{"id":325,"date":"2012-10-24T01:09:07","date_gmt":"2012-10-23T23:09:07","guid":{"rendered":"https:\/\/www.dont-panic.cc\/capi\/?p=325"},"modified":"2022-05-16T22:10:02","modified_gmt":"2022-05-16T20:10:02","slug":"fully-encrypted-vserver-with-ubuntu-12-04","status":"publish","type":"post","link":"https:\/\/www.dont-panic.cc\/capi\/2012\/10\/24\/fully-encrypted-vserver-with-ubuntu-12-04\/","title":{"rendered":"HOWTO: Fully encrypted vServer with Ubuntu 12.04"},"content":{"rendered":"<p><strong>Update 2022-05-16:<\/strong> Today I learned that there are two official tutorials by Hetzner for Ubuntu 20.04. You might want to follow them instead:<\/p>\n<ul>\n<li><a href=\"https:\/\/community.hetzner.com\/tutorials\/install-ubuntu-2004-with-full-disk-encryption\">How to install Ubuntu 20.04 with full disk encryption<\/a><\/li>\n<li><a href=\"https:\/\/community.hetzner.com\/tutorials\/install-encrypted-ubuntu-2004-with-automated-unlock-via-tang-and-clevis\">How to install an encrypted ubuntu20.04 with automated unlocking via tang and clevis<\/a><\/li>\n<\/ul>\n<hr \/>\n<p>In this blog post I am going to demonstrate how to easily set up a virtual server at <a href=\"http:\/\/www.hetzner.de\/\">Hetzner<\/a>. This setup will work for most other vServer operators as well, but some adjustments may be required. The <strong>prerequisite<\/strong> is that you are able to <strong>access the console<\/strong> of the server while booting, as you need to be able to enter the passphrase. You also need to be able to boot into some sort of &#8220;Rescue System&#8221; for the setup. This is not an in-place setup. In Hetzner&#8217;s &#8220;<a href=\"https:\/\/robot.your-server.de\/\">Robot<\/a>&#8221; this is pretty easy.<\/p>\n<p>One thing to consider regarding security: <strong>fully encrypting a vServer might seem&#8230; senseless<\/strong>, as the host operator can easily copy the whole memory of the VM while it is running and extract the key this way. True. There is no way around this fact. 
My reason for wanting a fully encrypted system is rather that I want to be sure that the data is encrypted on the storage system. I want to protect against being unable to ever fully wipe the persistent data from disk in case I cancel the VM, the VM gets moved to a new host, or a failed disk is sent in to the manufacturer. For me, this is a compromise I can accept. YMMV.<\/p>\n<p>You can also try this HOWTO under <a href=\"https:\/\/www.virtualbox.org\/\">VirtualBox<\/a> with the <a href=\"http:\/\/www.sysresccd.org\/\">System Rescue CD ISO<\/a> images. Actually, that&#8217;s where I verified that all steps are working.<\/p>\n<p>So, let&#8217;s dive into the fun of the HOWTO. <strong>BEWARE! THIS TUTORIAL WILL WIPE ALL DATA ON YOUR VSERVER! I TAKE NO RESPONSIBILITY IF YOU LOSE DATA! IT MIGHT ALSO NOT WORK FOR YOU. USE THIS AT YOUR OWN RISK!<\/strong><\/p>\n<p>The following steps will partition the disk, set up LVM and LUKS, install Ubuntu 12.04 and prepare the system for reboot. Most parts can be copied line-by-line. Please beware that there are some parts in this tutorial that need to be adjusted: UUIDs of partitions, hostname, username, and most importantly: the network setup.<\/p>\n<p><!--more--><\/p>\n<p>The following steps were performed for my <a href=\"http:\/\/www.hetzner.de\/hosting\/produktmatrix_vserver\/vserver-produktmatrix\">Hetzner VQ7<\/a> instance directly after ordering it:<\/p>\n<p><strong>1. Reboot into Rescue System.<\/strong><\/p>\n<p><strong>2. Partition the disk<\/strong> using <code>cfdisk \/dev\/sda<\/code> or <code>fdisk \/dev\/sda<\/code>, whichever you prefer.<br \/>\nYou need two partitions: <code>\/dev\/sda1<\/code> with about 256MB, which needs to be marked bootable and which will later be mounted as <code>\/boot<\/code>, and <code>\/dev\/sda2<\/code>, which should take the rest of the disk. This will be the LUKS container, which will then ultimately host the LVM with all other partitions.<\/p>\n<p><strong>3. 
