Some Linux distributions allow you to install all of your partitions, save the boot partition, onto encrypted partitions. Doing this can be a big increase to the security of your data, should your computer be stolen, but can be an inconvenience when installed on a server that has no input devices connected. Fortunately, initramfs, the same program allowing you to boot an encrypted root partition in the first place, can also be configure to allow ssh connections.

All of the following must be done as root.

Static IP

Begin by setting a static IP address for the initramfs image.

Installing Software

In order to log in remotely to initramfs, two things are required. The first, is Busybox, a simple shell for Linux. The second is Dropbear, a lightweight ssh suite.

In order to install these on Debian, or a derivative thereof, use the following command

apt-get install busybox dropbear

Configure the initramfs Image for Remote Access

Open the file /etc/initramfs-tools/initramfs.conf for editing.

Ensure that there is a line which reads BUSYBOX=y and no line that reads BUSYBOX=n

Next, make sure that there isn’t a line DROPBEAR=n, and that there is a line DROPBEAR=y

By enabling these options, when the initramfs image is recompiled, it will contain Busybox and Dropbear.

Adding SSH Keys to the Image

Now that the services that allow you to log on remotely are enabled, you need to add your SSH key to the image.

If you need to create a SSH key, go here

First, transfer your SSH key onto the computer with the initramfs image you are modifying.

Next, make sure that the .ssh directory, and the authorized_keys file exists for Dropbear, with the commannds

mkdir /etc/initramfs-tools/root/.ssh

touch /etc/initramfs-tools/root/.ssh/authorized_keys

Now, append your key to the authorized_keys file.

cat >> /etc/initramfs-tools/root/.ssh/authorized_keys

Finally, give the file the proper permissions.

chmod 0600 authorized_keys

Creating the New Image

To generate the new initramfs image, simply run the command

update-initramfs -u

Logging into to Initramfs

If the IP Address of the Image is the Same as the Computer

If the image’s IP address is the same as that of the computer when it finishes the boot process, then you must make a secondary known_hosts file for SSH to use when it connects to the image.

Do this by creating the new file

touch ~/.ssh/known_hosts.boot

And logging into the image with the option for using an alternative known_hosts file for ssh

-o "UserKnownHostsFile=~/.ssh/known_hosts.boot"

The rest of the examples in this section will be for this configuration.

Entering Your Password

To login to initramfs, use the command

ssh -o "UserKnownHostsFile=~/.ssh/known_hosts.boot" root@ipaddress

If you are using a different IP address for the image, your command could simply be

ssh root@ipaddress

Once logged in, you need to enter the password for the encrypted partition(s).

To do this, use the command

echo -ne yourpassword > /lib/cryptsetup/passfifo

Making the Decrypting Process Easier

In order to make the decryption process quicker, all the steps can be put together in a script.

The content of the script is below, or you simply may download the attached file.

Please note that this script is distributed under the terms of the GPL rather than the Creative Commons License.


# Remote Decrypt. Remotely enters the password for a properly configured LUKS encrypted partition. Logs into the Busybox instance in initramfs. Takes the IP address or hostname of the image as an argument

# Copyright (C) 2011 Eugene Davis

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of


# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program. If not, see http: licenses=""""</http:>.

stty -echo #Turns off shell echoing so that what you type does not show, allowing the password to be hidden

read -p “Enter password for the encrypted volume: “ password #Saves the string that is the password

stty echo #turns on shell echoing so that what you type does show


ssh -p 22 -o “UserKnownHostsFile=~/.ssh/known_hosts.boot” root@$1 “echo -ne "“$password”" >/lib/cryptsetup/passfifo” #Enters the password to decrypt the drive

Once you have downloaded or created the remote_decrypt file, make it executable by running the command

chmod +x remote_decrypt

If you then move it to a folder in your path, you will be able to run it from any directory. Otherwise, make sure you are in the same directory as the script, and run ./remote_decrypt. Make sure to use the hostname as an argument, in the format:

remote_decrypt ipaddress