Remotely reboot a host using full disk encryption

This is small walkthrough to reboot a host that is using full disk encryption (luks) without being able to enter the passphrase at boot (remote).

Below walkthrough is based on arch linux.

The idea is to create a keyfile, add it as a valid key to decrypt the root filesystem, let initramfs decrypt the disk using the key and continue the booting process.

Once the reboot is done, the key is removed from the list of allowed keys.

Create the key file

$ dd if=/dev/random of=/crypto_keyfile.bin bs=512 count=8 iflag=fullblock
$ chmod 600 /crypto_keyfile.bin

Add the key as a valid key to unlock the partition

$ cryptsetup luksAddKey /dev/sdaXXX /crypto_keyfile.bin

You can identify which partition is the encrypted one by using blkid, lsblk, looking at the content of /etc/crypttab or even at the GRUB_CMDLINE_LINUX_DEFAULT entry in /etc/default/grub.

Next initramfs needs to be told to embed the key file. Edit /etc/mkinitcpio.conf and add the key path in the FILES array:


Also make sure the encrypt hook is present in the list of HOOKS.

Note that the encrypt hook in the initramfs will per default look for a key named crypto_keyfile.bin so if you choose a different name, you need to add a cryptkey entry (see this doc)

Finally regenereate your initramfs

$ mkinitcpio -p linux

And reboot the host.

After the reboot, remove the key file

$ cryptsetup luksRemoveKey /dev/sdaXXX /crypto_keyfile.bin

Removing the keyfile is very important since it is embedded in the initramfs so anyone access to your host can extract the keyfile and unlock the disk.

The solution provided above is temporary, if you need a more permanent (less hacky) solution, look at this page of the arch wiki.