Create LUKS container on <code>\/dev\/sda2<\/code>:<\/strong><\/p>\n<pre>apt-get install cryptsetup\n\ncryptsetup luksFormat \/dev\/sda2<\/pre>\n<p>At this point you need to confirm that you really want to wipe all data on <code>\/dev\/sda2<\/code> and then enter your encryption password, twice. Use a secure password here! Your entire encryption depends on this password.<\/p>\n<p><strong>4. Open the LUKS container and initialize an LVM volume group on the decrypted partition:<\/strong><\/p>\n<pre>cryptsetup luksOpen \/dev\/sda2 sda2_decrypt\n\nvgcreate vg-encrypted \/dev\/mapper\/sda2_decrypt<\/pre>\n<p><strong>5. Create swap and root partitions in LVM and create file-systems:<\/strong><\/p>\n<pre>lvcreate -L 2G -n swap vg-encrypted\nlvcreate -L 10G -n root vg-encrypted\n\nmkfs.ext2 \/dev\/sda1\nmkswap \/dev\/vg-encrypted\/swap\nmkfs.ext4 \/dev\/vg-encrypted\/root<\/pre>\n<p>I normally tend to only use the space I will likely need in short-term for root, as on LVM and with <code>ext4<\/code> you can always re-size the file-system even while the file-system is mounted. Keeping unallocated space in the volume-group provides more flexibility, like being able to add other partitions on demand, or cool features like LVM snapshots which can be quite handy for doing crash-consistent backups of the host.<\/p>\n<p><strong>6. 
Record UUIDs of partitions<\/strong><br \/>\nYou will need them later on:<\/p>\n<pre>blkid \/dev\/sda1 \/dev\/sda2 \/dev\/vg-encrypted\/root \/dev\/vg-encrypted\/swap<\/pre>\n<p>This will output something similar to the following:<\/p>\n<pre>\/dev\/sda1: UUID=\"e789d69e-1a90-492d-8a1e-1f719a3b754e\" TYPE=\"ext2\"\n\/dev\/sda2: UUID=\"f25ad69c-5c6e-4f35-b305-a8b193d58111\" TYPE=\"crypto_LUKS\"\n\/dev\/vg-encrypted\/root: UUID=\"d9f21bd7-508b-4404-916e-50fcc6b73f12\" TYPE=\"ext4\"\n\/dev\/vg-encrypted\/swap: UUID=\"e4c91de1-ad8d-4e05-9cee-2803d45840a2\" TYPE=\"swap\"<\/pre>\n<p>I will use these UUIDs for the rest of this HOWTO; be sure to replace them with yours wherever they are used below.<\/p>\n<p><strong>7. Mount target system for <code>debootstrap<\/code><\/strong><\/p>\n<pre>mkdir -p \/mnt\/ubuntu &amp;&amp; \\\nmount \/dev\/vg-encrypted\/root \/mnt\/ubuntu &amp;&amp; \\\nmkdir \/mnt\/ubuntu\/boot &amp;&amp; \\\nmount \/dev\/sda1 \/mnt\/ubuntu\/boot<\/pre>\n<p><strong>8. Download and install <code>debootstrap<\/code><\/strong><\/p>\n<pre>cd\nwget 'http:\/\/archive.ubuntu.com\/ubuntu\/pool\/main\/d\/debootstrap\/debootstrap_1.0.42_all.deb' &amp;&amp; \\\nar x debootstrap_1.0.42_all.deb &amp;&amp; \\\ncd \/ &amp;&amp; \\\ntar xzf \/root\/data.tar.gz<\/pre>\n<p>This will download <code>debootstrap<\/code> 1.0.42, which can install Ubuntu 12.04 (Precise), and unpack it into the root of the rescue system.<\/p>\n<p><strong>9. Bootstrap Ubuntu onto the target disk<\/strong><\/p>\n<pre>debootstrap --arch amd64 precise \/mnt\/ubuntu<\/pre>\n<p>This will download and install the base packages for an Ubuntu 12.04 system into <code>\/mnt\/ubuntu<\/code>, which is the root partition inside the encrypted LVM. This can take some time&#8230; Please also note that you need to bootstrap amd64 or the 32-bit version, depending on the rescue system you booted.<\/p>\n<p><strong>10. 
Mount \/ bind virtual filesystems and enter chroot<\/strong><\/p>\n<pre>mount -t proc none \/mnt\/ubuntu\/proc\nmount -o bind \/dev \/mnt\/ubuntu\/dev\nmount -o bind \/sys \/mnt\/ubuntu\/sys\n\ncp \/etc\/resolv.conf \/mnt\/ubuntu\/etc\/\n\nLANG=C chroot \/mnt\/ubuntu \/bin\/bash<\/pre>\n<p><strong>11. Configure disks, network, and hostname<\/strong><br \/>\n<strong>Attention!<\/strong> These are the sections that you <em>MUST<\/em> adapt for your system!<\/p>\n<pre>echo \"\nUUID=d9f21bd7-508b-4404-916e-50fcc6b73f12 \/ ext4 defaults,noatime 0 0\nUUID=e789d69e-1a90-492d-8a1e-1f719a3b754e \/boot ext2 defaults,relatime 0 1\nUUID=e4c91de1-ad8d-4e05-9cee-2803d45840a2 none swap sw 0 0\nproc \/proc proc defaults 0 0\nsys \/sys sysfs defaults 0 0\n\" &gt; \/etc\/fstab\n\necho MYHOSTNAME &gt; \/etc\/hostname\n\necho \"127.0.0.1 localhost\n127.0.1.1 MYHOSTNAME\n::1 localhost ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n\" &gt; \/etc\/hosts\n\necho \"# interfaces(5) file used by ifup(8) and ifdown(8)\nauto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet static\naddress 192.168.15.105\nnetmask 255.255.255.0\ngateway 192.168.15.1\n\" &gt; \/etc\/network\/interfaces<\/pre>\n<p><strong>12. 
