diff --git a/extensions/fs-cryptroot-support.sh b/extensions/fs-cryptroot-support.sh
index d5159c0fd6..9771c45ed1 100644
--- a/extensions/fs-cryptroot-support.sh
+++ b/extensions/fs-cryptroot-support.sh
@@ -5,4 +5,49 @@ function add_host_dependencies__add_cryptroot_tooling() { display_alert "Adding cryptroot to host dependencies" "cryptsetup LUKS" "debug" EXTRA_BUILD_DEPS="${EXTRA_BUILD_DEPS} cryptsetup openssh-client" # @TODO: convert to array later + + display_alert "Adding rootfs encryption related packages" "cryptsetup cryptsetup-initramfs" "info" + add_packages_to_rootfs cryptsetup cryptsetup-initramfs + + if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then + display_alert "Adding rootfs encryption related packages" "dropbear-initramfs" "info" + add_packages_to_rootfs dropbear-initramfs + fi +} + +function pre_install_kernel_debs__adjust_dropbear_configuration() { + # Adjust initramfs dropbear configuration + # Needs to be done before kernel installation, else it won't be in the initrd image + if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then + # Set the port of the dropbear ssh daemon in the initramfs to a different one if configured + # this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` + [[ -f "${SDCARD}"/etc/dropbear-initramfs/config ]] && + sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '"${CRYPTROOT_SSH_UNLOCK_PORT}"'"/' \ + "${SDCARD}"/etc/dropbear-initramfs/config + + # setup dropbear authorized_keys, either provided by userpatches or generated + if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then + cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${SDCARD}"/etc/dropbear-initramfs/authorized_keys + else + # generate a default ssh key for login on dropbear in initramfs + # this key should be changed by the user on first login + display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" "" + + # Make sure that the relevant directory exists + [[ -d "${SDCARD}"/etc/dropbear-initramfs ]] || mkdir "${SDCARD}"/etc/dropbear-initramfs + + # Generate the SSH keys + ssh-keygen -t ecdsa -f "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa \ + -N '' -O force-command=cryptroot-unlock -C 
'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1 + + # /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file + # during mkinitramfs of update-initramfs + #cat "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys + CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key + # copy dropbear ssh key to image output dir for convenience + cp "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}" + display_alert "SSH private key for dropbear (initramfs) has been copied to:" \ + "$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info" + fi + fi } diff --git a/lib/functions/rootfs/distro-agnostic.sh b/lib/functions/rootfs/distro-agnostic.sh index 57eafcc42b..01ee85879d 100644 --- a/lib/functions/rootfs/distro-agnostic.sh +++ b/lib/functions/rootfs/distro-agnostic.sh @@ -10,18 +10,6 @@ function install_distribution_agnostic() { display_alert "Installing distro-agnostic part of rootfs" "install_distribution_agnostic" "debug" - # install rootfs encryption related packages separate to not break packages cache - # @TODO: terrible, this does not use apt-cacher, extract to extension and fix - if [[ $CRYPTROOT_ENABLE == yes ]]; then - display_alert "Installing rootfs encryption related packages" "cryptsetup" "info" - chroot_sdcard_apt_get_install cryptsetup - if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then - display_alert "Installing rootfs encryption related packages" "dropbear-initramfs" "info" - chroot_sdcard_apt_get_install dropbear-initramfs cryptsetup-initramfs - fi - - fi - # Bail if $ROOTFS_TYPE not set [[ -z $ROOTFS_TYPE ]] && exit_with_error "ROOTFS_TYPE not set" "install_distribution_agnostic" 
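Review bot: The port rewrite in pre_install_kernel_debs__adjust_dropbear_configuration fails silently: the `sed` only touches a line that still reads `#DROPBEAR_OPTIONS=`, and the `[[ -f … ]] &&` guard skips everything when the file is absent, so if the config is missing, already uncommented, or laid out differently by a newer dropbear-initramfs, the configured port is dropped without any message and the unlock daemon listens on its default port. A one-line check after the sed would surface this, e.g. `grep -q "^DROPBEAR_OPTIONS=.*-p ${CRYPTROOT_SSH_UNLOCK_PORT}" "${SDCARD}"/etc/dropbear-initramfs/config || exit_with_error "dropbear-initramfs port not applied" "${CRYPTROOT_SSH_UNLOCK_PORT}"`, and the rewrite should be skipped when CRYPTROOT_SSH_UNLOCK_PORT is empty, since nothing on this page shows it defaulted and an empty value yields `-p ` with no port. Two smaller points on the generated-key branch: `ssh-keygen -f` prompts for overwrite if `id_ecdsa` already exists under `${SDCARD}` (a rebuild on a reused rootfs would then fail or block on stdin), and its exit status is not checked explicitly before the private key is copied, so `|| exit_with_error "ssh-keygen failed" "dropbear-initramfs"` belongs there too. The private key also remains inside the rootfs at /etc/dropbear-initramfs/id_ecdsa after the copy to `${DEST}/images`; whether that is intended deserves a comment on the `cp` line. The enclosing add_host_dependencies__add_cryptroot_tooling starts before the hunk.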
@@ -30,42 +18,6 @@ function install_distribution_agnostic() { # required for initramfs-tools-core on Stretch since it ignores the / fstab entry echo "/dev/mmcblk0p2 /usr $ROOTFS_TYPE defaults 0 2" >> "${SDCARD}"/etc/fstab - # @TODO: refacctor this into cryptroot extension - # adjust initramfs dropbear configuration - # needs to be done before kernel installation, else it won't be in the initrd image - if [[ $CRYPTROOT_ENABLE == yes && $CRYPTROOT_SSH_UNLOCK == yes ]]; then - # Set the port of the dropbear ssh daemon in the initramfs to a different one if configured - # this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` - [[ -f "${SDCARD}"/etc/dropbear-initramfs/config ]] && - sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '"${CRYPTROOT_SSH_UNLOCK_PORT}"'"/' \ - "${SDCARD}"/etc/dropbear-initramfs/config - - # setup dropbear authorized_keys, either provided by userpatches or generated - if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then - cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${SDCARD}"/etc/dropbear-initramfs/authorized_keys - else - # generate a default ssh key for login on dropbear in initramfs - # this key should be changed by the user on first login - display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" "" - - # Make sure that the relevant directory exists - [[ -d "${SDCARD}"/etc/dropbear-initramfs ]] || mkdir "${SDCARD}"/etc/dropbear-initramfs - - # Generate the SSH keys - ssh-keygen -t ecdsa -f "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa \ - -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1 - - # /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file - # during mkinitramfs of update-initramfs - #cat "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys - 
CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key - # copy dropbear ssh key to image output dir for convenience - cp "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}" - display_alert "SSH private key for dropbear (initramfs) has been copied to:" \ - "$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info" - fi - fi - # create modules file local modules=MODULES_${BRANCH^^} if [[ -n "${!modules}" ]]; then