This is a small walkthrough to reboot a host that uses full disk encryption (LUKS) when the passphrase cannot be entered at boot (remote host).
The walkthrough below is based on Arch Linux.
The idea is to create a keyfile, add it as a valid key to decrypt the root filesystem, let initramfs decrypt the disk using the key and continue the booting process.
Once the reboot is done, the key is removed from the list of allowed keys.
Create the key file
$ dd if=/dev/random of=/crypto_keyfile.bin bs=512 count=8 iflag=fullblock
$ chmod 600 /crypto_keyfile.bin
Add the key as a valid key to unlock the partition
$ cryptsetup luksAddKey /dev/sdaXXX /crypto_keyfile.bin
You can identify which partition is the encrypted one by using
at the content of
/etc/crypttab or even at the
GRUB_CMDLINE_LINUX_DEFAULT entry in
Next initramfs needs to be told to embed the key file. Edit
and add the key path in the
Also make sure the
encrypt hook is present in the list of HOOKS.
Note that the
encrypt hook in the initramfs will by default look for a key
crypto_keyfile.bin so if you choose a different name, you need to add
(see this doc)
Finally, regenerate your initramfs
$ mkinitcpio -p linux
And reboot the host.
After the reboot, remove the key file
$ cryptsetup luksRemoveKey /dev/sdaXXX /crypto_keyfile.bin
Removing the keyfile is very important: it is embedded in the initramfs, so anyone with access to your host can extract the keyfile and unlock the disk.
The solution provided above is temporary. If you need a more permanent (less hacky) solution, look at this page of the Arch wiki.
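A check for the cleanup described above, as an added example that is not part of the original walkthrough: luksRemoveKey only frees the LUKS key slot, so this script also flags a keyfile that is still on disk or still listed for embedding in the initramfs. It assumes mkinitcpio's single-line FILES=(...) and HOOKS=(...) arrays; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): post-reboot cleanup audit.
# Assumption: the config uses mkinitcpio's single-line NAME=(...) arrays.

# Print each element of NAME=(...) from CONF, one per line.
conf_array() {  # usage: conf_array NAME CONF
    sed -n "s/^[[:space:]]*$1=(\([^)]*\)).*/\1/p" "$2" |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Succeed if ENTRY is an exact element of NAME=(...) in CONF.
conf_array_has() {  # usage: conf_array_has NAME ENTRY CONF
    conf_array "$1" "$3" | grep -Fxq -- "$2"
}

# Print one FINDING line per leftover; succeed only when nothing is left.
audit_keyfile_cleanup() {  # usage: audit_keyfile_cleanup CONF KEYFILE
    conf=$1 keyfile=$2 findings=0
    if conf_array_has FILES "$keyfile" "$conf"; then
        echo "FINDING: $keyfile is still in FILES; the next initramfs build embeds it again"
        findings=$((findings + 1))
    fi
    if [ -e "$keyfile" ]; then
        echo "FINDING: $keyfile still exists on disk"
        findings=$((findings + 1))
    fi
    if ! conf_array_has HOOKS encrypt "$conf"; then
        echo "FINDING: encrypt hook missing from HOOKS; no passphrase prompt at next boot"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

if [ "$#" -eq 2 ]; then
    # Called as: script CONF KEYFILE
    audit_keyfile_cleanup "$1" "$2"
else
    # Constructed sample: a scratch config that still embeds a leftover keyfile.
    d=$(mktemp -d); : > "$d/crypto_keyfile.bin"
    printf 'FILES=(%s)\nHOOKS=(base udev encrypt filesystems)\n' "$d/crypto_keyfile.bin" > "$d/conf"
    audit_keyfile_cleanup "$d/conf" "$d/crypto_keyfile.bin" || echo "cleanup incomplete"
    rm -rf "$d"
fi
```

On the host, pass the mkinitcpio configuration file and /crypto_keyfile.bin as the two arguments; a zero exit status means none of the three leftovers was found.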