Unlocking Fully Encrypted Servers over Tor

Remote servers should not have to choose between security and availability.

For years, the common compromise has been to expose SSH to the public Internet or to rely on VPNs and provider-specific KVM consoles whenever a LUKS-encrypted server reboots.

I believe there is a better approach.

By combining LUKS, Tor Onion Services, and a lightweight SSH server running directly inside the initramfs, it is possible to build servers that remain fully encrypted at rest, yet can always be unlocked remotely without exposing any public management interface.

This article describes the concept and how it could evolve into a reusable feature for Infinito.Nexus.

The Problem

Full disk encryption protects data when a server is powered off.

However, after every reboot someone must enter the LUKS passphrase.

For remote dedicated servers this usually means one of the following:

  • opening SSH to the Internet
  • connecting through a VPN
  • using a provider’s KVM/IPMI console
  • booting into a rescue system

While remote unlocking via Dropbear inside the initramfs is already a well-known solution, it still typically relies on a publicly reachable IP address.


The Idea

Instead of exposing SSH publicly, start Tor directly inside the initramfs.

The boot sequence would look like this:

Server boots


Kernel + initramfs


Network initialization


Tor starts


Temporary Onion Service appears

unlock-xxxxxxxx.onion


SSH via Tor


cryptsetup luksOpen


Root filesystem unlocked


Operating system boots


Temporary Onion Service disappears

The administrator simply connects through Tor:

torsocks ssh 

After entering the LUKS passphrase, the operating system continues booting normally.


Separate Identities for Boot and Runtime

One of the strongest aspects of this design is that boot-time and runtime use different Onion identities.

Boot environment

  • dedicated Ed25519 key
  • dedicated Onion address
  • only SSH
  • exists only during boot

Example:

unlock-xxxxxxxx.onion

Runtime environment

Once the operating system has booted:

  • the initramfs exits
  • Tor inside initramfs stops
  • a new Tor instance starts
  • completely different Onion addresses become available

For example:

ssh-xxxxxxxx.onion
cloud-xxxxxxxx.onion
matrix-xxxxxxxx.onion
mail-xxxxxxxx.onion

The unlock address simply disappears.

This cleanly separates the trust boundaries between the bootloader environment and the running operating system.


Why Tor?

Using Tor instead of exposing SSH directly provides several advantages:

  • no public IP address required
  • no exposed SSH port
  • no VPN infrastructure
  • works behind NAT or Carrier-Grade NAT
  • management interface is only reachable through the Tor network
  • additional network privacy
  • ideal for self-hosted infrastructure

This is particularly attractive for servers hosted in data centers where administrators rarely have physical access.


What Happens After a Crash?

Whenever the server reboots:

  1. the initramfs starts
  2. networking is initialized
  3. Tor publishes the temporary Onion Service
  4. you connect via SSH
  5. you unlock LUKS
  6. the server continues booting

No KVM console.

No VPN.

No public SSH endpoint.

Only Tor.

Of course, catastrophic failures such as a broken initramfs or missing network drivers still require traditional recovery methods such as a rescue system or KVM.


Existing Building Blocks

Most of the required components already exist today.

My repository hetzner-arch-luks demonstrates how to deploy Arch Linux with full disk encryption on Hetzner servers and configure remote unlocking via SSH during the initramfs stage.

Repository:

https://github.com/kevinveenbirkenbach/hetzner-arch-luks

Another project, linux-image-manager, automates the creation and customization of Linux images and could serve as the foundation for embedding Tor, Dropbear/TinySSH, and the required initramfs configuration into reusable images.

Repository:

https://github.com/kevinveenbirkenbach/linux-image-manager

Together, these repositories provide much of the groundwork required for a fully automated implementation.


Future Integration into Infinito.Nexus

I envision this becoming a native feature of Infinito.Nexus.

Provisioning a server could automatically:

  • install Arch Linux
  • configure LUKS full disk encryption
  • generate an initramfs containing:
    • Tor
    • Dropbear or TinySSH
    • cryptsetup
  • create a dedicated boot-time Onion Service
  • automatically switch to permanent runtime Onion Services after successful boot

From the administrator’s perspective, recovering a rebooted server would be as simple as:

torsocks ssh root@unlock-<hostname>.onion

Enter the passphrase.

The server continues booting.

Nothing is ever exposed to the public Internet.


Looking Ahead

This concept combines three mature technologies:

  • LUKS
  • Tor Onion Services
  • Remote initramfs unlocking

While each technology already exists independently, integrating them into a seamless provisioning workflow could significantly improve the security and usability of encrypted self-hosted infrastructure.

For projects focused on digital sovereignty and privacy, removing the need for publicly exposed management interfaces is a natural next step.



Leave a Reply

Your email address will not be published. Required fields are marked *