
You can even set up SSH to the bootloader to unlock LUKS if it reboots.


Yup, earlyssh - I found it a massive pain to set up, but it works.


Interesting, I've never heard of earlyssh as an option--I've used dropbear-initramfs for this in the past.


Same here, I have been using dropbear-initramfs since forever. I am now looking into Mandos[1] though, as doing it manually with Dropbear becomes a massive pain when managing several bare-metal servers.

[1] https://www.recompile.se/mandos
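An added example, not from any commenter in the thread, of the admin-side script for the dropbear-initramfs setup mentioned above. The initramfs presents its own SSH host key, distinct from the booted OS's key at the same address, so the script pins that key in a separate known_hosts file (the path `pin_file` and the hostname are assumptions) and refuses to send the passphrase unless exactly one pinned entry exists; `cryptroot-unlock` is Debian's initramfs helper that prompts for the passphrase and hands it to the waiting cryptsetup.

```shell
#!/bin/sh
# Remote LUKS unlock via dropbear-initramfs from an admin workstation.
# Assumptions: Debian-style dropbear-initramfs with cryptroot-unlock inside
# the initramfs, and a pin file holding the initramfs host key as a plain
# known_hosts line ("<hostname> <keytype> <base64key>").

# ssh options that check the host key against the pin file only, so a
# mismatch with ~/.ssh/known_hosts (which holds the booted OS key) cannot
# occur and StrictHostKeyChecking can stay on for the passphrase step.
initramfs_ssh_opts() {
    pin_file=$1
    printf '%s' "-o UserKnownHostsFile=$pin_file -o GlobalKnownHostsFile=/dev/null -o StrictHostKeyChecking=yes -o PasswordAuthentication=no"
}

# Succeed only if the pin file has exactly one non-comment entry whose first
# field is HOST; zero entries means unpinned, two or more means ambiguous.
pin_check() {
    host=$1; pin_file=$2
    [ -r "$pin_file" ] || return 1
    n=$(awk -v h="$host" '!/^[[:space:]]*#/ && $1 == h { c++ } END { print c + 0 }' "$pin_file")
    [ "$n" -eq 1 ]
}

# Run cryptroot-unlock in the initramfs; it prompts for the LUKS passphrase on
# this terminal. Returns 2 without contacting the host if the pin is missing.
unlock_remote() {
    host=$1; pin_file=$2
    pin_check "$host" "$pin_file" || { echo "no single pinned initramfs key for $host" >&2; return 2; }
    # shellcheck disable=SC2046  # options are intentionally word-split
    ssh $(initramfs_ssh_opts "$pin_file") "root@$host" cryptroot-unlock
}
```

The pin file is created once, out of band, from the host key shown on the console or extracted from the initramfs image, never from a first connection.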


Thanks for the link; I hadn't heard of Mandos.

Another solution in the same space is Clevis[1]; last time I was researching this problem, I came across it via Red Hat's docs[2].

[1]: https://github.com/latchset/clevis

[2]: https://access.redhat.com/documentation/en-us/red_hat_enterp...


I think dropbear is what sits under earlyssh. I'll look into dropbear-initramfs, if it's easier to work with than earlyssh that is a big plus in my book.

edit: early-ssh is hosted at https://github.com/gheja/early-ssh . Not to knock early-ssh by saying it's difficult to work with too - it's a great piece of software which has made my life a lot easier.


If you like early-ssh, I would like to suggest checking out better-initramfs. No dependency on systemd, easy to modify and build. I think it can do everything early-ssh can do. I use it to boot a variety of LUKS encrypted btrfs machines.

Disclosure: I'm a contributor.

https://github.com/slashbeast/better-initramfs


Nice! Starred, will definitely keep that in mind, thanks a lot.


Same, that's what I use, and it was super easy to do.


Also, you can auto-decrypt LUKS when your main machine is booted: https://blog.haschek.at/2020/the-encrypted-homelab.html