How to open a port early in boot process to unlock LUKS via SSH
The subject line is wrong. The problem isn't a closed port, it's a port which wasn't bound. SSHd hasn't started yet; that's the reason you can't connect to it.
The dropbear (SSH server) is supposed to be started very early in the boot phase: earlier than the init (rcN.d) sequence and the firewall init scripts, even earlier than / is mounted (it is encrypted too, right?). So it comes down to the initramfs, the pre-/ userland loaded for the kernel by the boot loader. The image is (re)generated by update-initramfs -u from the contents of /etc/initramfs-tools/, including the dropbear configuration in /etc/initramfs-tools/etc/dropbear/. To play with the dropbear config, play with that one.
Thus, a few points to check:
- dropbear doesn't start: it hasn't been plugged into the initramfs sequence properly;
- the default firewall denies all.
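A quick way to verify the first point on that list, whether dropbear and the cryptroot pieces actually made it into the generated image, as an added example that is not from either answer: the script lists the initramfs with lsinitramfs (shipped with initramfs-tools) and looks for the entries a Debian wheezy-era image needs. The file layout inside the image is an assumption about that release (newer initramfs-tools moves the cryptroot config and the dropbear scripts around), and the sample listings at the bottom are constructed, not captured from a real system. It does nothing about the firewall point.

```sh
#!/bin/sh
# Added example, not part of either answer: check whether the initramfs that
# update-initramfs -u produced actually contains the pieces the dropbear
# unlock path needs, so "dropbear doesn't start" can be told apart from a
# network problem before rebooting.
#
# Usage: sh check-initrd.sh [/boot/initrd.img-<version>]
# (defaults to the running kernel's image)

# Entries a correctly built Debian wheezy-era image carries.  The exact paths
# differ between initramfs-tools releases (assumption: wheezy layout, where the
# cryptroot hook writes conf/conf.d/cryptroot and authorized_keys ends up under
# root/.ssh), so adjust the list if lsinitramfs shows a different layout.
# Matching is by suffix, so sbin/ and usr/sbin/ are both accepted.
REQUIRED_ENTRIES='sbin/dropbear
scripts/init-premount/dropbear
scripts/init-bottom/dropbear
scripts/local-top/cryptroot
conf/conf.d/cryptroot
root/.ssh/authorized_keys'

# missing_from_listing LISTING
# LISTING is text in lsinitramfs(8) format, one path per line.  Prints each
# required entry that is absent, one per line; returns 1 if any is missing.
missing_from_listing() {
    listing=$1
    rc=0
    for entry in $REQUIRED_ENTRIES; do
        if ! printf '%s\n' "$listing" | grep -q -- "$entry\$"; then
            printf '%s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# check_image IMAGE
# Lists a real image with lsinitramfs and reports what is missing.
# Returns 0 when complete, 1 when something is missing, 2 when unreadable.
check_image() {
    image=$1
    if [ ! -r "$image" ]; then
        printf 'cannot read %s\n' "$image" >&2
        return 2
    fi
    if missing=$(missing_from_listing "$(lsinitramfs "$image")"); then
        printf 'ok: %s contains everything the dropbear unlock needs\n' "$image"
        return 0
    fi
    printf 'missing from %s:\n' "$image" >&2
    printf '%s\n' "$missing" | sed 's/^/  /' >&2
    printf 'fix the source under /etc/initramfs-tools/ and rerun: update-initramfs -u\n' >&2
    return 1
}

# Constructed sample listings (not captured from a real machine), abbreviated
# to the entries that matter here.  SAMPLE_GOOD is what a working image looks
# like; SAMPLE_NO_CRYPTROOT is the same image without the cryptroot config,
# the situation the second answer on this page ran into.
SAMPLE_GOOD='.
bin
bin/busybox
conf/conf.d
conf/conf.d/cryptroot
etc/dropbear/dropbear_rsa_host_key
root/.ssh/authorized_keys
sbin/cryptsetup
sbin/dropbear
scripts/init-bottom/dropbear
scripts/init-premount/dropbear
scripts/local-top/cryptroot'
SAMPLE_NO_CRYPTROOT=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v '^conf/conf.d/cryptroot$')

# When run as a script, check a real image (default: the running kernel's).
if [ "${0##*/}" = "check-initrd.sh" ]; then
    check_image "${1:-/boot/initrd.img-$(uname -r)}"
fi
```

Run it as sh check-initrd.sh after every update-initramfs -u. If it reports a missing entry, the fix belongs under /etc/initramfs-tools/ (the hooks, conf.d or etc/dropbear directories), followed by another update-initramfs -u; patching the image by hand is lost at the next regeneration.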
I got this same problem a few weeks ago (Debian Wheezy 7.6), and after some days of troubleshooting I found out that a config file was missing, which was preventing the cryptroot script in init-top from running correctly; hence it did not stop to ask for the password via SSH, and dropbear was killed at the end of the sequence (init-bottom).
The config file is called cryptroot and should be under
If I am not mistaken, that config file should have been created automatically during install (I have read just one tutorial talking about that config file), but somehow it was not (tested on a physical server and in a VM, same OS and versions).
It took me a couple of tries to configure it properly, since I could not find the proper syntax at that time. My cryptroot config file is as follows:
Once the config file is created, just update the initramfs and try again: