bike9876@エボ猫.コム

Enable ssh from remote host to unlock encrypted root partition when booting rpi5

NB rpi5 is running arch linux

It is assumed the pi is already set up with an encrypted root partition that requires the encryption passphrase to be entered on a keyboard on boot.

The steps here allow the passphrase to be entered via ssh from a remote host. They are all run on the pi unless otherwise stated.

Install and set up mkinitcpio-dropbear and mkinitcpio-utils

Run

sudo pacman -S mkinitcpio-dropbear mkinitcpio-utils

Copy the public ssh key of the system that will be used to log in to the rpi into /etc/dropbear/root_key on the pi (more than one key is allowed, one per line).

Eg (run from the system that will be used to unlock the pi), if your public ssh key is at ~/.ssh/id_ed25519.pub:

cat ~/.ssh/id_ed25519.pub | ssh <rpi5> "sudo tee -a /etc/dropbear/root_key >/dev/null"

<rpi5> is the ip address of the rpi (or a hostname that resolves to that ip address). The sudo belongs on the pi side, since the file is root-owned there; putting sudo in front of ssh would run ssh as the local root user, with root's ssh keys and known_hosts rather than your own. This assumes the login user on the pi can run sudo without a password prompt (or is root); otherwise copy the key over in two steps.

If /etc/dropbear/root_key is changed later, rerun sudo mkinitcpio -P on the pi (see below), because the keys are copied into the initramfs when it is built.

In /etc/mkinitcpio.conf, add dropbear to the HOOKS list just before encrypt and replace the encrypt hook with encryptssh, eg:

sudo sed -i -e 's/^\(HOOKS=(.*\) encrypt \(.*\)/\1 dropbear encryptssh \2/' /etc/mkinitcpio.conf

The sed only matches if encrypt appears with a space on each side inside the HOOKS=(...) line, so check the result afterwards with grep ^HOOKS /etc/mkinitcpio.conf.

Recreate initrd:

sudo mkinitcpio -P

Set kernel to try to obtain an ip address on boot

Edit /boot/cmdline.txt, add kernel parameters at end:

  ip=:::::eth0:dhcp carrier_timeout=30

This names the network device “eth0” (which is generally what the ethernet interface is called in early boot, even if it is renamed later). The kernel will get its ip address from the router via dhcp.

carrier_timeout is optional, but helpful if no ethernet cable is actually plugged into the pi: the boot process will then only wait 30s for the network (as opposed to the default 120s) before timing out [1].

The above assumes the pi is connected via an ethernet cable.

If you want to specify a static ip address instead, use something like:

  ip=192.168.1.20:::::eth0 carrier_timeout=30

The field order is client:server:gateway:netmask:hostname:device:autoconf. Leaving the netmask and gateway empty, as above, lets the kernel guess the netmask from the address class and sets no default route, which is fine as long as the host doing the unlocking is on the same LAN.

Reboot pi and unlock encrypted root remotely

Reboot the pi. After about 30s, it should be ready to accept a remote ssh connection. On a remote host (whose public key has been saved in /etc/dropbear/root_key on the pi) run:

ssh <rpi5> -l root

(see above re <rpi5>)

When prompted with a message like:

Enter passphrase for /dev/nvme0n1p2:

(the device name will vary according to which partition the encrypted root is on), enter the encryption passphrase.

After 10s or so the rpi should have fully booted, eg it should be possible to ssh into it as normal.


[1] With dhcp there is still a long delay (~80s) after the network times out before the boot proceeds; unclear why.