March 5, 2026
Boot heist, home edition
Remotely unlocking an encrypted hard disk
Unlock your PC from anywhere — fans cheer, security pros panic
TLDR: A developer added remote unlock to the tiny boot OS so they can access an encrypted computer after power outages. Comments split: convenience lovers cite tools like dracut-sshd and Wi-Fi hooks, while security purists warn the key can be intercepted and push integrity protections like dm-verity.
One developer pulled a Mission Impossible: slip a private VPN called Tailscale and a tiny boot-time OS into the earliest part of startup so they can unlock an encrypted computer from far away. The crowd went wild — and divided. Old-schoolers waved receipts, with mmh0000 pointing to veteran tool dracut-sshd, while kotaKat noted Windows shops have used remote pre-boot unlocks for ages. Convenience fans loved the idea: when your house loses power and your server reboots, you don’t want to drive home just to type a password.
Then came the security sirens. ycombinatrix warned that a thief with physical access could intercept the unlock key — “defeats the purpose,” they argued — and urged integrity checks like dm-verity (a system that verifies files haven’t been changed). Others fretted about storing keys in that “initramfs,” a tiny memory-only OS, even with strict access control lists (ACLs) and locked-down shells. The DIY crowd flexed: wildzzz bragged about a Raspberry Pi crashcart that literally presses the power button, and hrtk dropped a Wi‑Fi hook to auto-connect and unlock. Jokes flew: “It’s a smart doorbell for your boot screen,” “a whole‑ass OS before the real OS,” and plenty of spy‑movie memes. The room split between thrill-seekers who want remote unlocks and purists who say, if anyone can tamper with your box, no trick beats a good physical lock.
Key Points
- The article proposes running Tailscale and SSH inside initramfs to enable remote unlocking of an encrypted disk on an Arch Linux system.
- Initramfs is described as a minimal OS loaded from /boot and executed in memory during early boot, capable of running systemd and additional tools.
- Three implementation parts are identified: networking in initramfs, running Tailscale in initramfs, and providing SSH access in initramfs.
- Security concerns include unencrypted Tailscale keys in initramfs, default 90-day key expiration, and preventing general SSH access to early boot.
- Mitigations include using Tailscale ACLs to restrict access, setting non-expiring keys, and limiting SSH to the unlock command (systemd-tty-ask-password-agent).
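The last mitigation, limiting an SSH login in initramfs to the unlock command, in working form. This is an added example, not code from the article or from the developer's setup it summarizes. It relies on OpenSSH's authorized_keys options `restrict`, `pty` and `command=` (all real sshd options) and on a constructed sample key; the path of the initramfs authorized_keys file is an assumption, and the Tailscale ACL side of the mitigation is not shown.

```sh
#!/bin/sh
# Added example: build and audit an initramfs authorized_keys so that a key can only
# answer the disk-unlock prompt, never open a general early-boot shell.

# "restrict" (real OpenSSH option) disables port/agent/X11 forwarding and tty
# allocation; "pty" re-enables the terminal the password agent needs to prompt.
UNLOCK_CMD='systemd-tty-ask-password-agent --query'

# Wrap a public key line so sshd runs only the unlock agent for that key.
# $1 = public key line, e.g. "ssh-ed25519 AAAA... comment"
build_unlock_authorized_key() {
    printf 'restrict,pty,command="%s" %s\n' "$UNLOCK_CMD" "$1"
}

# Return 0 when one authorized_keys line carries both "restrict" and the forced
# unlock command, 1 otherwise. Option order does not matter.
is_restricted_key() {
    case "$1" in
        *restrict*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *"command=\"$UNLOCK_CMD\""*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a whole authorized_keys file (assumed path: the copy that mkinitcpio/dracut
# packs into the image). Returns 0 only if every key is restricted; a bare key
# would hand out a full early-boot shell to whoever reaches the initramfs.
audit_unlock_keys() {
    file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        if ! is_restricted_key "$line"; then
            echo "unrestricted key in $file: $line" >&2
            status=1
        fi
    done < "$file"
    return "$status"
}

# Constructed sample file: one properly restricted key and one bare key, so the
# audit is expected to fail. $1 = path to write.
write_sample_keys() {
    bare='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal laptop'
    {
        echo '# constructed sample, not a real key'
        build_unlock_authorized_key "$bare"
        echo "$bare"
    } > "$1"
}
```

Usage: source the file (`. ./unlock_keys.sh`), generate the restricted line with `build_unlock_authorized_key "$(cat ~/.ssh/id_ed25519.pub)"` and install it as the only entry in the authorized_keys that goes into the image; run `audit_unlock_keys` against that file before rebuilding the initramfs so a stray unrestricted key cannot slip into early boot.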