I'm trying to set up a Debian 12 system with an encrypted root filesystem using LUKS on a remote OVH VPS. My goal is to use dropbear-initramfs to allow SSH access during boot so I can unlock the LUKS-encrypted root filesystem remotely. I've managed to encrypt the root filesystem and install dropbear-initramfs, but when I boot, GRUB prompts me for the encryption key and hangs before starting the dropbear service. I'm not sure what I've missed or how to proceed from here.
Here's what I've tried so far: I configured dropbear to use different ports for testing, but I can't connect via SSH since the machine doesn't even respond to pings. I checked my configuration files, including `/etc/crypttab` and `/etc/default/grub`, and I did a complete update of my initramfs and grub. The issue seems to be with GRUB needing `GRUB_ENABLE_CRYPTODISK=y`, which I don't want, since I prefer dropbear handling the decryption instead. Can someone help me figure out what went wrong?
2 Answers
Got it! You need a non-encrypted `/boot`. Normally, both `/boot` and `/boot/efi` should be unencrypted to ensure GRUB can access them. About shrinking your encrypted partition, tools like GParted can help, but ensure you've backed up your data just in case. And yes, `/boot` can use ext4; ext2 is recommended, but ext4 works fine as long as your setup supports it.
It sounds like your kernel and initrd are in an encrypted filesystem. For dropbear to work, the kernel and initrd need to be in a non-encrypted filesystem, typically `/boot`. If everything is stored in `/` which is encrypted, GRUB won't be able to load the necessary files to proceed. You might need to create a separate `/boot` partition that isn’t encrypted. If space is tight, consider resizing your root partition to free up some room for this.
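A way to check the condition both answers describe, whether `/boot` sits on top of a LUKS layer, as an added example that is not part of the original answers. It assumes util-linux `findmnt` and `lsblk` are available; the function names and sample device names are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a disk layout for dropbear-initramfs unlocking.
# A "chain" is the "NAME TYPE" listing printed by
#   lsblk -sln -o NAME,TYPE <device>
# i.e. the device followed by every layer underneath it.

# Succeeds (exit 0) if any layer in the chain ($1) is a dm-crypt mapping.
has_crypt_layer() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# $1 = chain of the filesystem holding /boot, $2 = chain of /
classify_layout() {
    if has_crypt_layer "$1"; then
        # GRUB has to unlock the disk before it can read kernel + initrd,
        # so the initramfs (and dropbear inside it) never gets to start.
        echo "boot-encrypted"
    elif has_crypt_layer "$2"; then
        # GRUB reads /boot directly; the initramfs unlocks /.
        echo "ok"
    else
        echo "root-not-encrypted"
    fi
}

# Constructed sample chains (device names are made up).
SAMPLE_SINGLE_CRYPT='sda1_crypt crypt
sda1 part
sda disk'
SAMPLE_PLAIN_BOOT='sda1 part
sda disk'
SAMPLE_CRYPT_ROOT='sda2_crypt crypt
sda2 part
sda disk'

# Live lookup: findmnt -T resolves the filesystem that contains the path,
# so a /boot that is only a directory on / yields the chain of /.
chain_for() {
    lsblk -sln -o NAME,TYPE "$(findmnt -n -o SOURCE -T "$1")"
}

if [ "${1:-}" = "--live" ]; then
    classify_layout "$(chain_for /boot)" "$(chain_for /)"
fi
```

Run it with `--live` on the installed system to classify the real layout.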