Michael Shriver Senior Computer Specialist - College of the Environment

Configure Remote Headless Disk Unlock

Install required packages:

sudo apt update
sudo apt upgrade
sudo apt install dropbear-initramfs

Edit /etc/dropbear-initramfs/config (the options below set a 180 second idle timeout, disable local and remote port forwarding, and disable password logins, so only the key added further down can reach the unlock shell):

DROPBEAR_OPTIONS="-I 180 -j -k -s"

Import your host keys from OpenSSH, so the initramfs presents the same host key as the running system and your client does not see a host-key change at the unlock prompt. dropbearconvert only reads PEM-format private keys, which is why the copies are rewritten with ssh-keygen -m PEM -p first (answer with an empty passphrase). Run these as root:

rm /etc/dropbear-initramfs/dropbear_*_key
mkdir /etc/ssh/tmp
cp /etc/ssh/ssh_*_key /etc/ssh/tmp/
chmod 700 /etc/ssh/tmp/*
ssh-keygen -m PEM -p -f /etc/ssh/tmp/ssh_host_ecdsa_key
ssh-keygen -m PEM -p -f /etc/ssh/tmp/ssh_host_rsa_key
/usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/tmp/ssh_host_ecdsa_key /etc/dropbear-initramfs/dropbear_ecdsa_host_key
/usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/tmp/ssh_host_rsa_key /etc/dropbear-initramfs/dropbear_rsa_host_key
rm -fr /etc/ssh/tmp

Authorize the public key of the client that will perform the unlock (here the author's dedicated unlock key, kept under ~/Cloud/Configs/ssh):

cat ~/Cloud/Configs/ssh/id_rsa_cryptsetup.pub >> /etc/dropbear-initramfs/authorized_keys

To disable the GRUB splash screen (so the unlock prompt and the boot messages are visible on the console), edit /etc/default/grub and remove the words “quiet splash” from this line, leaving the value empty:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

Install into initramfs and regenerate the GRUB configuration (both need root):

sudo update-initramfs -u -v
sudo update-grub2

Configure Unlocking over Wifi:

This section is copied almost entirely from: https://www.marcfargas.com/2017/12/enable-wireless-networks-in-debian-initramfs/

initramfs-tools

The Debian system uses what is known as initramfs-tools to build the initramfs for the installed kernel images. It ships a command, update-initramfs, which creates and updates such images. The tool is highly extensible (in fact, lots of packages extend it) by the end user through the folder /etc/initramfs-tools/, where hooks and scripts can be placed to customize the image build and/or the boot process. A very good place to start is man initramfs-tools, and for our purpose today the SCRIPTS section in particular. What we need initramfs-tools to do for us:

1. Put the wireless kernel modules (and their firmware) into the image.
2. Put wpa_supplicant, wpa_cli and a wpa_supplicant.conf for the network we need at boot into the image.
3. Bring the wireless link up before cryptsetup (or whatever asks for the disk) runs.
4. Stop the initramfs copy of wpa_supplicant once the real root is mounted, so the booted system can take the interface over.

That sounds easy.

Custom hook

We will use a hook to do the first two steps. Note that for the modules part you can simply type the module names into /etc/initramfs-tools/modules and it should work; we do it in the hook just to keep everything together.

This goes into /etc/initramfs-tools/hooks/enable-wireless, make sure to put the right modules on the manual_add_modules line.

#!/bin/sh
set -e
PREREQ=""
prereqs()
{
    echo "${PREREQ}"
}
case "${1}" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions

# CHANGE HERE for your correct modules.
manual_add_modules iwlwifi iwlmvm
copy_exec /sbin/wpa_supplicant
copy_exec /sbin/wpa_cli
copy_file config /etc/initramfs-tools/wpa_supplicant.conf /etc/wpa_supplicant.conf

Pretty straightforward: the upper half is boilerplate required by initramfs-tools, see the manpage for more. The rest is quite readable: add the modules (this also pulls in their firmware), copy the wpa* binaries, copy the configuration.

Now, wpa_supplicant.conf is unique to you; as always, man wpa_supplicant.conf is your friend. Here is an example:

# Sample /etc/initramfs-tools/wpa_supplicant.conf
# note that this is independent of the system /etc/wpa_supplicant.conf (if any)
# only add the network you need at boot time. **And keep the ctrl_interface** !!
ctrl_interface=/tmp/wpa_supplicant

network={
    ssid="MyNetwork"
    scan_ssid=1
    psk="network passphrase"
    key_mgmt=WPA-PSK
}

Connection script (init-premount)

Now, we need the system to start the supplicant, connect and move on. This can’t be done at the init-top stage because not even the kernel modules are available by then, so init-premount looks fine. The problem? Whatever the reason you are reading this, the thing that needs the network (mandos-client, cryptsetup, …) most likely also runs in init-premount, and initramfs-tools comes with this warning in the manpage:

No guarantees are made as to the order in which the different scripts are executed unless the prereqs are setup in the script.

So… dirty hack is to assume alphabetical order of execution and put “a_” in front of the script. It works, for now.

This goes into /etc/initramfs-tools/scripts/init-premount/a_enable_wireless. You need to change INTERFACE= and, maybe, AUTH_LIMIT (the timeout in seconds):

#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /scripts/functions

AUTH_LIMIT=30
INTERFACE="wlp5s0"

# A function rather than an alias: aliases are not reliably expanded in non-interactive shells.
wpacli() {
    /sbin/wpa_cli -p/tmp/wpa_supplicant -i"$INTERFACE" "$@"
}

# Succeeds once the supplicant reports a completed association; quoting keeps the
# test valid while wpa_cli is not answering yet and the grep output is empty.
wlan_up() {
    [ "$(wpacli status 2>/dev/null | grep '^wpa_state=')" = "wpa_state=COMPLETED" ]
}

log_begin_msg "Starting WLAN connection"
/sbin/wpa_supplicant -i"$INTERFACE" -c/etc/wpa_supplicant.conf -P/run/initram-wpa_supplicant.pid -B -f /tmp/wpa_supplicant.log

# Poll once per second for up to AUTH_LIMIT seconds
limit=${AUTH_LIMIT}

echo -n "Waiting for connection (max ${AUTH_LIMIT} seconds)"
while [ "$limit" -ge 0 ] && ! wlan_up
do
    sleep 1
    echo -n "."
    limit=$((limit - 1))
done
echo ""

if ! wlan_up; then
  ONLINE=0
  log_failure_msg "WLAN offline after timeout"
  panic
else
  ONLINE=1
  log_success_msg "WLAN online"
fi

# Hand the interface to initramfs-tools' own network setup, driven by the ip= kernel parameter
configure_networking

Kill when done

Last, but not least, /etc/initramfs-tools/scripts/local-bottom/kill_wireless should contain:

#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

echo "Killing wpa_supplicant so the system takes over later."
# The pid file is written by the init-premount script above; skip if it never got that far.
if [ -r /run/initram-wpa_supplicant.pid ]; then
    kill "$(cat /run/initram-wpa_supplicant.pid)"
fi

Final touches

You may have noticed we use the provided configure_networking function. It relies on you passing the proper ip= kernel parameter, so make sure to supply it; for GRUB, just set GRUB_CMDLINE_LINUX in /etc/default/grub like:

GRUB_CMDLINE_LINUX="ip=:::::wlp5s0:on panic=10"

(the ip= parameter is documented in the kernel's nfsroot documentation). The panic=10 makes the system reboot if something goes wrong (like a network failure); when testing you might prefer break=premount or some other option, see the initramfs-tools manpage or the Debian wiki InitramfsDebug page.

Make the scripts executable, and, finally, rebuild initramfs and update-grub:

chmod +x /etc/initramfs-tools/scripts/local-bottom/kill_wireless
chmod +x /etc/initramfs-tools/scripts/init-premount/a_enable_wireless
chmod +x /etc/initramfs-tools/hooks/enable-wireless

update-initramfs -k all -u
update-grub
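Before rebooting a box you cannot reach with a keyboard, it is worth checking that the rebuilt image really contains the dropbear pieces from the first part and the wireless pieces from the second. The following script is an added example, not part of the original notes or of initramfs-tools: it lists the image with lsinitramfs(8), checks for the expected files by basename (the patterns are my assumption about where the hooks put things), and warns when the image is readable by other users, which matters here because the wifi PSK now sits in plaintext inside it.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a rebuilt initramfs carries
# the dropbear and wireless pieces, and that it is not world-readable, since it
# now embeds the wifi PSK. Basename patterns are an assumption about the layout.
# Usage: sh check-initramfs.sh /boot/initrd.img-$(uname -r)
set -ef

REQUIRED='sbin/dropbear$ /authorized_keys$ /dropbear_.*_host_key$ sbin/wpa_supplicant$ sbin/wpa_cli$ /wpa_supplicant.conf$ /a_enable_wireless$ /kill_wireless$'

# Print every required pattern that has no match in the listing, one per line.
missing_entries() {
    listing="$1"
    for pat in $REQUIRED; do
        printf '%s\n' "$listing" | grep -q -- "$pat" || echo "$pat"
    done
}

# Octal mode as printed by "stat -c %a": private means no group/other bits set.
mode_is_private() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed listing of a correctly built image, for a self-test without root.
SAMPLE_LISTING='usr/sbin/dropbear
etc/dropbear/dropbear_ecdsa_host_key
etc/dropbear/authorized_keys
sbin/wpa_supplicant
sbin/wpa_cli
etc/wpa_supplicant.conf
scripts/init-premount/a_enable_wireless
scripts/local-bottom/kill_wireless'

main() {
    image="$1"
    missing=$(missing_entries "$(lsinitramfs "$image")")
    if [ -n "$missing" ]; then
        printf 'MISSING in %s:\n%s\n' "$image" "$missing"
        return 1
    fi
    echo "all required pieces present in $image"
    mode_is_private "$(stat -c %a "$image")" ||
        echo "WARNING: $image is readable by others; set UMASK=0077 in /etc/initramfs-tools/initramfs.conf and rebuild"
}

# Only touch a real image when a path is given; otherwise just define the functions.
[ $# -eq 0 ] || main "$1"
```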

And… reboot. I suggest you boot with break=bottom so you can check that things work as expected (i.e. with ip link and ip addr).