Configure Ubuntu mirror<\/strong><br \/>\nFor Hetzner, you can use the following setup:<\/p>\n<pre>echo \"# Packages and Updates from the Hetzner Ubuntu Mirror\ndeb ftp:\/\/mirror.hetzner.de\/ubuntu\/packages precise main restricted universe multiverse\ndeb ftp:\/\/mirror.hetzner.de\/ubuntu\/packages precise-updates main restricted universe multiverse\ndeb ftp:\/\/mirror.hetzner.de\/ubuntu\/security precise-security main restricted universe multiverse\n\ndeb http:\/\/archive.ubuntu.com\/ubuntu precise main\ndeb-src http:\/\/archive.ubuntu.com\/ubuntu precise main\n\ndeb http:\/\/security.ubuntu.com\/ubuntu precise-security main\ndeb-src http:\/\/security.ubuntu.com\/ubuntu precise-security main\n\" &gt; \/etc\/apt\/sources.list<\/pre>\n<p><strong>13. Install essential packages (Kernel, OpenSSH, &#8230;)<\/strong><\/p>\n<pre>dpkg-reconfigure tzdata\n\napt-get update\napt-get install aptitude openssh-server\napt-get install linux-image-generic\napt-get install cryptsetup lvm2<\/pre>\n<p>If you are asked where to install <code>grub<\/code>, choose <code>\/dev\/sda<\/code>.<\/p>\n<p><strong>14. 
Set up LUKS for boot<\/strong><\/p>\n<pre>echo \"# &lt;target name&gt; &lt;source device&gt; &lt;key file&gt; &lt;options&gt;\nsda2_decrypt UUID=f25ad69c-5c6e-4f35-b305-a8b193d58111 none luks\n\" &gt; \/etc\/crypttab\necho \"dm-crypt\" &gt;&gt; \/etc\/modules\n\necho \"aes\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"aes_i586\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"aes_x86_64\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"aes_generic\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"dm-crypt\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"dm-mod\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"sha256\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"sha256_generic\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"lrw\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"xts\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"crypto_blkcipher\" &gt;&gt; \/etc\/initramfs-tools\/modules\necho \"gf128mul\" &gt;&gt; \/etc\/initramfs-tools\/modules\n\nupdate-initramfs -u -k all<\/pre>\n<p><strong>15. Create a user<\/strong><\/p>\n<pre>adduser myuser\naddgroup --system admin\nadduser myuser admin<\/pre>\n<p><strong>16. Exit chroot, umount, and reboot<\/strong><br \/>\nBasically we are done now. We can leave the chroot and reboot the system.<\/p>\n<p>When the server reboots, observe it in the console; you&#8217;ll need to enter the password anyway.<\/p>\n<p><strong>Known problems:<\/strong><\/p>\n<p>I have experienced that after the latest kernel update, for some reason, the prompt for the password no longer works. In this case I disabled <code>quiet splash<\/code> in <code>\/etc\/default\/grub<\/code>.<\/p>\n<p>I also currently have an issue where the encrypted container is not recognized by the initramfs, so it falls back to busybox. 
If I open the LUKS container there manually and scan for LVM, and then exit busybox, boot resumes as it should.<\/p>\n<pre>cryptsetup luksOpen \/dev\/sda2 sda2_decrypt\n\nlvm vgchange -a y\n\nexit<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Update 2022-05-16: Today I learned that there are two official tutorials by Hetzner for Ubuntu 20.04. You might want to follow them instead: How to install Ubuntu 20.04 with full disk encryption How to install an encrypted ubuntu20.04 with automated unlocking via tang and clevis In this blog post I am going to demonstrate how &hellip; <a href=\"https:\/\/www.dont-panic.cc\/capi\/2012\/10\/24\/fully-encrypted-vserver-with-ubuntu-12-04\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;HOWTO: Fully encrypted vServer with Ubuntu 12.04&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,10],"tags":[183,36,48,220],"class_list":["post-325","post","type-post","status-publish","format-standard","hentry","category-computer","category-sysadmin","tag-encryption","tag-howto","tag-linux","tag-vserver"],"_links":{"self":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts\/325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/comments?post=325"}],"version-history":[{"count":43,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts\/325\/revisions"}],"predecessor-version":[{"id":599,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/posts\/325\/revisions\/599"}],"wp:at
tachment":[{"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/media?parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/categories?post=325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dont-panic.cc\/capi\/wp-json\/wp\/v2\/tags?post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}