diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot index d63f6b4..bcfddc9 100644 --- a/config/hooks/live/0022_dropbear_setup.chroot +++ b/config/hooks/live/0022_dropbear_setup.chroot @@ -95,7 +95,7 @@ write_dropbear_conf() { [[ -z "${sshport:-}" ]] && sshport="2222" ### CISS internal - [[ "${sshport}" == "42137" ]] && sshport="64137" + [[ "${sshport}" == "42137" ]] && sshport="44137" cat << EOF >| /etc/dropbear/initramfs/dropbear.conf # SPDX-Version: 3.0 diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash index e2c2b88..280181b 100644 --- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash +++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash 
@@ -115,6 +115,68 @@ console_printf() { return 0 } +####################################### +# Clear the current console line without making cleanup fatal. +# Globals: +# None +# Arguments: +# None +# Returns: +# 0: always, console cleanup failure is not fatal +####################################### +console_clear_line() { + console_printf '\r\033[K' + + return 0 +} + +####################################### +# Wait for an explicit local-console unlock activation. +# Globals: +# None +# Arguments: +# None +# Returns: +# 0: local console activation was requested +# 1: console unavailable or activation read failed +####################################### +wait_for_local_unlock_activation() { + LOCAL_UNLOCK_SAVED_STTY="" + LOCAL_UNLOCK_READ_STATUS=0 + + ensure_minimal_dev_nodes + + [ -c /dev/console ] || return 1 + exec 9<>/dev/console || return 1 + + LOCAL_UNLOCK_SAVED_STTY=$(stty -g <&9 2>&- || printf '') + trap 'if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :; fi; printf "\r\033[K" >&9 2>&- || :; exec 9>&-; exit 143' TERM INT HUP + + if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then + + stty -echo <&9 2>&- || : + + fi + + printf '\e[93m[INFO] Press Enter for local unlock: \e[0m' >&9 || : + IFS= read -r _ <&9 + LOCAL_UNLOCK_READ_STATUS="$?" + + if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then + + stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || : + + fi + + printf '\r\033[K' >&9 || : + exec 9>&- + trap - TERM INT HUP + + [ "${LOCAL_UNLOCK_READ_STATUS}" -eq 0 ] || return 1 + + return 0 +} + ensure_minimal_dev_nodes printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" @@ -428,6 +490,9 @@ PID_BROKER="$!" if [ "${PASS_SENT}" -eq 0 ]; then + # shellcheck disable=SC2310 + wait_for_local_unlock_activation || continue + console_printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' # shellcheck disable=SC2310 
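Review bot: The header comment of `wait_for_local_unlock_activation` says `Globals: None`, but the body assigns `LOCAL_UNLOCK_SAVED_STTY` and `LOCAL_UNLOCK_READ_STATUS` as plain shell variables, so both stay set after the call. The comment should list them, for example `#   LOCAL_UNLOCK_SAVED_STTY, LOCAL_UNLOCK_READ_STATUS: written`. Separately, the closing `trap - TERM INT HUP` resets those signals to their defaults instead of restoring the handler that was active before the call. If the script installs its own TERM/INT/HUP handler elsewhere (not visible in this hunk), that handler is dropped after the first prompt. A short why-comment on the trap line, saying it restores terminal echo and closes fd 9 when the prompt process is killed, would also help, since a console left in `-echo` state is the failure this guards against.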
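Review bot: `wait_for_local_unlock_activation || continue` retries immediately on failure, and the function can fail without ever blocking. It returns 1 straight away when `/dev/console` is not a character device, when `exec 9<>/dev/console` fails, or when `read` hits EOF. On a headless machine that is waiting for remote unlock, the prompt loop could therefore spin at full speed and re-print the prompt each time. The enclosing loop starts outside this hunk, so a delay may already exist there; if not, a small back-off such as `wait_for_local_unlock_activation || { sleep 1; continue; }` would bound it. A one-line comment stating that the passphrase prompt is shown only after an explicit Enter on the local console would document the intent of the gate.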
@@ -492,6 +557,7 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then kill "${PID_BROKER}" 2>&- || true wait "${PID_PROMPT}" 2>&- || true wait "${PID_BROKER}" 2>&- || true + console_clear_line rm -f /lib/cryptsetup/passfifo 2>&- || true @@ -506,6 +572,7 @@ kill "${PID_PROMPT}" 2>&- || true kill "${PID_BROKER}" 2>&- || true wait "${PID_PROMPT}" 2>&- || true wait "${PID_BROKER}" 2>&- || true +console_clear_line rm -f /lib/cryptsetup/passfifo 2>&- || true