Ubuntu 24.04 LTS Dropbear Setup

I played around with LUKS encryption in one of my Ubuntu Proxmox VMs. Quickly ran into the first inconvenience: having to type in the decryption password every single time I reboot the VM. The Proxmox noVNC console isn’t really great with copy and paste on macOS. So, having to type it by hand all the time was painful.

The solution is to be able to do it via SSH. I knew that Dropbear (a tiny SSH server) was the tool for that; I had just never configured it. It wasn’t easy, but it also wasn’t hard.

sudo apt install dropbear-initramfs

The configuration I’ve sourced from other pages and gists I found:

# /etc/dropbear/initramfs/dropbear.conf
DROPBEAR_OPTIONS="-I 180 -j -k -p 22 -s -c cryptroot-unlock"
  • -I 180: disconnect if nothing is received within 180 seconds
  • -j: disable local port forwarding
  • -k: disable remote port forwarding
  • -p 22: listen on port 22 (the default SSH port)
  • -s: disable password logins (we’ll add our public key later)
  • -c cryptroot-unlock: execute the given command (cryptroot-unlock) after successful authentication.

Some like to change the default SSH port. Personally, I’m only doing this at home with trusted clients on the subnet, so I don’t really mind using the default SSH port.

Most tutorials also configure a static IP. I’m not doing that as I can find the IP via my router interface quite easily.

Update 21-05-2025: I’ve moved on to using static IPs using the above link. The Dropbear IP is the same as it would be once the VM is decrypted, which is convenient.

Then, create the authorized_keys:

sudo vim /etc/dropbear/initramfs/authorized_keys

Add your public key:

ssh-ed25519 ABCDEFHIJK0123456789 luis

Pro tip: Should you not be able to simply download that key from somewhere or copy-paste it, I detail a little workaround using netcat in another TIL.

Adjust the permissions:

sudo chmod 600 /etc/dropbear/initramfs/authorized_keys

Dropbear has its own host identification key. Usually, you want to reuse the host keys already in place to avoid the nasty SSH “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!” every time. To do that:

sudo dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/initramfs/dropbear_rsa_host_key
sudo dropbearconvert openssh dropbear /etc/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key
sudo dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/initramfs/dropbear_ecdsa_host_key

Let Dropbear rebuild its integration into the boot process:

sudo update-initramfs -k all -u

Verify that this command doesn’t output any warnings. For example, it will tell you if it can’t read the authorized_keys file.
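
Added example (not part of the original post): a small pre-flight check for the two files edited above, which can be run before update-initramfs. It verifies that DROPBEAR_OPTIONS carries the hardening flags described earlier and that authorized_keys is private and holds a key. The function name check_dropbear_initramfs is hypothetical, and the check assumes each flag is written separately, as in the config above.

```shell
#!/bin/sh
# Added example (not from the original post). check_dropbear_initramfs is a
# hypothetical helper name. Usage, as root:
#   check_dropbear_initramfs /etc/dropbear/initramfs/dropbear.conf \
#       /etc/dropbear/initramfs/authorized_keys
# Prints each finding to stderr and returns non-zero if there is any.
check_dropbear_initramfs() {
    conf=$1 keys=$2 bad=0
    note() { echo "FINDING: $*" >&2; bad=1; }

    # dropbear.conf is a shell fragment; source it in a subshell.
    opts=$( . "$conf" 2>/dev/null && printf '%s' "$DROPBEAR_OPTIONS" )
    [ -n "$opts" ] || note "no DROPBEAR_OPTIONS set in $conf"

    # Assumes every flag is written separately, as in the config above.
    has_s=0 has_j=0 has_k=0 forced=
    set -- $opts
    while [ $# -gt 0 ]; do
        case $1 in
            -s) has_s=1 ;;
            -j) has_j=1 ;;
            -k) has_k=1 ;;
            -c) forced=${2:-}; [ $# -gt 1 ] && shift ;;
            -I|-p) [ $# -gt 1 ] && shift ;;   # skip the flag's argument
        esac
        shift
    done
    [ "$has_s" = 1 ] || note "-s missing: password logins are not disabled"
    [ "$has_j" = 1 ] || note "-j missing: local port forwarding is not disabled"
    [ "$has_k" = 1 ] || note "-k missing: remote port forwarding is not disabled"
    [ "$forced" = cryptroot-unlock ] ||
        note "-c cryptroot-unlock missing: login is not limited to the unlock prompt"

    if [ ! -s "$keys" ]; then
        note "$keys is missing or empty"
    else
        # The mode string must show no group/other bits, e.g. -rw-------
        case $(ls -ld "$keys") in
            -r?-------*) ;;
            *) note "$keys is accessible to group or others" ;;
        esac
        grep -Eq '(^| )(ssh-ed25519|ssh-rsa|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/=]+' \
            "$keys" || note "$keys has no recognisable public key line"
    fi
    return "$bad"
}
```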

If all is well, it’s time to reboot.

sudo reboot

Sidenote:

Once, my boot process went awry. I got to a screen where I saw “cat not found” and “sleep not found” being printed in a loop. I panicked. Someone on the internet had a solution: first do ALT+F4 to stop the looping. Then, log into your computer as you do.

I only re-ran the above update-initramfs command, rebooted and that seems to have fixed it for me.

In the linked article, however, they recommend reinstalling Dropbear (apt remove --purge dropbear-initramfs followed by apt install dropbear-initramfs). Just so you know.

After a couple of seconds, I tried connecting to my VM via SSH:

ssh root@myvm-ip

It should greet you with:

Please unlock disk dm_crypt-0:

Woop woop!