Remote Unlock with Genkernel
May 21, 2026
The first step is to define an overlay: a directory tree that genkernel copies into the root of the initramfs.
/etc/genkernel.conf
...
INITRAMFS_OVERLAY="/usr/src/initramfs"
Next, create the overlay directory along with root's home directory (it becomes /root inside the initramfs).
mkdir -p /usr/src/initramfs/root
Now let's create the skeleton of an unlock.sh script.
/usr/src/initramfs/root/unlock.sh
#!/bin/sh
# skeleton only: load the loop driver, announce what is about to happen, exit
modprobe loop
echo " * opening keyfile, need password"
# the actual unlock steps go here
exit 0
Make it executable.
chmod 700 /usr/src/initramfs/root/unlock.sh
Now edit your GRUB defaults. The dosshd parameter tells the initramfs to start dropbear; the initramfs also has to bring up a network interface before that sshd is reachable, so add whatever network parameters your setup requires as well.
/etc/default/grub
GRUB_CMDLINE_LINUX="dosshd"
# may also need dozfs domdadm root=ZFS
Now when you run genkernel, use the following parameters. --ssh adds dropbear to the initramfs, and --ssh-authorized-keys-file supplies the public keys allowed to log in to it.
genkernel --install --ssh --ssh-authorized-keys-file=/root/.ssh/authorized_keys --luks --bootloader=grub2 --mountboot --no-splash initramfs
# may also need --mdadm --zfs
...
* >> Appending dropbear cpio data ...
=================================================================
This initramfs' sshd will use the following host key(s):
2048 MD5:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (RSA)
2048 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (RSA)
256 MD5:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (ECDSA)
256 SHA256: (ECDSA)
256 MD5: (ED25519)
256 SHA256: (ED25519)
=================================================================
* >> Appending luks cpio data ...
...
* >> Appending overlay cpio data ...
Finally, regenerate the GRUB configuration.
grub-mkconfig -o /boot/grub/grub.cfg
When you log in, I recommend using ssh.forget while testing; it saves you a little time deleting stale host keys over and over. I don't like the boot environment and production sharing the same known_hosts entries: the initramfs dropbear and the booted system's sshd answer at the same address with different host keys, so the client sees a changed key at every boot. One way to address this is to set an "unlock" CNAME in your DNS records and only ever connect to the initramfs under that name, so the two keys live under separate known_hosts entries. Keep in mind that the dropbear host key and the authorized_keys file you passed in both sit inside the initramfs on the unencrypted /boot; anyone who can write /boot can replace the sshd you type the passphrase into, so compare the fingerprint printed at build time with what the host presents before trusting it.
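The CNAME idea above carried through on the client side, as an added example that is not code from the original post: it checks the live host key against the SHA256 fingerprint genkernel printed at build time, stores the key in a dedicated known_hosts file under a HostKeyAlias so it never collides with the production sshd key, drops it again after a rebuild, and connects with strict checking. The name unlock.example.org, the alias "unlock", the saved build log path and the sample fingerprints are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: client-side handling of the
# initramfs sshd's host key, pinned to the fingerprint genkernel printed at
# build time and kept apart from the production sshd key of the same machine.
#
# Assumed names (not from the page): the unlock CNAME unlock.example.org, the
# alias "unlock", and a build log saved with
#   genkernel ... initramfs 2>&1 | tee /root/genkernel-build.log
UNLOCK_HOST="${UNLOCK_HOST:-unlock.example.org}"
UNLOCK_PORT="${UNLOCK_PORT:-22}"
UNLOCK_ALIAS="${UNLOCK_ALIAS:-unlock}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts.initramfs}"
GENKERNEL_LOG="${GENKERNEL_LOG:-}"   # empty: parse the constructed sample below

# Constructed sample of the host-key block genkernel prints; the fingerprints
# are placeholders, not keys from any real build.
SAMPLE_BUILD_OUTPUT='* >> Appending dropbear cpio data ...
=================================================================
This initramfs'"'"' sshd will use the following host key(s):
2048 MD5:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
2048 SHA256:0123456789abcdefghijklmnopqrstuvwxyzABCDEFG (RSA)
256 MD5:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa (ED25519)
256 SHA256:ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvut (ED25519)
================================================================='

# expected_fingerprint TYPE
# Print the SHA256 fingerprint genkernel reported for TYPE (RSA, ECDSA, ED25519),
# read from $GENKERNEL_LOG, or from the sample when no log is configured.
# A line such as "256 SHA256: (ECDSA)" with nothing after the colon yields nothing.
expected_fingerprint() {
    if [ -n "$GENKERNEL_LOG" ]; then
        awk -v t="($1)" '$2 ~ /^SHA256:./ && $3 == t { print $2; exit }' "$GENKERNEL_LOG"
    else
        printf '%s\n' "$SAMPLE_BUILD_OUTPUT" \
            | awk -v t="($1)" '$2 ~ /^SHA256:./ && $3 == t { print $2; exit }'
    fi
}

# live_fingerprint TYPE
# Fetch the unlock endpoint's TYPE host key and print its SHA256 fingerprint.
live_fingerprint() {
    kt=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ssh-keyscan -p "$UNLOCK_PORT" -t "$kt" "$UNLOCK_HOST" 2>/dev/null \
        | ssh-keygen -lf - | awk '{ print $2 }'
}

# fingerprints_match EXPECTED ACTUAL -> true only if both are set and identical
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# pin_unlock_host_key TYPE
# Compare the live key with the build-time fingerprint; on a match, store the
# key in $KNOWN_HOSTS keyed by $UNLOCK_ALIAS (ssh-keyscan keys it by host, or
# by "[host]:port" for a non-default port, so the first field is rewritten).
pin_unlock_host_key() {
    want=$(expected_fingerprint "$1")
    got=$(live_fingerprint "$1")
    if ! fingerprints_match "$want" "$got"; then
        echo "host key mismatch for $UNLOCK_HOST ($1): build log '$want', host '$got'" >&2
        return 1
    fi
    kt=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ssh-keyscan -p "$UNLOCK_PORT" -t "$kt" "$UNLOCK_HOST" 2>/dev/null \
        | awk -v a="$UNLOCK_ALIAS" '{ $1 = a; print }' >> "$KNOWN_HOSTS"
}

# forget_unlock_host_key: drop the pinned key after the initramfs is rebuilt.
forget_unlock_host_key() {
    ssh-keygen -R "$UNLOCK_ALIAS" -f "$KNOWN_HOSTS"
}

# unlock_ssh [COMMAND...]
# Connect with the dedicated known_hosts file and alias, refusing unknown or
# changed keys, and run /root/unlock.sh (where the overlay puts it) by default.
unlock_ssh() {
    if [ $# -eq 0 ]; then set -- /root/unlock.sh; fi
    exec ssh -t -p "$UNLOCK_PORT" \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o HostKeyAlias="$UNLOCK_ALIAS" \
        -o StrictHostKeyChecking=yes \
        -o CheckHostIP=no \
        "root@$UNLOCK_HOST" "$@"
}

# usage: unlock-client.sh pin [TYPE] | forget | connect [COMMAND...]
case "${1:-}" in
    pin)     shift; pin_unlock_host_key "${1:-ED25519}" ;;
    forget)  forget_unlock_host_key ;;
    connect) shift; unlock_ssh "$@" ;;
esac
```

The alias is what makes the separation hold: with HostKeyAlias set, ssh looks the key up under that name regardless of the address the CNAME resolves to, and CheckHostIP=no keeps an older client (where that option still defaulted to yes) from also recording the key under the IP entry that the production sshd shares.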