This guide is for unlocking one or more LUKS encrypted partitions using SSH. The unlock happens before the system mounts partitions; it may be used to either unlock the entire root file system or one or more partitions for other file systems.
In my case, I will be unlocking the LUKS device named "encrypted", whose file system is mounted at "/encrypted".
Create the encrypted partition as usual:
cryptsetup luksFormat --type=luks2 /dev/sdb
Add the encrypted device to crypttab:
# <target name> <source device> <key file> <options>
encrypted UUID=b38550c2-a872-410b-9fb9-3364a19b8e2a none luks,discard,initramfs
NOTE: It is critical to have the initramfs option set. Without it, cryptsetup only tries to unlock the device after init has started, since it is not the root partition. Dropbear would then run inside the initramfs for a second or two and exit before you can connect, because nothing in the initramfs needs unlocking, so you will not be able to use it as expected.
Add the device to /etc/fstab as usual:
UUID=15f0b8c4-d33a-4666-9b9b-d0c4f7617238 /encrypted btrfs defaults,ssd,noatime,compress=zstd:1,discard,space_cache,commit=120,subvol=@ 0 1
The UUIDs above must be the real ones for your devices, both read with blkid: the crypttab entry takes the UUID of the raw LUKS partition (/dev/sdb here), while the fstab entry takes the UUID of the file system inside the opened mapping (/dev/mapper/encrypted). Mixing the two up is a common mistake.
Install dropbear-initramfs:
apt -y install dropbear-initramfs
Edit /etc/initramfs-tools/initramfs.conf and add the IP configuration to the end of the file:
IP=192.0.2.2::192.0.2.1:255.255.255.240:myserver:ens192
The configuration above uses the kernel/initramfs format client-ip:server-ip:gateway:netmask:hostname:device; the empty second field is the unused server-ip. It means:
192.0.2.2: The server IP
192.0.2.1: The gateway IP
255.255.255.240: The subnet mask
myserver: The server hostname
ens192: The interface to configure the IP settings for
Edit /etc/dropbear-initramfs/config and set the following DROPBEAR_OPTIONS:
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"
These options make dropbear listen on port 2222 (-p 2222), disconnect idle sessions after 180 seconds (-I 180), disable local and remote port forwarding (-j and -k) and disable password logins (-s), so only SSH key authentication is accepted.
Add your SSH public key to /etc/dropbear-initramfs/authorized_keys.
Finally regenerate initramfs:
update-initramfs -u -v
You should now be able to reboot and verify that it works by connecting with ssh -p 2222 root@192.0.2.2 while the system is waiting in the initramfs. Note that the initramfs dropbear has its own host key, different from the one the main system's sshd presents on the same address, so keep a separate known_hosts entry for it (for example with -o UserKnownHostsFile) rather than getting used to accepting changed host keys.
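Because a mistake in any of the files above leaves a remote machine stuck at the initramfs prompt with no way in, it is worth linting them before rebooting. The script below is an added example and is not part of the original guide: it parses a crypttab for the initramfs option, splits an IP= line into its positional fields, checks DROPBEAR_OPTIONS for -s and extracts the port, and verifies authorized_keys holds a public key. It runs against constructed copies of the four files in a temporary directory (the data2 entry, its UUID and the key material are placeholders made up for the example); on a live system point the paths at the real files instead.

```bash
#!/bin/sh
# Pre-reboot lint for the crypttab, initramfs.conf and dropbear-initramfs
# settings described in this guide. Constructed sample files are written to
# a temp directory so it runs offline; on a live system point the paths at
# /etc/crypttab, /etc/initramfs-tools/initramfs.conf and
# /etc/dropbear-initramfs/{config,authorized_keys} instead.

# Field N of an IP= value, whose format is
#   client:server:gateway:netmask:hostname:device:autoconf
# cut is used instead of shell word splitting so that empty fields (the
# unused server field in "192.0.2.2::192.0.2.1:...") keep their position.
ip_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# The fields dropbear needs in order to be reachable: client IP, netmask
# and interface. Accepts the line with or without the leading "IP=".
check_ip_line() {
    line=${1#IP=}
    [ -n "$(ip_field "$line" 1)" ] || { echo "IP=: client address missing"; return 1; }
    [ -n "$(ip_field "$line" 4)" ] || { echo "IP=: netmask missing"; return 1; }
    [ -n "$(ip_field "$line" 6)" ] || { echo "IP=: interface missing"; return 1; }
}

# 0 if <target> in the crypttab has the initramfs option, 1 if the entry
# exists without it, 2 if the target is not listed at all.
crypttab_has_initramfs() {
    entry=$(awk -v t="$2" '$1 !~ /^#/ && $1 == t { print "found:" $4; exit }' "$1")
    [ -n "$entry" ] || return 2
    case ",${entry#found:}," in
        *,initramfs,*) return 0 ;;
        *)             return 1 ;;
    esac
}

# DROPBEAR_OPTIONS value from the config file (empty if not set).
dropbear_options() { sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$1"; }

# Port from "-p <port>" in DROPBEAR_OPTIONS; dropbear's default is 22.
# (dropbear also accepts "-p addr:port"; that form is not parsed here.)
dropbear_port() {
    port=$(dropbear_options "$1" | sed -n 's/.*-p \([0-9][0-9]*\).*/\1/p')
    echo "${port:-22}"
}

# Require -s so the initramfs sshd never accepts a password.
dropbear_opts_ok() {
    case " $(dropbear_options "$1") " in
        *" -s "*) return 0 ;;
        *) echo "DROPBEAR_OPTIONS: -s missing, password logins would be allowed"; return 1 ;;
    esac
}

# At least one public key of a type dropbear understands.
authorized_keys_ok() { grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) ' "$1"; }

# Run every check for one crypttab target; 0 only if all of them pass.
run_checks() {
    dir=$1; target=$2; rc=0
    ct=0; crypttab_has_initramfs "$dir/crypttab" "$target" || ct=$?
    case $ct in
        0) echo "ok: $target carries the initramfs option" ;;
        1) echo "FAIL: $target lacks the initramfs option; dropbear would exit before you can log in"; rc=1 ;;
        2) echo "FAIL: $target is not in crypttab"; rc=1 ;;
    esac
    ipline=$(grep '^IP=' "$dir/initramfs.conf" | tail -n 1)
    check_ip_line "$ipline" && echo "ok: $ipline" || rc=1
    dropbear_opts_ok "$dir/config" \
        && echo "ok: key-only ssh on port $(dropbear_port "$dir/config")" || rc=1
    authorized_keys_ok "$dir/authorized_keys" \
        && echo "ok: authorized_keys holds a usable key" \
        || { echo "FAIL: no public key in authorized_keys"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the guide; "data2" and its UUID are made
# up and deliberately lack the initramfs option, and the key material is a
# placeholder, not a real key.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
encrypted UUID=b38550c2-a872-410b-9fb9-3364a19b8e2a none luks,discard,initramfs
data2     UUID=0f6b0a1e-0000-4000-8000-000000000002 none luks,discard
EOF
    printf 'MODULES=most\nIP=192.0.2.2::192.0.2.1:255.255.255.240:myserver:ens192\n' \
        > "$d/initramfs.conf"
    echo 'DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"' > "$d/config"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxx admin@laptop' \
        > "$d/authorized_keys"
    echo "$d"
}

dir=$(make_sample_dir)
for t in encrypted data2; do
    echo "--- target $t"
    run_checks "$dir" "$t" || echo "fix the FAIL lines before rebooting"
done
rm -rf "$dir"
```

The data2 target fails on purpose, showing what the crypttab check reports for the exact mistake the NOTE above warns about. After update-initramfs, a complementary check on the real system is lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'dropbear|cryptroot', which confirms that both dropbear and the crypttab entry actually made it into the image. Once you are logged in over SSH during boot, Debian and Ubuntu ship the cryptroot-unlock command (from cryptsetup-initramfs, not mentioned in the guide) to prompt for the passphrase of each pending device.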