This is meant to be a clean step-by-step guide for setting up a Hetzner root server from the server auctions at Hetzner's "Serverbörse" with a fully encrypted disk and LVM on top. On the hardware below the two HDDs sit behind a hardware RAID controller and show up as a single block device, which is why setup.conf lists only DRIVE1 and no software RAID.
The goal is a server whose encrypted volumes are unlocked at boot over the network by Tang/Clevis, so nobody has to type a passphrase after a reboot. Keep in mind what that does and does not protect: a disk pulled from the server (or the server reinstalled elsewhere) stays encrypted, but anything that can boot the disks on a network with access to the Tang server can unlock them, so the Tang server and that network need to be locked down accordingly. The guide should work at any other provider with a rescue system as well. It was only possible because of the well-developed guide at https://community.hetzner.com/tutorials/install-encrypted-ubuntu-2004-with-automated-unlock-via-tang-and-clevis.
"Dedicated Root Server SBxx"
- 2x HDD SATA 2+ TB Enterprise
- HW RAID
- 1x SSD
- 4x RAM 8192 MB DDR3
- Boot into the rescue system via Hetzner's server management page (Robot) and log in as root over SSH
- Set the variables used by the snippets below (fill in your own values). Choose a passphrase without quotes, backslashes, dollar signs or backticks, because the value is pasted verbatim into two shell snippets further down. Check the target device with lsblk -o NAME,SIZE,TYPE,MODEL first: the hardware RAID volume is often sdb when an SSD occupies sda.
TANG_SERVER=http://yourserver:yourport
ENC_SECRET=
MYHOSTNAME=
DEVICE2INSTALL=/dev/sdb
- Add setup.conf:
cat << EOF > /tmp/setup.conf
CRYPTPASSWORD ${ENC_SECRET}
HOSTNAME ${MYHOSTNAME}
# With the hardware RAID controller both HDDs appear as one block device; if the server
# also has an SSD, the RAID volume is often sdb rather than sda. Check with lsblk first.
DRIVE1 ${DEVICE2INSTALL}
BOOTLOADER grub
PART /boot ext4 1G
# everything after /boot becomes one LUKS-encrypted partition holding LVM volume group vg0
PART lvm vg0 all crypt
# alternative without LVM: a single encrypted root filesystem
#PART / ext4 all crypt
IMAGE /root/images/Ubuntu-2004-focal-64-minimal.tar.gz
SSHKEYS_URL /tmp/authorized_keys
LV vg0 root / ext4 20G
LV vg0 swap swap swap 10G
LV vg0 var-log /var/log ext4 10G
LV vg0 backup /backup xfs 400G
LV vg0 var /var xfs 400G
EOF
- Add the public SSH key(s) you want to log in with on the new system, one per line; installimage reads this file through SSHKEYS_URL. Paste the key, then save with :wq
vi /tmp/authorized_keys
- Add the post-install script. installimage copies it into the freshly installed system and runs it there. The outer heredoc (MUH) is unquoted so that TANG_SERVER, ENC_SECRET and DEVICE2INSTALL are substituted now; the inner heredoc that writes the initramfs hook is quoted ('EOF') so that $PREREQ, $1 and $DESTDIR stay literal and are only evaluated when update-initramfs runs the hook. The \$ escapes below are needed because of the unquoted outer heredoc.
cat << MUH > /tmp/post-install.sh
#!/bin/bash
# abort on the first error, so a failed clevis bind does not go unnoticed
set -e
# Hetzner hands out the default route via DHCP option 121 (classless static routes).
# initramfs-tools ships dhclient without the exit hook that applies those routes, so
# without this hook the initramfs has no route to the Tang server.
add_rfc3442_hook() {
cat << 'EOF' > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh
PREREQ=""
prereqs()
{
    echo "\$PREREQ"
}
case "\$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac
if [ ! -x /sbin/dhclient ]; then
    exit 0
fi
. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions
mkdir -p "\$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/"
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes "\$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/"
EOF
chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}
# Install the hook
add_rfc3442_hook
# Update the package lists
apt-get update >/dev/null
# Install clevis with its LUKS and initramfs integration, plus cryptsetup/lvm2 initramfs support
DEBIAN_FRONTEND=noninteractive apt-get -y install clevis clevis-luks clevis-initramfs cryptsetup-initramfs lvm2
# Fetch the Tang advertisement and bind the LUKS partition to the Tang server.
# Partition 1 is /boot, partition 2 the LUKS container; NVMe devices need a "p" before the number.
# Caveat: accepting whatever /adv returns at this moment is trust-on-first-use. Compare the
# advertised keys with "tang-show-keys" on the Tang server, or replace the "adv" entry with
# "thp": "<expected thumbprint>" so that clevis verifies the advertisement itself.
curl -sfg ${TANG_SERVER}/adv -o /tmp/adv.jws
echo "${ENC_SECRET}" | clevis luks bind -d ${DEVICE2INSTALL}2 tang '{"url": "${TANG_SERVER}", "adv": "/tmp/adv.jws"}'
# Rebuild the initramfs so it contains clevis, the network setup and the hook
update-initramfs -u
MUH
- make the script executable:
chmod +x /tmp/post-install.sh
- install the system (-a runs unattended, -c selects the config, -x runs the post-install script inside the installed system):
installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh
- if installimage reported no errors (its log is /root/debug.txt in the rescue system), reboot. The server should come up with the LUKS volume unlocked via Tang; if the Tang server cannot be reached, the initramfs falls back to the normal passphrase prompt on the console, where ENC_SECRET still works.
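The whole procedure above, as an added example that is not part of the original guide: a bash script that validates the four input values, generates setup.conf and post-install.sh with the correct heredoc escaping, and checks the generated post-install script (shell syntax, substituted values, and that the initramfs hook body kept its literal $DESTDIR) before you hand it to installimage. The 16-character minimum, the banned passphrase characters, the HOOKEOF delimiter name and the output directory are this example's choices; the installimage call itself is left as a comment, so the script writes nothing to a disk on its own.

```shell
#!/bin/bash
# Added example, not part of the original guide: build and sanity-check the two
# installimage input files from the guide before anything is written to a disk.
set -eu

# Reject inputs that would yield a broken post-install script. The 16-character
# minimum and the banned characters are this example's choice: the secret is
# pasted into a double-quoted echo, where quotes, backslash, $ and ` are re-parsed.
check_vars() {
  local tang="$1" secret="$2" host="$3" dev="$4"
  case "$tang" in
    http://*[!/]|https://*[!/]) ;;
    *) echo "TANG_SERVER must be http(s)://host[:port] without a trailing slash" >&2; return 1 ;;
  esac
  [ "${#secret}" -ge 16 ] || { echo "ENC_SECRET must be at least 16 characters" >&2; return 1; }
  case "$secret" in
    *\"*|*\'*|*\\*|*\$*|*\`*) echo "ENC_SECRET must not contain quotes, backslash, \$ or backtick" >&2; return 1 ;;
  esac
  [ -n "$host" ] || { echo "MYHOSTNAME is empty" >&2; return 1; }
  case "$dev" in /dev/*) ;; *) echo "DEVICE2INSTALL must be a /dev/... path" >&2; return 1 ;; esac
}

# setup.conf as in the guide: 1G /boot, the rest one LUKS partition with LVM vg0 on top.
write_setup_conf() {
  local out="$1" secret="$2" host="$3" dev="$4"
  cat > "$out" << EOF
CRYPTPASSWORD ${secret}
HOSTNAME ${host}
DRIVE1 ${dev}
BOOTLOADER grub
PART /boot ext4 1G
PART lvm vg0 all crypt
IMAGE /root/images/Ubuntu-2004-focal-64-minimal.tar.gz
SSHKEYS_URL /tmp/authorized_keys
LV vg0 root / ext4 20G
LV vg0 swap swap swap 10G
LV vg0 var-log /var/log ext4 10G
LV vg0 backup /backup xfs 400G
LV vg0 var /var xfs 400G
EOF
  chmod 600 "$out"   # contains the LUKS passphrase in clear text
}

# post-install.sh as in the guide. The outer heredoc is unquoted so the values are
# substituted now; the hook goes through a quoted heredoc (HOOKEOF) so $PREREQ, $1
# and $DESTDIR stay literal until update-initramfs runs the hook in the new system.
write_post_install() {
  local out="$1" tang="$2" secret="$3" dev="$4"
  cat > "$out" << POSTEOF
#!/bin/bash
set -e
# Hetzner supplies the default route via DHCP option 121 (classless static routes);
# initramfs-tools ships dhclient without the exit hook that applies those routes.
add_rfc3442_hook() {
cat << 'HOOKEOF' > /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
#!/bin/sh
PREREQ=""
prereqs() { echo "\$PREREQ"; }
case "\$1" in prereqs) prereqs; exit 0 ;; esac
[ -x /sbin/dhclient ] || exit 0
. /usr/share/initramfs-tools/scripts/functions
. /usr/share/initramfs-tools/hook-functions
mkdir -p "\$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/"
cp -a /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes "\$DESTDIR/etc/dhcp/dhclient-exit-hooks.d/"
HOOKEOF
chmod +x /etc/initramfs-tools/hooks/add-rfc3442-dhclient-hook
}
add_rfc3442_hook
apt-get update >/dev/null
DEBIAN_FRONTEND=noninteractive apt-get -y install clevis clevis-luks clevis-initramfs cryptsetup-initramfs lvm2
# Partition 1 is /boot, partition 2 the LUKS container (NVMe names need a "p" before the number).
curl -sfg ${tang}/adv -o /tmp/adv.jws
echo "${secret}" | clevis luks bind -d ${dev}2 tang '{"url": "${tang}", "adv": "/tmp/adv.jws"}'
update-initramfs -u
POSTEOF
  chmod 700 "$out"
}

# Print the initramfs hook exactly as post-install.sh will write it.
render_hook() {
  awk '/^cat << .HOOKEOF/ { f = 1; next } /^HOOKEOF$/ { f = 0 } f' "$1"
}

# Check the generated script before installimage gets it: shell syntax, substituted
# values, and a hook body that kept its literal $DESTDIR (an expanded one would make
# the hook copy into the real root and leave the initramfs without routes).
verify_post_install() {
  local f="$1" tang="$2" dev="$3"
  bash -n "$f"
  grep -qF "curl -sfg ${tang}/adv" "$f" || { echo "Tang URL not substituted" >&2; return 1; }
  grep -qF "clevis luks bind -d ${dev}2 tang" "$f" || { echo "device not substituted" >&2; return 1; }
  render_hook "$f" | sh -n
  render_hook "$f" | grep -qF 'mkdir -p "$DESTDIR/etc/dhcp/' \
    || { echo "DESTDIR was expanded too early" >&2; return 1; }
}

# Generate both files into OUTDIR and verify them; afterwards run installimage yourself:
#   installimage -a -c OUTDIR/setup.conf -x OUTDIR/post-install.sh
generate_all() {
  local outdir="$1" tang="$2" secret="$3" host="$4" dev="$5"
  check_vars "$tang" "$secret" "$host" "$dev"
  mkdir -p "$outdir"
  write_setup_conf "$outdir/setup.conf" "$secret" "$host" "$dev"
  write_post_install "$outdir/post-install.sh" "$tang" "$secret" "$dev"
  verify_post_install "$outdir/post-install.sh" "$tang" "$dev"
}
```

Run it in the rescue system as generate_all /tmp http://yourserver:yourport 'your passphrase' yourhostname /dev/sdb, then point installimage at the two files it produced. The verification step is what the guide's manual heredoc lacks: a single missing backslash turns "$DESTDIR" into an empty string, the hook then copies the exit hook into the running system instead of the initramfs, and the failure only shows up at the next reboot as an unlock that never happens.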
Special thanks to the people who already wrote these guides:
- http://notes.sudo.is/RemoteDiskEncryption
- https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
- https://community.hetzner.com/tutorials/install-encrypted-ubuntu-2004-with-automated-unlock-via-tang-and-clevis
- PRs are very welcome; open an issue if something does not work for you as described
- Tested this guide on 25.10.2017 on my own Hetzner system; it's working pretty well :-)