Dropbear

Remote unlock of an encrypted root filesystem over SSH at boot. Note that most systems do not encrypt /boot, so the dropbear host keys live in the unencrypted initramfs where anyone with access to the disk can read or replace them; treat them as compromised/untrusted and use a separate, dedicated key pair for dropbear, never the keys you use elsewhere!

See wireguard-initramfs to bring up a WireGuard tunnel on boot, so the remote root FS unlock happens over a fully encrypted tunnel!

Dropbear Setup

Install dropbear package
apt install dropbear-initramfs

Set dropbear options:

0644 root root /etc/dropbear-initramfs/config
#
# Configuration options for the dropbear-initramfs boot scripts.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files under the '/etc/dropbear-initramfs' directory).

#
# Command line options to pass to dropbear(8)
# -s -g   disable password auth for users and for root (key auth only)
# -j -k   disable local and remote port forwarding
# -m      disable MOTD
# -p 22   listen on all interfaces, port 22
# -T 10   allow at most ten authentication attempts per connection
DROPBEAR_OPTIONS='-s -g -j -k -m -p 22 -T 10'

#
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#
IFDOWN=*

#
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage.  This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#
DROPBEAR_SHUTDOWN_TIMEOUT=60

Dropbear uses its own binary format for host keys (OpenSSH host keys are not used directly). Generate a new host key for it, and remove the other key types so only the one you generated is offered:

Generate new dropbear host keys (RSA 4096); remove unused.
dropbearkey -t rsa -s 4096 -f /etc/dropbear-initramfs/dropbear_rsa_host_key
rm /etc/dropbear-initramfs/dropbear_{dss,ecdsa,ed25519}_host_key

Create a dedicated SSH key pair to use only for dropbear (do not reuse keys from elsewhere). Protect the private key with a passphrase. Install the public key as dropbear's authorized_keys.

Create SSH keys and set authorized keys for dropbear.
ssh-keygen -b 4096 -t rsa -f ~/.ssh/dropbear
cp ~/.ssh/dropbear.pub /etc/dropbear-initramfs/authorized_keys

Update Kernel

The initramfs (the kernel's boot image, which is where dropbear and its config live) must be regenerated every time the dropbear configuration, host keys or authorized_keys change; until then the running image still carries the old settings.

Update Kernel with Dropbear configuration.
update-initramfs -u
update-grub
reboot
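After the update, it is worth confirming that the rebuilt image actually carries the configuration you expect before rebooting. The script below is an added example (not from the original page or the dropbear-initramfs project): it checks the DROPBEAR_OPTIONS line for the hardening flags used in the config above, and inspects an `lsinitramfs` listing for the dropbear binary, the RSA host key and authorized_keys while flagging any of the removed host key types. The config and listing embedded in it are constructed samples; `verify_live_initramfs` runs the same checks against the real image at `/boot/initrd.img-$(uname -r)` and the config path used on this page. The directory layout inside the image is assumed to vary between versions, so the checks match on the tail of each path.

```shell
#!/bin/sh
# Post-update checks for a dropbear-initramfs setup (added example; the
# config path follows the page's /etc/dropbear-initramfs layout).

# Flags that should be present in DROPBEAR_OPTIONS, matching the config
# above: -s/-g disable password auth, -j/-k disable port forwarding.
REQUIRED_FLAGS="-s -g -j -k"

# extract_options CONFIG_FILE
# Prints the (unquoted) value of the last DROPBEAR_OPTIONS= line; comment
# lines are ignored because they do not start with the key.
extract_options() {
    grep '^DROPBEAR_OPTIONS=' "$1" | tail -n 1 | cut -d= -f2- | tr -d "'\""
}

# check_dropbear_options OPTIONS_STRING
# Returns 0 when every required flag is present, 1 otherwise.
check_dropbear_options() {
    missing=""
    for flag in $REQUIRED_FLAGS; do
        case " $1 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "DROPBEAR_OPTIONS missing hardening flags:$missing" >&2
        return 1
    fi
    return 0
}

# check_initramfs_listing LISTING_FILE
# LISTING_FILE holds the output of `lsinitramfs IMAGE`. The exact directories
# inside the image vary between dropbear-initramfs versions (assumption), so
# the checks match on the tail of each path.
check_initramfs_listing() {
    rc=0
    for pattern in 'bin/dropbear$' 'dropbear_rsa_host_key$' 'authorized_keys$'; do
        if ! grep -q "$pattern" "$1"; then
            echo "missing from initramfs: $pattern" >&2
            rc=1
        fi
    done
    # The other host key types were removed on the host; a stale copy inside
    # the image would mean the old keys are still offered to clients.
    if grep -Eq 'dropbear_(dss|ecdsa|ed25519)_host_key$' "$1"; then
        echo "initramfs still carries host key types that were removed" >&2
        rc=1
    fi
    return $rc
}

# verify_live_initramfs [IMAGE] [CONFIG]
# Runs both checks on the real image (needs lsinitramfs from initramfs-tools
# and root to read the config).
verify_live_initramfs() {
    image="${1:-/boot/initrd.img-$(uname -r)}"
    config="${2:-/etc/dropbear-initramfs/config}"
    listing=$(mktemp)
    lsinitramfs "$image" > "$listing"
    if check_dropbear_options "$(extract_options "$config")" &&
       check_initramfs_listing "$listing"; then rc=0; else rc=1; fi
    rm -f "$listing"
    return $rc
}

# --- constructed sample input, not taken from a real system ---
SAMPLE_CONFIG=$(mktemp)
SAMPLE_LISTING=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_LISTING"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# DROPBEAR_OPTIONS='-p 22'   (commented-out line, must be ignored)
DROPBEAR_OPTIONS='-s -g -j -k -m -p 22 -T 10'
IFDOWN=*
EOF
cat > "$SAMPLE_LISTING" <<'EOF'
etc/dropbear
etc/dropbear/dropbear_rsa_host_key
root/.ssh/authorized_keys
usr/sbin/dropbear
scripts/init-premount/dropbear
EOF

# Stand-alone run: both checks against the constructed sample.
if check_dropbear_options "$(extract_options "$SAMPLE_CONFIG")" &&
   check_initramfs_listing "$SAMPLE_LISTING"; then
    echo "sample config and listing pass"
else
    echo "sample checks FAILED" >&2
fi
```

Run `verify_live_initramfs` as root right after `update-initramfs -u`; a non-zero exit means the image on disk does not match the config you just edited, which is the usual reason a remote unlock prompt "suddenly" stops accepting your key.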

Remote Unlock

While the machine waits at the passphrase prompt, SSH in with the dropbear key, run cryptroot-unlock and enter the passphrase:
ssh -i ~/.ssh/dropbear root@remote_host
# cryptroot-unlock
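The initramfs dropbear answers on the same address and port as the normal OpenSSH daemon once the system is up, but with a different host key, so a plain `ssh` either warns that the host identification changed on every unlock or trains you to accept such warnings. The wrapper below is an added example (not part of the original page): it keeps the dropbear host key in its own known_hosts file, offers only the dedicated dropbear key, and refuses unknown or changed host keys. The `SSH_BIN` variable and the `~/.ssh/known_hosts.initramfs` file name are assumptions introduced here so the command can be inspected without a live host.

```shell
#!/bin/sh
# Remote-unlock wrapper (added example, not part of the original page).
# Pins the initramfs dropbear host key in its own known_hosts file and
# offers only the dedicated dropbear client key.

# SSH_BIN is an assumption for this example: set it to a stub such as
# `echo` to inspect the generated command without contacting a host.
SSH_BIN="${SSH_BIN:-ssh}"

# dropbear_ssh HOST [PORT] [KEY] [KNOWN_HOSTS]
#   -o IdentitiesOnly=yes        offer only the given key, not every key
#                                the agent happens to hold
#   -o UserKnownHostsFile=FILE   keep dropbear's host key apart from the
#                                OpenSSH host key that answers on the same
#                                address once the system is up, so the
#                                normal known_hosts entry stays valid and a
#                                real host key change still gets noticed
#   -o StrictHostKeyChecking=yes refuse an unknown or changed host key
#   -t                           allocate a tty for the passphrase prompt
dropbear_ssh() {
    host="$1"
    port="${2:-22}"
    key="${3:-$HOME/.ssh/dropbear}"
    known_hosts="${4:-$HOME/.ssh/known_hosts.initramfs}"
    "$SSH_BIN" \
        -o IdentitiesOnly=yes \
        -o "UserKnownHostsFile=$known_hosts" \
        -o StrictHostKeyChecking=yes \
        -i "$key" \
        -p "$port" \
        -t "root@$host" cryptroot-unlock
}

# Usage: sh unlock.sh HOST [PORT] [KEY] [KNOWN_HOSTS]
if [ $# -gt 0 ]; then
    dropbear_ssh "$@"
fi
```

Because StrictHostKeyChecking=yes rejects a host key it has never seen, seed the known_hosts file before the first unlock: `dropbearkey -y -f /etc/dropbear-initramfs/dropbear_rsa_host_key` prints the public key in OpenSSH format on the host, and that `ssh-rsa AAAA...` line prefixed with the host name (or `[host]:port` for a non-default port) is the known_hosts entry to add.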