Unlock FDE via ssh

# Dropbear configuration

It is a good idea to run the pre-boot SSH server on a different port and with different SSH host keys than your main SSH server.

This is because the pre-boot server's SSH host keys are stored unencrypted in the /boot partition.
This obviously opens an attack vector (someone with access to /boot could impersonate the login prompt and capture your password), but this is true for every unlock-LUKS-by-SSH setup by design.

To create a unique server key, use:

dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048

The pre-boot server only allows public-key authentication; the list of authorized keys is taken
from `/root/.ssh/authorized_keys`. You need to add your key to this file.

Then you should choose the port on which the pre-boot SSH server will listen.
You can do this by editing `/etc/dracut-ssh-unlock.conf`.

# GRUB2 - enable networking

Now, edit your GRUB2 configuration to provide network on boot. This depends on your distribution.

For openSUSE, edit `/etc/default/grub` and set `GRUB_CMDLINE_LINUX` to contain `rd.neednet=1 ip=dhcp`, i.e.:

GRUB_CMDLINE_LINUX="rd.neednet=1 ip=dhcp"

(you can use a static IP instead of DHCP, see `man dracut.cmdline`)

And rebuild GRUB2 configuration:

grub2-mkconfig --output /boot/grub2/grub.cfg

# Dracut - rebuild initramfs

Next, you'll need to rebuild the initramfs to include the module.

dracut -f

If you see any problems, fix them first and do not reboot. You can easily disable *dracut-ssh-unlock*
by removing `/etc/dracut.conf.d/42-dracut-ssh-unlock.conf` and rebuilding the initramfs again.

You'll also need to rebuild the initramfs whenever you change the configuration (dropbear server key or port); the running pre-boot server uses whatever was copied into the image at build time.

# Usage

After reboot, the server console will show the unlock screen as usual.

You should be able to ping the server and connect with your SSH key on the port you specified (default 2222).
You'll get a limited shell where you can use the `unlock` command to be prompted for the password.

After the disks are unlocked, the SSH server on port 2222 is terminated and the server proceeds with normal boot.
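Because the pre-boot host key sits unencrypted in /boot, the client-side defence against the impersonation noted above is to pin its fingerprint. The following added example (not part of dracut-ssh-unlock) audits a known_hosts file: it assumes the main sshd listens on port 22, the pre-boot server on 2222, and that you recorded the pre-boot key's SHA256 fingerprint on the server beforehand with `dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key`. The key blobs and known_hosts lines below are constructed sample data.

```python
import base64
import hashlib


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, port) -> (keytype, fingerprint) for plain (unhashed) entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue  # skip blanks, comments and hashed hostnames
        hosts, keytype, blob = line.split()[:3]
        for h in hosts.split(","):
            if h.startswith("[") and "]:" in h:
                name, port = h[1:].split("]:")  # non-default port: [host]:port
                entries[(name, int(port))] = (keytype, fingerprint(blob))
            else:
                entries[(h, 22)] = (keytype, fingerprint(blob))
    return entries


def audit(text: str, host: str, preboot_port: int, expected_fp: str) -> list:
    """Return problems found; an empty list means the pre-boot key is pinned and distinct."""
    entries = parse_known_hosts(text)
    problems = []
    pre = entries.get((host, preboot_port))
    main = entries.get((host, 22))
    if pre is None:
        problems.append(f"no known_hosts entry for [{host}]:{preboot_port}")
    else:
        if pre[1] != expected_fp:
            problems.append("pre-boot host key does not match the recorded fingerprint")
        if main is not None and main[1] == pre[1]:
            problems.append("pre-boot server reuses the main sshd host key")
    return problems


# Constructed sample data: fake key blobs and a known_hosts file with both entries.
PREBOOT_BLOB = base64.b64encode(b"constructed pre-boot dropbear key blob").decode()
MAIN_BLOB = base64.b64encode(b"constructed main sshd key blob").decode()
SAMPLE_KNOWN_HOSTS = f"""# constructed sample known_hosts
server.example ssh-ed25519 {MAIN_BLOB}
[server.example]:2222 ssh-rsa {PREBOOT_BLOB}
"""

if __name__ == "__main__":
    print(audit(SAMPLE_KNOWN_HOSTS, "server.example", 2222, fingerprint(PREBOOT_BLOB)))
```

Run it against your real `~/.ssh/known_hosts` with the fingerprint printed by `dropbearkey -y`; a non-empty result after a rebuild means either the initramfs carries a different key than you expect or the entry was never pinned.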
