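# Remote unlock of a LUKS-encrypted root partition at boot, using the
# dropbear SSH server that runs inside the initramfs.
#
# Trust model to keep in mind while following these notes:
#   - The initramfs sits on the unencrypted /boot, so the dropbear host key
#     and authorized_keys stored in it are readable (and replaceable) by
#     anyone with access to the disk.
#   - The LUKS passphrase is typed into whatever answers on the unlock
#     address. Record the dropbear host key fingerprint on first connect and
#     treat a later host-key change as a reason to stop, not to re-accept.

# ---------------------------------------------------------------------------
# Variant 1: dropbear on a dedicated port (611)
# ---------------------------------------------------------------------------

apt install dropbear-initramfs

# NOTE(review): newer Debian releases appear to keep these files under
# /etc/dropbear/initramfs/ (dropbear.conf, authorized_keys) -- use whichever
# directory exists on the target system.
vim /etc/dropbear-initramfs/config
# Set in that file:
#   -p611   listen on port 611
#   -s      disable password logins (public key only)
#   -j, -k  disable local / remote port forwarding
#   -I 60   disconnect after 60 seconds without traffic
DROPBEAR_OPTIONS="-p611 -s -j -k -I 60"

# Add the public keys that may unlock the disk.
# RSA works everywhere; ed25519 is accepted by Dropbear 2020.79 and later,
# so confirm the packaged version before relying on an ed25519 key.
# Optionally restrict each key so it can only run the unlock prompt, e.g.
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa <PUBLIC-KEY-PLACEHOLDER>
vim /etc/dropbear-initramfs/authorized_keys

# Rebuild the initramfs so the config and keys are actually included.
update-initramfs -u

# Give the initramfs a static address via the kernel command line.
vim /etc/default/grub
# Like:    GRUB_CMDLINE_LINUX_DEFAULT="ip=client-ip::gw-ip:netmask"
# Example: GRUB_CMDLINE_LINUX_DEFAULT="ip=10.1.1.100::10.1.1.1:255.255.255.0"
# (Also maybe add numa=off)

# Regenerate the grub configuration.
update-grub

# On the client, add to ~/.ssh/config an entry for the initramfs dropbear.
# A separate Host alias keeps it apart from the entry for the booted system.
Host sf-001-disk
    Hostname 10.1.1.100
    Port 611
    User root
    PasswordAuthentication no
    IdentityFile ~/.ssh/id_rsa

# When the system boots and waits for the passphrase, connect to it:
ssh sf-001-disk

# Once logged in to the initramfs shell, run:
cryptroot-unlock

# ==========================================================================
# Passphrase rotation
# ==========================================================================

# Add the new passphrase first (-y asks for it twice), confirm it unlocks the
# volume, and only then remove the old one -- removing the last working
# passphrase makes the volume unrecoverable.
cryptsetup -y luksAddKey /dev/sda2
cryptsetup luksRemoveKey /dev/sda2

# ---------------------------------------------------------------------------
# Variant 2: dropbear bound to one address on port 22, explicit interface
# ---------------------------------------------------------------------------

apt install dropbear-initramfs

vim /etc/dropbear-initramfs/config
# Set in that file (same flags as variant 1, but -p takes address:port so
# dropbear listens only on 10.0.0.1):
DROPBEAR_OPTIONS="-p 10.0.0.1:22 -s -j -k -I 60"
# Interfaces matching this pattern are brought down when leaving the
# initramfs, so the booted system configures its network from scratch.
IFDOWN=*

# Add the public keys here; the ed25519 and key-restriction notes from
# variant 1 apply unchanged.
vim /etc/dropbear-initramfs/authorized_keys

# Rebuild the initramfs.
update-initramfs -u

# Kernel command line; the interface name (eno1 here) must be the real one.
vim /etc/default/grub
# Like:    GRUB_CMDLINE_LINUX_DEFAULT="ip=client-ip::gw-ip:netmask:hostname:interface:autoconf"
# Example: GRUB_CMDLINE_LINUX_DEFAULT="quiet ip=10.0.0.1::10.0.0.2:255.255.255.0:fooserver:eno1:off"
# (Also maybe add numa=off)

# Regenerate the grub configuration.
update-grub

# On the client, add to ~/.ssh/config an entry for the initramfs dropbear.
# Dropbear shares 10.0.0.1:22 with the booted system's sshd but normally has
# a different host key, so HostKeyAlias stores its key under its own name in
# known_hosts. Without it every reboot shows a host-key-changed warning, and
# a real change would be indistinguishable from the routine one.
Host fooserver-disk
    Hostname 10.0.0.1
    Port 22
    User root
    PasswordAuthentication no
    IdentityFile ~/.ssh/id_rsa
    HostKeyAlias fooserver-disk

# When the system boots and waits for the passphrase, connect to it:
ssh fooserver-disk

# Once logged in to the initramfs shell, run:
cryptroot-unlock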