Busk: Created page with "Setting up Dropbear for Initramfs is the gold standard for "headless" secure servers. It allows you to SSH into your server before the main operating system even sta..."

2026-03-20T03:25:46Z

Created page with "Setting up **Dropbear** for **Initramfs** is the gold standard for "headless" secure servers. It allows you to SSH into your server *before* the main operating system even sta..."

New page

Setting up **Dropbear** for **Initramfs** is the gold standard for "headless" secure servers. It allows you to SSH into your server *before* the main operating system even starts, just to type the LUKS passphrase.

This gives you the security of a manual passphrase with the convenience of not needing a physical keyboard and monitor attached to the server.

---

### 1. Install the Dropbear Initramfs Tool
Ubuntu has a specific package that integrates the lightweight Dropbear SSH server into the boot process.

```bash
sudo apt update
sudo apt install dropbear-initramfs -y
```

### 2. Configure Your SSH Key
For security, you should use an **SSH Key** rather than a password to log in during this pre-boot phase.

1. **Copy your public key** (usually found at `~/.ssh/id_ed25519.pub` on your local machine).
2. **Add it to the authorized keys for boot:**
```bash
sudo nano /etc/dropbear/initramfs/authorized_keys
```
*Paste your public key there and save.*

### 3. Set the Network Config (Optional but Recommended)
If your server doesn't get an IP automatically via DHCP during boot, you can hardcode one in the GRUB config, but usually, the default is fine if your router is active.

To change the port (to avoid conflicts with your main SSH later), edit the config:
```bash
sudo nano /etc/dropbear/initramfs/config
```
Change to: `DROPBEAR_OPTIONS="-p 2222"` (This puts the "Unlock SSH" on port 2222).

---

### 4. Update and Reboot
Tell the system to rebuild the boot image with Dropbear inside it.

```bash
sudo update-initramfs -u
sudo reboot
```

---

### 5. How to Unlock Remotely
Once the server starts booting, it will "hang" at the encryption prompt. From your local laptop, run:

```bash
ssh -p 2222 root@your-server-ip
```
*Note: It will always be `root`, even if that's not your main user.*

Once you are logged in, you will see a minimal prompt. Run the unlock command:
```bash
cryptroot-unlock
```
Type your passphrase. Once accepted, the SSH session will close automatically, the drive will mount, and Ubuntu will finish booting into the main OS (and start your LXD containers).

---

### Summary of your "Private Cloud" Security
You now have a setup that mirrors high-end cloud security:
1. **LXD Isolation:** Your apps are siloed in containers or VMs.
2. **Full Disk Encryption:** Data is encrypted at rest (LUKS).
3. **Encrypted Storage Pool:** Your LXD data lives on a ZFS-over-LUKS layer.
4. **Remote Secure Unlock:** You can manage reboots from anywhere without leaving keys "in the lock" (the keyfile).

# small bash script that checks the status of your LXD encrypted pool and alerts you if it fails to mount after an unlock

Goal,Config Setting
Specify a Key,IdentityFile ~/.ssh/key_name
Use a Nickname,Host nickname
Set User,User username
Force Port,Port 2222 (if you changed it for security)

LXD security luks dropbear - Revision history

Busk: Created page with "Setting up **Dropbear** for **Initramfs** is the gold standard for "headless" secure servers. It allows you to SSH into your server *before* the main operating system even sta..."

Busk: Created page with "Setting up Dropbear for Initramfs is the gold standard for "headless" secure servers. It allows you to SSH into your server before the main operating system even sta..."