As an enthusiast of encryption, it always felt a little strange that my servers kept all of their data in the clear. But the problem with encrypting a headless server is that, inevitably, you have to reboot it. So how do you connect to your server and unlock the drive before it boots? It's quite the catch-22.
Enter dropbear, a very small SSH server. This server is so tiny, it can be embedded in your initramfs and run at boot. You can connect to your server, unlock your boot drive, and allow the boot process to proceed. Fantastic!
Here's a short summary of how to do things in Debian 10 (Buster). These commands need to be run as root:
- Install the
dropbear-initramfspackage (should install
- Copy your SSH public key into
update-initramfs -u& reboot
- Connect to the dropbear server by running
cryptroot-unlockto unlock your boot drive
This is just the beginning of my setup. Eventually, I would like another machine to automatically unlock my servers for me - but that will be several more steps that are not in place yet. For now, this is a fairly straight forward technique for allowing you to encrypt headless, remote servers without worrying about reboots!
Tags: linux server security