Remote servers should not have to choose between security and availability.
For years, the common compromise has been to expose SSH to the public Internet or to rely on VPNs and provider-specific KVM consoles whenever a LUKS-encrypted server reboots.
I believe there is a better approach.
By combining LUKS, Tor Onion Services, and a lightweight SSH server running directly inside the initramfs, it is possible to build servers that remain fully encrypted at rest, yet can always be unlocked remotely without exposing any public management interface.
This article describes the concept and how it could evolve into a reusable feature for Infinito.Nexus.
The Problem
Full disk encryption protects data when a server is powered off.
However, after every reboot someone must enter the LUKS passphrase.
For remote dedicated servers this usually means one of the following:
- opening SSH to the Internet
- connecting through a VPN
- using a provider’s KVM/IPMI console
- booting into a rescue system
While remote unlocking via Dropbear inside the initramfs is already a well-known solution, it still typically relies on a publicly reachable IP address.
The Idea
Instead of exposing SSH publicly, start Tor directly inside the initramfs.
The boot sequence would look like this:
Server boots
│
▼
Kernel + initramfs
│
▼
Network initialization
│
▼
Tor starts
│
▼
Temporary Onion Service appears
unlock-xxxxxxxx.onion
│
▼
SSH via Tor
│
▼
cryptsetup luksOpen
│
▼
Root filesystem unlocked
│
▼
Operating system boots
│
▼
Temporary Onion Service disappears
The administrator simply connects through Tor:
torsocks ssh
After entering the LUKS passphrase, the operating system continues booting normally.
Separate Identities for Boot and Runtime
One of the strongest aspects of this design is that boot-time and runtime use different Onion identities.
Boot environment
- dedicated Ed25519 key
- dedicated Onion address
- only SSH
- exists only during boot
Example:
unlock-xxxxxxxx.onion
Runtime environment
Once the operating system has booted:
- the initramfs exits
- Tor inside initramfs stops
- a new Tor instance starts
- completely different Onion addresses become available
For example:
ssh-xxxxxxxx.onion
cloud-xxxxxxxx.onion
matrix-xxxxxxxx.onion
mail-xxxxxxxx.onion
The unlock address simply disappears.
This cleanly separates the trust boundaries between the bootloader environment and the running operating system.
Why Tor?
Using Tor instead of exposing SSH directly provides several advantages:
- no public IP address required
- no exposed SSH port
- no VPN infrastructure
- works behind NAT or Carrier-Grade NAT
- management interface is only reachable through the Tor network
- additional network privacy
- ideal for self-hosted infrastructure
This is particularly attractive for servers hosted in data centers where administrators rarely have physical access.
What Happens After a Crash?
Whenever the server reboots:
- the initramfs starts
- networking is initialized
- Tor publishes the temporary Onion Service
- you connect via SSH
- you unlock LUKS
- the server continues booting
No KVM console.
No VPN.
No public SSH endpoint.
Only Tor.
Of course, catastrophic failures such as a broken initramfs or missing network drivers still require traditional recovery methods such as a rescue system or KVM.
Existing Building Blocks
Most of the required components already exist today.
My repository hetzner-arch-luks demonstrates how to deploy Arch Linux with full disk encryption on Hetzner servers and configure remote unlocking via SSH during the initramfs stage.
Repository:
https://github.com/kevinveenbirkenbach/hetzner-arch-luks
Another project, linux-image-manager, automates the creation and customization of Linux images and could serve as the foundation for embedding Tor, Dropbear/TinySSH, and the required initramfs configuration into reusable images.
Repository:
https://github.com/kevinveenbirkenbach/linux-image-manager
Together, these repositories provide much of the groundwork required for a fully automated implementation.
Future Integration into Infinito.Nexus
I envision this becoming a native feature of Infinito.Nexus.
Provisioning a server could automatically:
- install Arch Linux
- configure LUKS full disk encryption
- generate an initramfs containing:
- Tor
- Dropbear or TinySSH
- cryptsetup
- create a dedicated boot-time Onion Service
- automatically switch to permanent runtime Onion Services after successful boot
From the administrator’s perspective, recovering a rebooted server would be as simple as:
torsocks ssh root@unlock-<hostname>.onion
Enter the passphrase.
The server continues booting.
Nothing is ever exposed to the public Internet.
Looking Ahead
This concept combines three mature technologies:
- LUKS
- Tor Onion Services
- Remote initramfs unlocking
While each technology already exists independently, integrating them into a seamless provisioning workflow could significantly improve the security and usability of encrypted self-hosted infrastructure.
For projects focused on digital sovereignty and privacy, removing the need for publicly exposed management interfaces is a natural next step.

Leave a Reply