Remote LUKS unlocking with TinySSH

Wed, Oct 20, 2021 01:00 CEST

Tags: Automation, Security, Encryption, LUKS, SSH

Goodbye keyboards and monitors!

This guide assumes you already have a system with LUKS root encryption. See for instance:


pacman -S mkinitcpio-{netconf,tinyssh,utils}


Put a ed25519 public key there (for instance, generated with ssh-keygen -t ed25519). Syntax is identical to ~/.ssh/authorized_keys.


Replace encrypt hook as follows:

-HOOKS=(... encrypt ...)
+HOOKS=(... netconf tinyssh encryptssh ...)

Regenerate initramfs

mkinitcpio -P

NB1: Current release of mkinitcpio-tinyssh is broken, to fix:

rm -r /etc/tinyssh/sshkeydir
tinyssh-convert < /etc/ssh/ssh_host_ed25519_key /etc/tinyssh/sshkeydir/

NB2: No need to add ethernet module e1000e. Other modules might behave differently. This depends on correct behavior of the autodetect hook.

HOOKS=(base udev autodetect ...)

Boot loader entry

Add the following parameters to your options line


You can find the kernel interface name (eth0) by scanning through dmesg.

NB: DHCP (ip=dhcp or ip=:::::eth0:dhcp with netconf_timeout=60) does not seem to work.