Zum Hauptinhalt springen

Hetzner Cloud: LUKS remote unlock on Debian

I recently decided to migrate my mailserver away from the (old) Uberspace 6 to a new, self administrated machine. Uberspace has been great but over time I demanded more features than they offer.
Due to the fact that I want to keep the mailserver for my primary mail address separated from my main server, I once again compared multiple virtual server/cloud server hosters. I decided to give Hetzners new Cloud Server a go as you can use custom images to build the OS (Debian is the distribution of my choice) as you like. That was particularly important to me because as this will be the place where all my existing private mails will be stored it has to be fully encrypted. Because of that I needed some kind of remote unlock mechanism to be able to unlock the machine after a reboot without the need to log into the Hetzner web interface and use the console.
There are plenty of how-to’s on how to achive this with Beardrop as SSH server in initramfs and Busybox as shell but none of these seemed to work as Beardrop never got available on the configured port. What I did notice was this error message during boot up:

SIOCSIFNETMASK: Cannot assign requested address

This correlates with an article in the Hetzner wiki about the default gateway for custom installations on cloud servers as their GW is outside of the used subnet. Even when using DHCP to retrieve the IP and default GW, the setup fails as NetworkManager refuses to use the given GW. The same for static IP configuration in /etc/initramfs-tools/initramfs.conf or /etc/default/grub. So probably Dropbear does not start because the network fails.
I found only one report on this exact problem after hours of trial and error and searching the web for help.

tl;dr

To fix this you need to hook in before the network is set up and add the default route yourself. To do that you can either add a hook in /usr/share/initramfs-tools/hooks or (like the Serverfault thread suggests) add two statements to /usr/share/initramfs-tools/scripts/functions:

ip route add ${IPV4GATEWAY}/${IPV4NETMASK} dev ${DEVICE}
ip route add default via ${IPV4GATEWAY} dev ${DEVICE}

To ensure that this methods works you have to remove the static IP configureation in grub and/or initramfs.conifig and enable DHCP again!