This is a step-by-step guide to setting up a Hetzner root server from the server auctions (Hetzner's "Serverbörse") with a fully encrypted software RAID 1 and LVM on top.
The goal of this guide is to have a server system that has encrypted drives and is remotely unlockable.
This guide could work at any other provider with a rescue system.
"Dedicated Root Server SB36"
- Intel Xeon E3-1246V3
- 2x HDD SATA 2,0 TB Enterprise (or any nvme drives with swraid)
- 4x RAM 8192 MB DDR3
- Boot to the rescue system via Hetzner's server management page
- install a minimal Ubuntu 18.04 LTS or 20.04 LTS with Hetzner's "installimage" script (https://wiki.hetzner.de/index.php/Installimage)
- I chose the following logical volumes on my system to keep it simple:
PART /boot ext3 512M
PART lvm vg0 all
LV vg0 home /home ext4 60G
LV vg0 log /log ext4 30G
LV vg0 swap swap swap 10G
LV vg0 root / ext4 1000G
- after you adjusted all parameters in the install config file, press F10 to install the ubuntu minimal system
- reboot and ssh into your freshly installed ubuntu
- connect with the ssh key you chose before for the rescue image (watch out for the .ssh/known_hosts file)
- install required packages
apt update && apt install busybox dropbear lvm2 vim cryptsetup-initramfs dropbear-initramfs
- LOCALLY, create a new ssh key for unlocking your encrypted volumes when the server is rebooting
ssh-keygen -t rsa -b 4096 -f .ssh/dropbear
- Create the needed folders for dropbear keys
mkdir -p /etc/initramfs-tools/root/.ssh/
vi /etc/dropbear-initramfs/authorized_keys
- Paste your local pub key .ssh/dropbear.pub in there
- reboot again to the rescue system via the hetzner webinterface
These steps should be done after the initial md replication
(get the progress with cat /proc/mdstat)
You can speed up the replication on SSD servers by typing:
echo 5000000 > /proc/sys/dev/raid/speed_limit_max
If you can not find anything in /dev/mapper/* you will have to activate the volumes first.
lvm vgscan -v
Activate all volume groups:
lvm vgchange -a y
We now rsync our installation into the new encrypted drives
mkdir /oldroot/
mount /dev/mapper/vg0-root /mnt/
mount /dev/mapper/vg0-home /mnt/home
mount /dev/mapper/vg0-log /mnt/var/log
rsync -a /mnt/ /oldroot/
(this could take a while)
umount /mnt/home/
umount /mnt/var/log/
umount /mnt/
Backup your old vg0 configuration to keep things simple and remove the old volume group:
vgcfgbackup vg0 -f vg0.freespace
vgremove vg0
After this, we encrypt our raid 1.
cryptsetup --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 6000 luksFormat /dev/md1
(!!!Choose a strong passphrase (something like pwgen 64 1)!!!)
cryptsetup luksOpen /dev/md1 cryptroot
- now create the physical volume on your mapper:
pvcreate /dev/mapper/cryptroot
We now have to edit the vg0 backup:
blkid /dev/mapper/cryptroot
Results in:
/dev/mapper/cryptroot: UUID="HEZqC9-zqfG-HTFC-PK1b-Qd2I-YxVa-QJt7xQ"
cp vg0.freespace /etc/lvm/backup/vg0
Now edit the id (UUID from above) and device (/dev/mapper/cryptroot) properties nested at vg0 > physical_volumes > pv0 in the file according to our installation
vi /etc/lvm/backup/vg0
- Restore the vgconfig:
vgcfgrestore vg0
- Resize PV to the new size:
pvresize /dev/mapper/cryptroot
vgchange -a y vg0
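The pv0 edit from the steps above can also be scripted instead of done by hand in vi. This is an added example, not part of the original guide: the function names rewrite_pv0 and sample_backup and the shortened backup file are constructed for illustration, and the UUID is the sample value shown above.

```sh
#!/bin/sh
# Added example (not from the original guide): script the pv0 edit in the vg0 backup.
# rewrite_pv0 FILE PV_UUID DEVICE prints the edited file to stdout; redirect it to a
# new file, review it, then copy it to /etc/lvm/backup/vg0.
rewrite_pv0() {
    # LVM UUIDs are grouped 6-4-4-4-4-4-6; this rejects a pasted filesystem UUID
    printf '%s\n' "$2" | grep -Eq '^[^-"]{6}(-[^-"]{4}){5}-[^-"]{6}$' || {
        echo "not an LVM-style UUID: $2" >&2; return 2; }
    awk -v uuid="$2" -v dev="$3" '
        /^[ \t]*pv0[ \t]*[{]/ { in_pv = 1 }
        # only id/device inside the pv0 block are touched; the VG id stays as is
        in_pv && /^[ \t]*id[ \t]*=/     { ids  += sub(/"[^"]*"/, "\"" uuid "\"") }
        in_pv && /^[ \t]*device[ \t]*=/ { devs += sub(/"[^"]*"/, "\"" dev "\"") }
        in_pv && /^[ \t]*[}]/           { in_pv = 0 }
        { print }
        END { exit !(ids == 1 && devs == 1) }   # fail if pv0 was not found
    ' "$1"
}

# Constructed, shortened sample of an LVM backup file (a real one has more fields)
sample_backup() {
cat <<'EOF'
vg0 {
	id = "AAAAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAAAA"
	seqno = 5
	physical_volumes {
		pv0 {
			id = "BBBBBB-BBBB-BBBB-BBBB-BBBB-BBBB-BBBBBB"
			device = "/dev/md1"	# Hint only
			status = ["ALLOCATABLE"]
		}
	}
}
EOF
}

# Demo: print the rewritten sample
tmp=$(mktemp); sample_backup > "$tmp"
rewrite_pv0 "$tmp" "HEZqC9-zqfG-HTFC-PK1b-Qd2I-YxVa-QJt7xQ" /dev/mapper/cryptroot
rm -f "$tmp"
```

The function exits non-zero when the file has no pv0 block or when the UUID is not in LVM's grouping, so a failed edit is noticed before vgcfgrestore is run.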
Ok, the filesystem is missing, let's create it:
mkfs.ext4 /dev/vg0/root
mkfs.ext4 /dev/vg0/log
mkfs.ext4 /dev/vg0/home
mkswap /dev/vg0/swap
Now we mount and copy our installation back on the new lvs:
mount /dev/vg0/root /mnt/
mkdir /mnt/home /mnt/var /mnt/var/log
mount /dev/vg0/log /mnt/var/log/
mount /dev/vg0/home /mnt/home
rsync -a /oldroot/ /mnt/
Let's mount some special filesystems for chroot usage:
mount /dev/md0 /mnt/boot
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
chroot /mnt
To let the system know there is a new crypto device, we need to edit the crypttab (/etc/crypttab):
vi /etc/crypttab
- copy the following line in there:
cryptroot /dev/md1 none luks
Regenerate the initramfs:
update-initramfs -u
update-grub
grub-install /dev/sda (or grub-install /dev/nvme0n1 if you use nvme)
grub-install /dev/sdb (or grub-install /dev/nvme1n1 if you use nvme)
Time for our first reboot.. fingers crossed!
exit
umount /mnt/boot /mnt/home /mnt/var/log /mnt/proc /mnt/sys /mnt/dev
umount /mnt
sync
reboot
After a few seconds the dropbear ssh server is coming up on your system, connect to it and unlock your system like this:
ssh -i .ssh/dropbear root@<yourserverip>
- a busybox shell should come up
- unlock your lvm drive with:
echo -ne "<yourstrongpassphrase>" > /lib/cryptsetup/passfifo
You can further secure dropbear by changing its port and disabling unnecessary features:
vi /etc/dropbear-initramfs/config
- add the line
DROPBEAR_OPTIONS="-p 2222 -s -j -k -I 30"
update-initramfs -u
This makes dropbear listen on port 2222 instead of 22, -s disables password logins, -j -k disables port forwarding, -I 30 sets the idle timeout to 30 seconds.
Additionally you can alter the authorized_keys file to show the cryptsetup password prompt directly instead of the busybox prompt (and disable further unnecessary SSH features):
vi /etc/dropbear-initramfs/authorized_keys
- alter your public key like this:
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa ...
update-initramfs -u
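A quick way to confirm both hardening steps above before rebooting, as an added example that is not part of the original guide. The function names audit_dropbear and audit_demo and the sample key lines are constructed; the paths and options checked are the ones given above.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the dropbear-initramfs hardening.
# audit_dropbear CONFIG AUTHORIZED_KEYS prints findings and returns their count, e.g.
# audit_dropbear /etc/dropbear-initramfs/config /etc/dropbear-initramfs/authorized_keys
audit_dropbear() {
    conf=$1; keys=$2; findings=0
    # last DROPBEAR_OPTIONS assignment, quotes stripped
    opts=$(sed -n 's/^DROPBEAR_OPTIONS=//p' "$conf" | tr -d "\"'" | tail -n 1)
    for flag in -s -j -k; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "config: DROPBEAR_OPTIONS lacks $flag"; findings=$((findings + 1)) ;;
        esac
    done
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # restrictions only count in the options field, i.e. before the key type
        case $line in
            ssh-*|ecdsa-*|sk-*) restrict= ;;
            *) restrict=${line%% ssh-*}; restrict=${restrict%% ecdsa-*}; restrict=${restrict%% sk-*} ;;
        esac
        for opt in 'command="/bin/cryptroot-unlock"' no-port-forwarding \
                   no-agent-forwarding no-X11-forwarding; do
            case $restrict in
                *"$opt"*) ;;
                *) echo "authorized_keys:$n: missing $opt"; findings=$((findings + 1)) ;;
            esac
        done
    done < "$keys"
    return "$findings"
}

# Constructed sample: an unrestricted setup next to the hardened one from this guide
audit_demo() {
    d=$(mktemp -d)
    echo 'DROPBEAR_OPTIONS="-p 2222"' > "$d/weak.conf"
    echo 'ssh-rsa AAAAconstructed admin@example' > "$d/weak.keys"
    echo 'DROPBEAR_OPTIONS="-p 2222 -s -j -k -I 30"' > "$d/good.conf"
    echo 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa AAAAconstructed admin@example' > "$d/good.keys"
    weak=0; audit_dropbear "$d/weak.conf" "$d/weak.keys" || weak=$?
    good=0; audit_dropbear "$d/good.conf" "$d/good.keys" || good=$?
    rm -rf "$d"
    echo "weak=$weak good=$good"
}
audit_demo
```

A key line that only mentions a restriction in its trailing comment is still reported, because only the text before the key type is checked.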
Reboot your server and unlock your system using
ssh -p 2222 -i .ssh/dropbear root@<yourserverip>
Now, the whole SSH session looks really neat (and your password is not shown while entering):
Please unlock disk cryptroot (/dev/md1):
cryptsetup: cryptroot set up successfully
Connection to <yourserverip> closed.
Special thanks to the people who already wrote these guides:
- http://notes.sudo.is/RemoteDiskEncryption
- https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
- https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
- PRs are very welcome, or open an issue if something does not work for you as described
- Tested this guide on 25.10.2017 on my own hetzner system, it's working pretty good :-)
- tested again by a contributor on 03.03.2019 and 11.03.2019