Getting a headless connection to a server

I just learnt how to get a headless connection to a server before it has even booted. This gives access to LUKS and LVM, giving the oppurtunity to decrypt an encrypted hard drive. The solution was in this blog post. I also found a post about this on Stack Exchange, which I decided to contribute to. For my own later reference, I’ll repost the walkthrough here.


I have summarized what you need to do in the following. For more details, have a look at the post above:

  1. Install BusyBox and Dropbear on your server
    sudo apt-get install dropbear busybox 
  2. Update your initramfs on the server
    sudo update-initramfs -u 
  3. Copy the private key generated by dropbear to your client machine. You may have to copy this to a new dir and change ownership to do this. On your server do the following:
    sudo cp /etc/initramfs-tools/root/.ssh/id_rsa ~/. sudo chown user:user ~/id_rsa 

    Remember to replace user with your username. Password logins don’t seem to work.

  4. Now you may transfer the private key with scp by calling the following on your client:
    scp user@remote.server:~/id_rsa ~/.ssh/id_rsa_dropbear 
  5. Set up your client‘s ~/.ssh/config file for easy login. Open it up with a text editor and add the following:
    Host myremoteserver
    HostName my.remote.server
    User root
    UserKnownHostsFile ~/.ssh/known_hosts.initramfs
    IdentityFile ~/.ssh/id_rsa_dropbear

    Change the Host to whatever you like and HostName to the name of your server. Let the user be root. It appears to be the only accepted user in Dropbear. Save and close the file.

  6. Restart your server and wait for the passphrase prompt. Give Dropbear a few seconds to detect and set up its internet connection. Connect to your server with the following command on your client:
    ssh myremoteserver # or any name you chose 
  7. When logged in, issue the following command on your server. See the blog post for details:
    pid=`ps | grep "/scripts/local-top/cryptroot" | cut -d " " -f 3`;
    kill -9 $pid; sleep 35; /scripts/local-top/cryptroot;
    pid=`ps | grep "/bin/sh" | cut -d " " -f 3`;
    kill -9 $pid;

    It will take some time (30 seconds) before you get to type your passphrase. Type it in when prompted.

  8. Close the connection by typing
  9. Your server should now have unlocked its encrypted hard drive and boot as normal.

(A huge thanks to the original author of the blog post!)


Published by

Svenn-Arne Dragly

I'm a physicist and programmer, writing about the stuff I figure out as I go.

One thought on “Getting a headless connection to a server”

  1. Hey,

    Just done this on a Squeeze box, troubleshooting over KVM.

    I had to adjust servers /etc/default/grub to have:
    GRUB_CMDLINE_LINUX=”rootdelay=60″ (60 seconds; if you need more – change it)

    Basicaly the difference between “sleep 35” and “rootdelay=60″ will give you 25 seconds (after the passphrase prompt shows up over ssh) to type your passphrase and exit.
    Otherwise the local console drops to busybox itself due to root device not found and typing your passphrase will not be enough to make the boot process progress.

    If you have a static IP:
    GRUB_CMDLINE_LINUX=”ip=IP.IP.IP.IP::GW.GW.GW.GW:NM.NM.NM.NM::eth0:none rootdelay=60”
    otherwise dropbear tries to get one over DHCP.

    It might also work if you make the “sleep 35” less like “sleep 10” but I haven’t looked further into this. As far as the system can be unlocked remotely over SSH – I’m happy 🙂

    Thanks for this post.

Leave a Reply