server. Let the user be root. It appears to be the only accepted user in Dropbear. Save and close the file.

  6. Restart your server and wait for the passphrase prompt. Give Dropbear a few seconds to detect and set up its internet connection. Connect to your server with the following command on your client:

    ssh myremoteserver # or any name you chose
    
  7. When logged in, issue the following command on your server. See the blog post for details:

    # Kill the cryptroot script that is already blocking on the console prompt.
    # "[/]" stops grep from matching its own command line, and "read" strips the
    # leading spaces busybox ps prints, so the width of the PID column does not matter.
    ps | grep "[/]scripts/local-top/cryptroot" | while read pid rest; do kill -9 "$pid"; done
    sleep 35
    # Re-run cryptroot so the passphrase prompt appears in this SSH session
    /scripts/local-top/cryptroot
    # Kill the shell that was waiting on the console so the boot continues
    ps | grep "[/]bin/sh" | while read pid rest; do kill -9 "$pid"; done
    

    It will take some time (30 seconds) before you get to type your passphrase. Type it in when prompted.

  8. Close the connection by typing

    exit
    
  9. Your server should now have unlocked its encrypted hard drive and boot as normal.

(A huge thanks to the original author of the blog post!)
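Both of the answers above copy the root private key that Dropbear generated on the server down to the client. The added example below (my own script, not code from either answer, the linked blog post or the Dropbear project) does the reverse, which is the safer direction: a dedicated key pair is generated on the client and only its public half is installed into the initramfs, so no private key ever leaves the machine that uses it. It also writes the same `ssh_config` stanza the answers use, with its separate `UserKnownHostsFile`, which is needed because the initramfs Dropbear has its own host key that would otherwise collide with the normal OpenSSH daemon's entry for the same address. The paths under `/etc/initramfs-tools/root/.ssh/` are an assumption matching the Ubuntu 14.04-era dropbear hook; the function names, the alias `parkia` and the address `192.168.11.111` are illustrative.

```shell
#!/bin/sh
# Added example, not code from the answers above or from the Dropbear project.
# Client side: generate a dedicated key pair and print the ssh_config stanza.
# Server side: install only the public key into the initramfs and rebuild it.
# Paths are assumptions for the Ubuntu 14.04-era dropbear initramfs hook;
# newer releases keep them under /etc/dropbear-initramfs/ instead.
set -eu

# Print the ssh_config stanza for the pre-boot session. The separate
# UserKnownHostsFile matters: the initramfs Dropbear has its own host key,
# so the same address would otherwise clash with the entry the normal
# OpenSSH daemon leaves in ~/.ssh/known_hosts.
initramfs_ssh_config_entry() {
    name="$1" host="$2" identity="$3"
    printf 'Host %s\n    HostName %s\n    User root\n' "$name" "$host"
    printf '    UserKnownHostsFile ~/.ssh/known_hosts.initramfs\n'
    printf '    IdentityFile %s\n' "$identity"
}

# OpenSSH refuses a private key that anyone but its owner can read. Return 0
# when the file exists, belongs to the caller and is mode 0600 or 0400.
private_key_perms_ok() {
    key="$1"
    [ -f "$key" ] && [ -O "$key" ] || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Server side, run as root: append a client public key to the initramfs
# authorized_keys and rebuild the initramfs so it is picked up at next boot.
install_initramfs_pubkey() {
    pubkey="$1"
    dir=/etc/initramfs-tools/root/.ssh   # assumption: 14.04-era hook location
    mkdir -p "$dir" && chmod 700 "$dir"
    printf '%s\n' "$pubkey" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    update-initramfs -u
}

# Client side: `sh thisscript.sh setup [alias] [address]` generates the key
# (RSA, because Dropbear of that era has no ed25519 support), checks its
# permissions and prints the stanza to append to ~/.ssh/config.
case "${1:-}" in
    setup)
        key="$HOME/.ssh/id_rsa_dropbear"
        [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -N '' -f "$key"
        private_key_perms_ok "$key" || { echo "fix permissions on $key" >&2; exit 1; }
        initramfs_ssh_config_entry "${2:-parkia}" "${3:-192.168.11.111}" "$key"
        echo "Now on the server, as root: install_initramfs_pubkey \"\$(cat $key.pub)\"" >&2
        ;;
esac
```

Run `sh thisscript.sh setup myremoteserver my.remote.server` on the client, paste the printed stanza into `~/.ssh/config`, then on the server source the script and call `install_initramfs_pubkey` with the contents of the `.pub` file. After the next reboot the pre-boot `ssh myremoteserver` session authenticates with the client-generated key, and the server's own generated root key never has to be copied anywhere.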


I think early-ssh provides what you're searching for:

Early-ssh is a simple initramfs hook, which installs Dropbear SSH server into  
your initramfs, and starts it at boottime, so you will be able to do a lot of  
things remotely over SSH, before your root partition gets mounted, for example:

* unlocking LUKS encrypted crypto devices - 
  even your root can be an encrypted filesystem
* assembling/altering RAID arrays (mdadm)
* checking the root filesystem in read-write mode, 
  taking action in case of errors
* and so on...

There is already a .deb package available, so you're probably fine with Ubuntu.