In this short tutorial, I will show you how to unlock your LUKS-encrypted root file system on RHEL 8 / CentOS 8 remotely via SSH. To accomplish this, we will use a third-party dracut module, dracut-sshd.

Before we begin, we will need some details about our system: the Ethernet device, IP address, netmask and gateway.

In this example my configuration is as follows:

Ethernet: eth0

Generate SSH key pair

We need to generate an SSH key pair and include the public key in the initramfs, so that only the holder of the private key can log in to the early-boot sshd.

ssh-keygen -t rsa 
ssh-copy-id -i ~/.ssh/ root@

Install dracut-sshd

This Dracut module (dracut-sshd) integrates the OpenSSH sshd into the initramfs. It allows for remote unlocking of a fully encrypted root filesystem and remote access to the Dracut emergency shell (i.e. early userspace). [1]

dnf copr enable gsauthof/dracut-sshd
dnf install dracut-sshd

Enable dracut Network

Here we add early network support to the initramfs. Adjust the network configuration below to match your environment.

cat <<EOF  >> /etc/dracut.conf.d/99-network.conf

Syntax is:
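
As an added example (not part of this tutorial or of the dracut-sshd project), here is a small POSIX shell helper that assembles the static `ip=` kernel argument in the form dracut documents in dracut.cmdline(7) and sanity-checks each piece first, since a typo here means no network in the initramfs and no way to unlock remotely. The addresses are constructed placeholders, and `rd.neednet=1` is the dracut option that forces the network to be brought up in the initramfs.

```shell
#!/bin/sh
# Added example, not from the tutorial: build and sanity-check the static
# "ip=" argument dracut reads from the kernel command line (dracut.cmdline(7)):
#   ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<hostname>:<interface>:{none|dhcp|...}
# A malformed value here means no network in the initramfs and no SSH unlock.

# is_ipv4 ADDR: succeeds if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
  esac
  set -- $(IFS=.; echo $1)              # split into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# is_netmask MASK: succeeds if MASK is a contiguous netmask such as 255.255.254.0
is_netmask() {
  is_ipv4 "$1" || return 1
  bits=""
  for o in $(IFS=.; echo $1); do
    b=""; n=$o
    for i in 1 2 3 4 5 6 7 8; do b="$((n % 2))$b"; n=$((n / 2)); done
    bits="$bits$b"                      # octet as an 8-bit binary string
  done
  case "$bits" in
    *0*1*) return 1 ;;                  # a 1 after a 0 means non-contiguous
  esac
}

# dracut_ip_arg IP NETMASK GATEWAY IFACE: prints the ip= argument for a static
# address (empty peer and hostname fields, autoconf "none"), fails on bad input
dracut_ip_arg() {
  is_ipv4 "$1" && is_netmask "$2" && is_ipv4 "$3" && [ -n "$4" ] || return 1
  printf 'ip=%s::%s:%s::%s:none\n' "$1" "$3" "$2" "$4"
}

# dracut_network_conf IP NETMASK GATEWAY IFACE: prints the kernel_cmdline line
# for /etc/dracut.conf.d; rd.neednet=1 forces network bring-up in the initramfs
dracut_network_conf() {
  arg=$(dracut_ip_arg "$@") || return 1
  printf 'kernel_cmdline="rd.neednet=1 %s"\n' "$arg"
}

# Constructed placeholder values (RFC 5737 documentation range), not a real host
dracut_network_conf 192.0.2.10 255.255.255.0 192.0.2.1 eth0
```

Redirect the output into your dracut.conf.d file only after checking it against the values of your real interface.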


Force Dracut initramfs regeneration

To include our SSH keys and the dracut network configuration, we force dracut to regenerate the initramfs image.

dracut -f

Flush Dracut network configuration

Since the IP address is configured from the kernel command line, NetworkManager will not apply your configuration from the real root filesystem. This is a problem if you have IP aliases, bonds, bridges, VLANs, etc. configured on your real root.

If your system has only one IP address, you can skip these steps.

cat <<EOF > /etc/systemd/system/flush-dracut-network@.service
[Unit]
Description=Remove dracut's network configuration for %I
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStartPre=/usr/sbin/ip address show %i
ExecStart=/usr/sbin/ip -statistics address flush dev %i
[Install]
WantedBy=multi-user.target
EOF

Enable the systemd unit to flush the dracut configuration on our Ethernet interface.

systemctl enable flush-dracut-network@eth0

Reboot your machine and test : )

Once the initrd has loaded and the network is up, you should be able to log in via SSH and unlock your encrypted root file system with a single command, systemd-tty-ask-password-agent. Here is an example:

ssh root@
initramfs-ssh:/root# systemd-tty-ask-password-agent
Please enter passphrase for disk QEMU_HARDDISK (luks-01a6fbf5-779e-47c0-b7bd-efca0252d5d9)! ********
initramfs-ssh:/root# Connection to closed by remote host.
Connection to closed.
